Back to your phpLogCon instanceHi
It's me agein...
I have tried to make the following filter:
Event ID: 528
Event Source: Security
Time after 02:30:00
Time before 01:30:00
or in words: i want to exclude one hour between 01:30:00 and 02:30:00 (24 hours format, this is a Boot / Maintenance Window).
I cannot find the correct filterconfiguration, can you help ?
Kind regards
MonitorWare Knowledge Base
Your first source for knowledge
MonitorWare - Rule for excluding a Timeperiod
Moderator: alorbach
6 posts • Page 1 of 1
by rgerhards on Fri Jun 25, 2004 3:52 pm
Welcome back 
could you provide us a copy of your configuration via email at support @ adiscon.com. To do so, use the computer menu, there is an option "create registry file". Please do NOT use binary format.
I think there is a problem with the boolean condition tree, but this is hard to troubleshoot without looking at the actual sample.
Rainer
could you provide us a copy of your configuration via email at support @ adiscon.com. To do so, use the computer menu, there is an option "create registry file". Please do NOT use binary format.
I think there is a problem with the boolean condition tree, but this is hard to troubleshoot without looking at the actual sample.
Rainer
-
rgerhards - Site Admin
- Posts: 1667
- Joined: Thu Feb 13, 2003 11:57 am
by alorbach on Fri Jun 25, 2004 3:52 pm
I would recommend the following filter configuration in order to exclude these events at this time:
NOT
|--->AND
| |---> Event ID: 528
| |---> Event Source: Security
| |---> Time after (>) 01:30:00
| |---> Time before (<) 02:30:00
This should work
Edit: Sorry changed the time filters, were in wrong order
Edit2: These filter conditions will only exclude the Event 528 from 01:30 to 02:30, nothing else. I hope this is what you were seaching for
NOT
|--->AND
| |---> Event ID: 528
| |---> Event Source: Security
| |---> Time after (>) 01:30:00
| |---> Time before (<) 02:30:00
This should work
Edit: Sorry changed the time filters, were in wrong order
Edit2: These filter conditions will only exclude the Event 528 from 01:30 to 02:30, nothing else. I hope this is what you were seaching for
-
alorbach - Site Admin
- Posts: 894
- Joined: Thu Feb 13, 2003 11:55 am
by rgerhards on Fri Jun 25, 2004 4:20 pm
Bertolino,
OK, then let's do ASCII-Art... Based on the other calls I worked with you, I think you are actually looking for a filter that will only evaluate to true if it is event 528 but NOT within that time frame. This is not what Andre's solution does.
Here you need this:
AND
|----> Event ID: 528
|----> Event Source: Security
|--->NOT
| |--->AND
| | |---> Time after (>) 01:30:00
| | |---> Time before (<) 02:30:00
This is the equivalent to
if (eventid == 528) and (EventSource = Security) and NOT ((time > 1:30) and (time < 2:30))
... if that pseudo-code helps.
When this condition evaluates to true, you have a 528 event outside this time frame.
HTH,
Rainer
OK, then let's do ASCII-Art... Based on the other calls I worked with you, I think you are actually looking for a filter that will only evaluate to true if it is event 528 but NOT within that time frame. This is not what Andre's solution does.
Here you need this:
AND
|----> Event ID: 528
|----> Event Source: Security
|--->NOT
| |--->AND
| | |---> Time after (>) 01:30:00
| | |---> Time before (<) 02:30:00
This is the equivalent to
if (eventid == 528) and (EventSource = Security) and NOT ((time > 1:30) and (time < 2:30))
... if that pseudo-code helps.
When this condition evaluates to true, you have a 528 event outside this time frame.
HTH,
Rainer
-
rgerhards - Site Admin
- Posts: 1667
- Joined: Thu Feb 13, 2003 11:57 am
by Bertolino on Sat Jun 26, 2004 4:03 pm
Hi
Yes it works.
Thank you very much.
PS: I think my questions are to easy for you, well I will think about
it, perhaps i will find something more difficult for you !
Kind regards
Yes it works.
Thank you very much.
PS: I think my questions are to easy for you, well I will think about
it, perhaps i will find something more difficult for you !
Kind regards
- Bertolino
- Advanced
- Posts: 36
- Joined: Mon Jun 21, 2004 8:59 am
- Location: Switzerland
by rgerhards on Mon Jun 28, 2004 8:52 am
Bertolino wrote:PS: I think my questions are to easy for you, well I will think about
it, perhaps i will find something more difficult for you !
Keep trying - good suggestions and questions are always welcome
Also: if you can give us a hint what would have made starting with the product easier for you - let us know, too
-
rgerhards - Site Admin
- Posts: 1667
- Joined: Thu Feb 13, 2003 11:57 am
Google Ads
6 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests
