With noisy operating systems like Windows Server 2008/2012 and chatty network devices churning out oodles of Syslog and SNMP messages, important critical and error events can be diluted by a flood of insignificant events. In addition, these insignificant or unwanted events can consume valuable server, network and database resources. In this tech-tip we’ll revisit the Excluding Events “on-the-fly” feature in ELM Enterprise Manager, which allows you to quickly quiet down and cut through those noisy events, or even exclude them from collection altogether.

Excluding an Event
When going through Views within the ELM console, a busy environment can often have Views that are flooded with information you may not care to see. For example, a chatty firewall may be generating a ton of Syslog messages that you don’t really care about or at least don’t care to see in a view.

An easy way to determine where the noise on your network is coming from is to navigate to your view of choice and then click the || Pause link (1) at the bottom of the view in the task pane.

Next we’ll switch the view to Summary View (2), and then sort the events by Count (3) so we see a top-down or descending count view.

Now you can easily scroll through the noise and see which events are the most prevalent and which ones you can do without.

In this example, we’ll take the Informational Event ID 166 being generated from the PIX Firewall in the lab here. Right-clicking on that event and sliding down to All Tasks, we can see a context menu giving a few options for exclusion.

Excluding an Event from Notification Rules
The first option from the All Tasks menu is to ‘Exclude this Event from all Notification Rules.’ If you are receiving notifications such as the ELM Advisor desktop popup or emails about a particular event you wish to quiet down, selecting this option will create a filter to exclude that event from triggering any Notification Rules. This is a great way to quickly fine-tune and clean up your Notifications to only those you want and quiet down those you don’t. The event in question is still being collected; however, ELM is no longer sending out messages to administrators for an event that they may already know of and do not wish to be notified about anymore.

Excluding an Event From an Event View
When ‘Exclude this Event from this View’ is selected, ELM automatically creates an exclude filter in the View for that particular event. If you click Continue in the task pane to relaunch the dynamic refresh of the View, you will no longer see this event in this View. It is still being collected, but no longer being displayed.

*Caution: in versions of ELM prior to 6.5, adding this filter to the “All — Events View” Event View will completely stop writing this event to the database. You may still receive notifications for the event, but it’s no longer being stored. Make sure this is your intention before proceeding!

Do Not Collect a Specific Event At All
The last option we’ll discuss from the All Tasks menu is the ability to configure all ELM Agents to not collect a particular event. Perhaps the Syslog message event in question is being worked on and you don’t want or need to report on it or store it in your database. By choosing ‘Do not Collect this Event from any Event Logs’, ELM applies a filter at the monitor item level, at the collector itself running on your systems. We’ve now created an exclusion filter at the point of collection. This event will no longer be collected at all.

So there are three levels of filtering based on the significance of the event and how you want to handle it.

  1. Exclude from Notification Rules – You don’t want to be notified about it anymore.
  2. Exclude from Views – You just don’t want to see it anymore.
  3. Exclude from Collection – It’s just noise and you want to turn it off completely.
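
The three levels differ in what is still stored, displayed and alerted on. The Python sketch below is an added illustration, not ELM code or configuration: it ranks constructed sample events by count the way the Summary View sort does, then models each exclusion level, including the pre-6.5 caution noted earlier. The function names, the `pre_6_5_all_events_view` flag and the sample events are assumptions made for the example.

```python
from collections import Counter

# Constructed sample events as (source, event_id, severity); not real ELM data.
SAMPLE_EVENTS = (
    [("PIX Firewall", 166, "Informational")] * 6
    + [("DC01", 7036, "Informational")] * 3
    + [("PIX Firewall", 411, "Error")] * 2
    + [("DC01", 4625, "Warning")]
)


def event_key(event):
    """Identify an event by (source, event_id), as one Summary View row would."""
    return (event[0], event[1])


def summary_by_count(events):
    """Collapse identical events and sort by count, highest first."""
    return Counter(event_key(e) for e in events).most_common()


def apply_exclusions(events, no_collect=(), no_view=(), no_notify=(),
                     pre_6_5_all_events_view=False):
    """Return how many events are stored, displayed and notification-eligible.

    no_collect / no_view / no_notify are sets of (source, event_id) keys
    excluded at that level. pre_6_5_all_events_view models the caution that
    a view filter on the all-events view also stops database writes.
    """
    collected = [e for e in events if event_key(e) not in no_collect]
    stored = collected
    if pre_6_5_all_events_view:
        stored = [e for e in collected if event_key(e) not in no_view]
    displayed = [e for e in collected if event_key(e) not in no_view]
    eligible = [e for e in collected if event_key(e) not in no_notify]
    return {"stored": len(stored), "displayed": len(displayed),
            "notify_eligible": len(eligible)}


if __name__ == "__main__":
    noisy = {summary_by_count(SAMPLE_EVENTS)[0][0]}  # top row by count
    print("noisiest:", noisy)
    print("notify  :", apply_exclusions(SAMPLE_EVENTS, no_notify=noisy))
    print("view    :", apply_exclusions(SAMPLE_EVENTS, no_view=noisy))
    print("view<6.5:", apply_exclusions(SAMPLE_EVENTS, no_view=noisy,
                                        pre_6_5_all_events_view=True))
    print("collect :", apply_exclusions(SAMPLE_EVENTS, no_collect=noisy))
```

In this model only the collection-level exclusion and the pre-6.5 view case reduce the stored count, so those are the choices that remove the event from later reporting.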

Whether you are monitoring Windows Server 2003, 2008, or 2012, there is typically a lot of noise in the event logs of these operating systems as well as with Syslog and SNMP messages from other devices. ELM Enterprise Manager provides quick and easy filtering capabilities that you can generate on-the-fly to improve your monitoring experience with ELM.

We hope that you found this article on Advanced Event Filtering Options for Less Noise in Your Environment useful and wish you continued success with ELM.