Yes it can get a bit messy.... your best bet would be to create a high priority event set that fires off emails only when selected important events occur.. we use: <?xml version="1.0" encoding="ISO-8859-1" ?> <event_sets> <set_elements setName="High Priority Events" eventSetId="44830995"> <element_data ignore="0" source="EventLog" category="*" eventId="-1" username="*" description="*"/> <element_data ignore="0" source="Storage Service" category="*" eventId="-1" username="*" description="*"/> </set_elements> </event_sets> This fires off emails only when those specific events occur.... the rest of the error events we leave to get picked up as standard alerts. This one shows us HDD events for Dell servers, and the dreaded "The previous system shutdown at xxxxx on xxxx was unexpected" We then add to it only items that require our immediate attention. We typically use about 8 event sets for servers and 5 for workstations... each deals with specific problems and we can then decide on appropriate alerting: APC Powerchute Events Backup Event Sets Exchange 2000/2003/2007 Common Server Events Common Workstation Events IIS 5.0/6.0 ISA Server 2000/2004 AntiVirus Events We also use an excluded event list to filter out those annoying messages that really dont mean much... we find that windows event logs can be full of repeated error messages that we either cant fix or dont care about... we just add them to a big list and update it when we find new annoying messages. I am sure other companies do it differently but its a case of finding the right fit for your resources.Legacy Forum Name: Event Sets, Legacy Posted By Username: dgrout@datrix.co.uk