Kaseya Community

How do I exclude an event id from event alerts?


I have an event log alert set up that monitors the Application log for Error, Warning, Failure Audit, Critical. That is typically fine, but we also have some Exchange servers that have self-signed certs, so it gives us errors such as the one below:

Application log generated Warning Event 12015 on pitgsbs08.noc.pitg
For more information see http://www.eventid.net/display.asp?eventid=12015&source=MSExchangeTransport

Log: Application
Type: Warning
Event: 12015
Agent Time: 2013-06-27 15:04:50Z
Event Time: 07:03:11 PM 27-Jun-2013 UTC
Source: MSExchangeTransport
Category: TransportService
Username: N/A
Computer: PITGSBS08.PITG.local
Description: An internal transport certificate expired. Thumbprint:F3ED5EF879EC68045A70A095C17F3D8701196192

Is there a way we can keep the same event alert set in place, but exclude certain event ids?

Thanks,

Clint Wilson

All Replies
  • Hey Clint,

    Within your event alert set you can specify events to ignore by filtering the information and checking the "ignore" box. So I would do something like the screenshot below for the event set in question (you will probably want to populate the wildcard fields to make sure you're only ignoring those specific errors):

    Hope that helps...

    Regards,

    Kerry



    [edited by: Kerry D at 1:29 PM (GMT -7) on Jun 28, 2013]
  • Kerry,

    I failed to include a very, very important piece of the puzzle. This is being set via an event log settings policy, and there are no exclusions I can find in that setup, unless I am overlooking something completely.

    However, as a quick, easy workaround I could create an event log set that does exactly what I want and use it in policies as an alert, instead of the event log settings.

  • Hey Clint,

    As far as I know, the Event Log Settings Policy is just for designating which event logs should be sent over to the Kaseya server. I think the label for 'Alert for machine when' is a bit misleading, as there is no way to set the action and thus it is only a "what should be collected" setting. (You can see this in the 'Machine Effective Policy Settings:')

    I'm guessing you probably have an "All Alerts" Event Log Alert configured somewhere(?), which is converting those events into an alarm or ticket or email. If that is the case, you're on the right track and you would want to create the exclusionary Event Set, create a new Alert Policy using that Event Set, and assign it to whatever view is appropriate in Policy Management.

    Kerry



    sorry about that Clint, extra letter in there
    [edited by: Kerry D at 8:50 PM (GMT -7) on Jul 1, 2013]
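
The advice above to populate the wildcard fields so that only the specific error is ignored, modelled as an added example (not Kaseya's code and not part of the thread). The rule fields, the "ignore wins over include" precedence and the sample events are assumptions constructed for illustration; it compares an ignore row keyed on the event ID alone with one that also pins the source and description.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

FIELDS = ("source", "category", "event_id", "description")

@dataclass(frozen=True)
class Rule:
    """One row of a hypothetical event set: wildcard fields plus an ignore flag."""
    source: str = "*"
    category: str = "*"
    event_id: str = "*"
    description: str = "*"
    ignore: bool = False

    def matches(self, ev):
        # Case-insensitive wildcard match on every field of the row.
        return all(fnmatchcase(str(ev[f]).lower(), getattr(self, f).lower())
                   for f in FIELDS)

def should_alert(ev, rules):
    """Assumed precedence: any matching ignore row suppresses the event."""
    hits = [r for r in rules if r.matches(ev)]
    return bool(hits) and not any(r.ignore for r in hits)

def alerting(rules, events):
    return [(e["source"], e["event_id"]) for e in events if should_alert(e, rules)]

# Constructed sample events (only the first mirrors the alert quoted in the question).
EVENTS = [
    {"source": "MSExchangeTransport", "category": "TransportService", "event_id": 12015,
     "description": "An internal transport certificate expired. Thumbprint:EXAMPLE"},
    {"source": "OtherApp", "category": "None", "event_id": 12015,
     "description": "Constructed: unrelated warning that happens to share the ID"},
    {"source": "MSExchangeTransport", "category": "TransportService", "event_id": 9999,
     "description": "Constructed: a different transport error"},
]

CATCH_ALL = Rule()  # alert on everything collected
BROAD = [CATCH_ALL, Rule(event_id="12015", ignore=True)]
NARROW = [CATCH_ALL, Rule(source="MSExchangeTransport", event_id="12015",
                          description="*certificate expired*", ignore=True)]

if __name__ == "__main__":
    print("ID-only ignore:   ", alerting(BROAD, EVENTS))
    print("populated ignore: ", alerting(NARROW, EVENTS))
```

The ID-only row also silences the unrelated event that reuses 12015, while the populated row suppresses only the expired-certificate warning.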