If NO or ALL event logs types and categories are collected for a machine, then event log alerts are generated for that machine. If SOME event log types and categories are collected for a machine, then NO event log alerts are generated.
We typically capture error and warning events across a large number of machines. We want to alarm on a few informational alarms, which means capturing all of them. The problem with Information is that there are so many it becomes crazy trying to look things up.
My understanding is that to create an alert, we first have to capture the events. The above line from the help seems to say differently. Is anyone more familiar with this? If we don't actually capture the events, will we still get alerts?
You do not need to collect events in order to alarm on them. This changed several iterations ago.
But they are correct that if you only collect some events, then alerting doesn't work. Really not the best situation, as we would like to record certain security-related events in case we need to retrace a breach, but, as you note, collecting everything quickly becomes unwieldy.