I have an event log alert set up that monitors the Application log for Error, Warning, Failure Audit, and Critical. That is typically fine, but we also have some Exchange servers that have self-signed certs, so it gives us errors such as the one below:
Application log generated Warning Event 12015 on pitgsbs08.noc.pitg
For more information see http://www.eventid.net/display.asp?eventid=12015&source=MSExchangeTransport
Log: Application
Type: Warning
Event: 12015
Agent Time: 2013-06-27 15:04:50Z
Event Time: 07:03:11 PM 27-Jun-2013 UTC
Source: MSExchangeTransport
Category: TransportService
Username: N/A
Computer: PITGSBS08.PITG.local
Description: An internal transport certificate expired. Thumbprint:F3ED5EF879EC68045A70A095C17F3D8701196192
Is there a way we can keep the same event alert set in place, but exclude certain event ids?
Within your event alert set you can specify events to ignore by filtering the information and checking the "ignore" box. So I would do something like the screenshot below for the event set in question (you will probably want to populate the wildcard fields to make sure you're only ignoring those specific errors):
Hope that helps...
I failed to include a very, very important piece of the puzzle. This is being set via an event log settings policy and there are no exclusions I can find in that setup, unless I am overlooking something completely.
However, as a quick, easy workaround I could create an event log set that does exactly what I want and use it in policies as an alert, instead of the event log settings.
As far as I know, the Event Log Settings Policy is just for designating which event logs should be sent over to the Kaseya server. I think the label for 'Alert for machine when' is a bit misleading, as there is no way to set the action and thus it is only a "what should be collected" setting. (You can see this in the 'Machine Effective Policy Settings:')
I'm guessing you probably have an "All Alerts" Event Log Alert configured somewhere(?), which is converting those events into an alarm or ticket or email. If that is the case, you're on the right track and you would want to create the exclusionary Event Set, create a new Alert Policy using that Event Set, and assign it to whatever view is appropriate in Policy Management.