Services Administration - Configure

Adding a New Policy / Modifying an Existing Policy

Adding a New Policy

This page appears when the ADD NEW POLICY button in the LIST OF POLICIES page is clicked, and allows administrators to create a new filter policy. The filter policy for the AppEvtLogTest, AppEvtTest, SystemEvtTest, and SystemEvtLogTest typically comprises a specific set of event sources, event IDs, and event descriptions to be monitored. The eG Enterprise system expresses this specification in the following format:

{Policyname}:{event_sources_to_be_included}:{event_sources_to_be_excluded}:{event_IDs_to_be_included}:{event_IDs_to_be_excluded}:{event_descriptions_to_be_included}:{event_descriptions_to_be_excluded}

On the other hand, the filter policy for the SecurityLogTest comprises a specific set of event sources, event IDs, and users to be monitored. The eG Enterprise system expresses this specification in the following format:

{Policyname}:{event_sources_to_be_included}:{event_sources_to_be_excluded}:{event_IDs_to_be_included}:{event_IDs_to_be_excluded}:{users_to_be_included}:{users_to_be_excluded}

To create a new policy, do the following:

  • Provide a unique name against POLICY NAME.
  • To include one/more event sources for monitoring, select Included from the EVENT SOURCES drop-down list, and then specify a comma-separated list of event sources in the adjacent text box. If you require more space to specify the event sources, click on the VIEW button next to the text box. This will invoke an EVENT SOURCES INCLUDED text area, wherein the specification can be provided more clearly and comfortably.
  • To exclude specific event sources from monitoring, select Excluded from the EVENT SOURCES drop-down list, and then specify a comma-separated list of event sources to be excluded in the adjacent text box. If you require more space to specify the event sources, click on the VIEW button next to the text box. This will invoke an EVENT SOURCES EXCLUDED text area, wherein the specification can be provided more clearly and comfortably.
    Note:

    At any given point in time, you can choose to either Include or Exclude event sources, but you cannot do both. If you have chosen to include event sources, then the eG Enterprise system automatically assumes that no event sources need be excluded. Accordingly, the {event_sources_to_be_excluded} section of the filter format mentioned above will take the value none. Similarly, if you have chosen to exclude specific event sources from monitoring, then the {event_sources_to_be_included} section of the format above will automatically take the value all, indicating that all event sources except the ones explicitly excluded will be monitored.

  • In the same way, select Included from the EVENT IDS list and then provide a comma-separated list of event IDs to be monitored. For more space, click on the VIEW button next to the text box, so that an EVENT IDS INCLUDED text area appears.
  • If, on the other hand, you want to exclude specific event IDs from monitoring, first select Excluded from the EVENT IDS list box, and then provide a comma-separated list of event IDs to be excluded. For more space, click on the VIEW button next to the text box, so that an EVENT IDS EXCLUDED text area appears.
    Note:

    At any given point in time, you can choose to either Include or Exclude event IDs, but you cannot do both. If you have chosen to include event IDs, then the eG Enterprise system automatically assumes that no event IDs need be excluded. Accordingly, the {event_IDs_to_be_excluded} section of the filter format mentioned above will take the value none. Similarly, if you have chosen to exclude specific event IDs from monitoring, then the {event_IDs_to_be_included} section of the format above will automatically take the value all, indicating that all event IDs except the ones explicitly excluded will be monitored.

  • Likewise, select Included from the EVENT DESCRIPTIONS list and then provide a comma-separated list of event descriptions to be monitored. For more space, click on the VIEW button next to the text box, so that an EVENT DESCRIPTIONS INCLUDED text area appears.
  • To exclude specific event descriptions from monitoring, first select Excluded from the EVENT DESCRIPTIONS list box, and then provide a comma-separated list of event descriptions to be excluded. For more space, click on the VIEW button next to the text box, so that an EVENT DESCRIPTIONS EXCLUDED text area appears.
  • In the case of the SecurityLogTest, however, you are not required to include/exclude EVENT DESCRIPTIONS. Instead, an EVENT USERS field appears, in which you configure the users to be included in or excluded from monitoring.

    Note:

    At any given point in time, you can choose to either Include or Exclude event descriptions/users, but you cannot do both. If you have chosen to include event descriptions/users, then the eG Enterprise system automatically assumes that no event descriptions/users need be excluded. Accordingly, the {event_descriptions_to_be_excluded} section or the {users_to_be_excluded} section (as the case may be) of the filter formats mentioned above will take the value none. Similarly, if you have chosen to exclude specific event descriptions/users from monitoring, then the {event_descriptions_to_be_included} section or the {users_to_be_included} section (as the case may be) of the formats above will automatically take the value all. This indicates that all event descriptions/users except the ones explicitly excluded will be monitored.

  • Finally, click the UPDATE button.
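The following is an added example, not code from eG Enterprise, that turns the Included/Excluded choices made above into the seven-field policy string described at the top of this page (the unchosen side becomes all or none), and then checks an event against a parsed policy. The policy name, event sources, event IDs and users are constructed sample values, and matching is assumed to be case-insensitive exact comparison of each field, which the page does not specify.

```python
# Added example (not eG Enterprise code): build the 7-field filter-policy
# string described on this page from the UI's Included/Excluded choices,
# and evaluate an event against it. Per the page, the side you did not
# choose becomes "all" (include side) or "none" (exclude side).
from typing import Iterable, Tuple

def _pair(mode: str, values: Iterable[str]) -> Tuple[str, str]:
    """Return the (included, excluded) fields for one dimension."""
    joined = ",".join(v.strip() for v in values if v.strip())
    if not joined:
        raise ValueError("at least one non-empty value is required")
    if mode == "Included":
        return joined, "none"
    if mode == "Excluded":
        return "all", joined
    raise ValueError("mode must be 'Included' or 'Excluded'")

def build_policy(name, sources, ids, third):
    """sources/ids/third are (mode, values) tuples. 'third' is event
    descriptions for the App/System event tests and users for the
    SecurityLogTest; both use the same seven colon-separated fields."""
    if not name or ":" in name:
        raise ValueError("policy name must be non-empty and contain no ':'")
    fields = [name]
    for mode, values in (sources, ids, third):
        fields.extend(_pair(mode, values))
    return ":".join(fields)

def _split_list(field):
    return {v.strip().lower() for v in field.split(",") if v.strip()}

def _matches(value, included, excluded):
    """Assumption: case-insensitive exact match on one dimension."""
    value = value.lower()
    if included != "all":          # explicit include list wins
        return value in _split_list(included)
    return value not in _split_list(excluded)

def event_matches(policy, source, event_id, third):
    """True if the event passes every dimension of the policy string."""
    parts = policy.split(":")
    if len(parts) != 7:
        raise ValueError("expected 7 colon-separated fields")
    _, s_in, s_ex, i_in, i_ex, t_in, t_ex = parts
    return (_matches(source, s_in, s_ex)
            and _matches(str(event_id), i_in, i_ex)
            and _matches(third, t_in, t_ex))
```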

Modifying an Existing Filter Policy

This page also appears when the MODIFY button against an existing policy in the LIST OF POLICIES page is clicked. In such a case, you can modify the details of that policy using this page. To achieve this, do the following:

  • The name of the policy is displayed in the POLICY NAME box and cannot be changed.
  • To include one/more event sources for monitoring, select Included from the EVENT SOURCES drop-down list, and then specify a comma-separated list of event sources in the adjacent text box. If you require more space to specify the event sources, click on the VIEW button next to the text box. This will invoke an EVENT SOURCES INCLUDED text area, wherein the specification can be provided more clearly and comfortably.
  • To exclude specific event sources from monitoring, select Excluded from the EVENT SOURCES drop-down list, and then specify a comma-separated list of event sources to be excluded in the adjacent text box. If you require more space to specify the event sources, click on the VIEW button next to the text box. This will invoke an EVENT SOURCES EXCLUDED text area, wherein the specification can be provided more clearly and comfortably.
    Note:

    At any given point in time, you can choose to either Include or Exclude event sources, but you cannot do both. If you have chosen to include event sources, then the eG Enterprise system automatically assumes that no event sources need be excluded. Accordingly, the {event_sources_to_be_excluded} section of the filter format mentioned above will take the value none. Similarly, if you have chosen to exclude specific event sources from monitoring, then the {event_sources_to_be_included} section of the format above will automatically take the value all, indicating that all event sources except the ones explicitly excluded will be monitored.

  • In the same way, select Included from the EVENT IDS list and then provide a comma-separated list of event IDs to be monitored. For more space, click on the VIEW button next to the text box, so that an EVENT IDS INCLUDED text area appears.
  • If, on the other hand, you want to exclude specific event IDs from monitoring, first select Excluded from the EVENT IDS list box, and then provide a comma-separated list of event IDs to be excluded. For more space, click on the VIEW button next to the text box, so that an EVENT IDS EXCLUDED text area appears.
    Note:

    At any given point in time, you can choose to either Include or Exclude event IDs, but you cannot do both. If you have chosen to include event IDs, then the eG Enterprise system automatically assumes that no event IDs need be excluded. Accordingly, the {event_IDs_to_be_excluded} section of the filter format mentioned above will take the value none. Similarly, if you have chosen to exclude specific event IDs from monitoring, then the {event_IDs_to_be_included} section of the format above will automatically take the value all, indicating that all event IDs except the ones explicitly excluded will be monitored.

  • Likewise, select Included from the EVENT DESCRIPTIONS list and then provide a comma-separated list of event descriptions to be monitored. For more space, click on the VIEW button next to the text box, so that an EVENT DESCRIPTIONS INCLUDED text area appears.
  • To exclude specific event descriptions from monitoring, first select Excluded from the EVENT DESCRIPTIONS list box, and then provide a comma-separated list of event descriptions to be excluded. For more space, click on the VIEW button next to the text box, so that an EVENT DESCRIPTIONS EXCLUDED text area appears.
  • In the case of the SecurityLogTest, however, you are not required to include/exclude EVENT DESCRIPTIONS. Instead, an EVENT USERS field appears, in which you configure the users to be included in or excluded from monitoring.

    Note:

    At any given point in time, you can choose to either Include or Exclude event descriptions/users, but you cannot do both. If you have chosen to include event descriptions/users, then the eG Enterprise system automatically assumes that no event descriptions/users need be excluded. Accordingly, the {event_descriptions_to_be_excluded} section or the {users_to_be_excluded} section (as the case may be) of the filter formats mentioned above will take the value none. Similarly, if you have chosen to exclude specific event descriptions/users from monitoring, then the {event_descriptions_to_be_included} section or the {users_to_be_included} section (as the case may be) of the formats above will automatically take the value all. This indicates that all event descriptions/users except the ones explicitly excluded will be monitored.

  • Finally, click the UPDATE button.