Avoiding to Archive the Unnecessary Events

Overview

You may want to stop saving certain events to EventsManager database (e.g., records that you do not need to retain) to save space on your drive and increase performance by decreasing the size of your database.

Solution

To exclude events from getting saved to the database, you can disable the processing rules that record these events or create a new rule to ignore events that match specific criteria.

1. From Events Browser, review events and decide which logs you don't want to store.
2. Right-click on one of the unnecessary events and select Find Rule.
   
   
   
   
3. Right-click on the matching rule and select Properties.
   
   
   
   
4. From the Conditions tab, check which sources, event types, etc. are included in the rule.
   
   
   
   
5. If you do not need to retain any of the events that match the conditions, disable the selected rule.
   If you do not want to disable log collection for all events matching the conditions, proceed to the next step to create a rule to ignore events based on specific criteria (e.g., Event ID, Event Source, etc.). You would need to note down the required event ID or another event identifier from Events Browser.
   
   
   
   
6. Create a rule from an existing event to classify events with specific IDs as Noise and Ignore.
   Alternatively, you can configure a view with advanced filtering conditions (e.g., to filter events for a specific source, user name, etc.) by following the steps below:
   
   1. Navigate to Configuration > Event Processing Rules.
   2. Click Create new rule.
   3. Enter a name for the new rule and click Next.
      
      
      
      
   4. Specify for which event types you want to apply this rule - select all options unless you need to store events of a certain type. Then click Next.
      
      
      
      
   5. Specify on which criteria the events will be filtered (ignored) - user name, object server, event source name, ID, etc. For more information on how to configure conditions, refer to the article Using Edit Query Restriction Dialog.
      
      
      
      
   6. Click Next.
   7. On the new screen, select the following options and click Next:
      
      • At any time of the day
      • Noise event
   8. Select the Ignore the event action and click Next.
      
      
      
      
   9. Click Finish to create the rule.
   10. After creating a new custom rule, make sure to increase the priority of the folder (containing the new rule) to override other existing processing rules - right-click on the folder and select Increase Priority (Ctrl+Up) until the folder is at the top of the list.
       
       

Testing

Once the rule is created, new events matching the configured criteria will not be displayed in Events Browser. 

To remove old events that you don't need, refer to the article Purging Old Events from GFI EventsManager Database.