Overview
You may need to create a custom processing rule to apply specific actions (e.g., ignore, archive, send alerts, etc.) to all events with the same Event ID.
Solution
- From Events Browser, locate the required event log, right-click on it and select Create rule from event.
- Enter a name and description for the rule.
- Specify when this rule should be applied:
  - At any time of the day
  - During Normal Operational Time
  - Outside the Normal Operational Time
  For more information about operational time, refer to the article Configuring Event Source Operational Time.
- Select the importance (classification) that will be assigned to the matching events:
  - Critical
  - High
  - Medium
  - Low
  - Noise
- From the Event Logs tab, select the logs for which this rule will apply.
- From the Conditions tab, you can optionally configure additional restrictions for the rule; the Event ID of the selected log event is already added as a condition.
- From the Actions tab, select the action you want to apply to the events:
  - Ignore the event.
  - Use the default classification actions (which are applied to events depending on their importance).
    Note: Default classification actions can be reviewed and modified under Configuration > Options > Default classification actions.
  - Select a custom action profile. You can add a new one by selecting the <New actions profile> option, then configure the actions that will be applied to the events.
- From the Threshold tab, specify the number of times an event must be detected prior to triggering alerts and remedial actions. This helps to reduce false positive alerts caused by repeated events in your event logs.
- Click OK to save the rule.
- If you want your custom rule to override existing processing rules, make sure to increase its priority by right-clicking on the folder and selecting Increase Priority or pressing Ctrl+Up until the folder is at the top of the list.
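As an added illustration (not part of this article and not the product's own code), the following Python sketch models how a rule built with the steps above is evaluated: Event ID and log match, the chosen operational-time window, the detection threshold, and priority order (first matching rule wins). The operational hours, rule names, action names and the sample events are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set

# Assumed "Normal Operational Time": weekdays 08:00-18:00.
ANY, NORMAL, OUTSIDE = "any", "normal", "outside"
NORMAL_START, NORMAL_END = time(8, 0), time(18, 0)

def in_operational_time(ts: datetime) -> bool:
    return ts.weekday() < 5 and NORMAL_START <= ts.time() < NORMAL_END

@dataclass
class Rule:
    name: str
    event_id: int
    logs: Set[str]                 # Event Logs tab
    when: str = ANY                # when the rule applies
    importance: str = "Medium"     # classification assigned to matches
    action: str = "default"        # "ignore", "default" or a custom profile
    threshold: int = 1             # detections required before acting
    seen: Dict[str, int] = field(default_factory=dict)

    def matches(self, log: str, event_id: int, ts: datetime) -> bool:
        if log not in self.logs or event_id != self.event_id:
            return False
        if self.when == NORMAL:
            return in_operational_time(ts)
        if self.when == OUTSIDE:
            return not in_operational_time(ts)
        return True

def process(rules: List[Rule], log: str, event_id: int, ts: datetime) -> Optional[str]:
    """Rules are ordered by priority; returns the action taken, or None if no rule matches."""
    for rule in rules:
        if not rule.matches(log, event_id, ts):
            continue
        key = f"{log}:{event_id}"
        rule.seen[key] = rule.seen.get(key, 0) + 1
        if rule.seen[key] < rule.threshold:
            return "suppressed"        # below threshold: no alert yet
        rule.seen[key] = 0             # threshold reached: act and reset
        return rule.action
    return None

def run_demo() -> List[Optional[str]]:
    # Constructed sample: alert on the third after-hours failed logon (4625),
    # but ignore the same Event ID during operational time.
    rules = [Rule("After-hours 4625", 4625, {"Security"}, OUTSIDE, "High", "alert-soc", 3),
             Rule("In-hours 4625", 4625, {"Security"}, NORMAL, "Noise", "ignore")]
    night, day = datetime(2024, 1, 6, 2, 0), datetime(2024, 1, 8, 10, 0)   # Sat, Mon
    return [process(rules, "Security", 4625, night) for _ in range(3)] + \
           [process(rules, "Security", 4625, day), process(rules, "Application", 4625, night)]
```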