Once you have installed the Windows Agent on the Windows systems that you want to monitor, the Windows Agent sends every error and warning Windows event to the Operations Sentinel server, where each one is displayed to the operator as an alert. On a busy system that can be a large number of alerts, so you can instead use filter policies to focus the operator’s attention on specific types of Windows events.
Start by using the DEFAULT filter policy, which causes all error and warning Windows events to be sent to the Operations Sentinel server. Then analyze the events received over a period of days to determine how you want to filter them. Some questions to ask are:
What types of events are most critical to monitor and respond to?
What event sources should the operator be most concerned with?
Are any of the Windows systems dedicated to particular functions? If so, is it more important to receive specific types of events from these systems than it would be from the other Windows systems?
The answers to these questions can help you to assess the ways in which you can filter Windows events and define filter policies.
Example of Event Filtering
You can filter events based on their sources. Examples of event sources are device drivers connected to a Windows system and applications running on a Windows system. If you want to monitor events based on their sources, you can define a filter policy that includes events from some sources and excludes others. Note that a source-based rule applies to every event that source reports, so check during the analysis period which event types a given source actually produces before you decide whether to include or exclude it. Depending on your answers to the questions asked above, you might, for example, identify a printer attached to a Windows system that has frequent paper jams and want a critical alert to be raised whenever that occurs.
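The following PowerShell script is an added example of the analysis step described above (collecting error and warning events over a period of days and tallying them by source and event ID) and of drilling into a single source such as the print service; it is not part of Operations Sentinel and does not use its filter policy format, only the built-in Get-WinEvent cmdlet. The log names, the seven-day window and the source name Microsoft-Windows-PrintService are assumptions; substitute the logs and the source you identified on your own systems.

```powershell
# Added example, not Operations Sentinel code: tally error/warning Windows events
# by source and event ID to decide how to build a filter policy.
# Assumes it is run with rights to read the event logs on the target system.
param(
    [int]$Days = 7,                                   # assumed analysis window
    [string[]]$Logs = @('System', 'Application'),     # assumed logs to examine
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$Source = 'Microsoft-Windows-PrintService' # assumed source to drill into
)

$since = (Get-Date).AddDays(-$Days)

# Level 2 = Error, Level 3 = Warning: the same severities the DEFAULT policy forwards.
# -ErrorAction SilentlyContinue suppresses the "No events were found" error for quiet logs.
$events = foreach ($log in $Logs) {
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = $log
        Level     = 2, 3
        StartTime = $since
    } -ErrorAction SilentlyContinue
}

"Collected $($events.Count) error/warning events from $($Logs -join ', ') since $since"

# Which sources should the operator be most concerned with? Rank sources by volume.
"`nTop event sources:"
$events |
    Group-Object -Property ProviderName |
    Sort-Object -Property Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize

# Which types of events are most critical? Rank (source, event ID) pairs, since a
# source-based rule includes or excludes every event that source reports.
"`nTop (source, event ID) pairs:"
$events |
    Group-Object -Property ProviderName, Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First 25 Count, Name |
    Format-Table -AutoSize

# Drill into one source to see which event IDs and messages it produces, so that a
# condition such as a recurring printer fault can be matched by source and event type.
"`nEvents from source '$Source':"
$events |
    Where-Object { $_.ProviderName -eq $Source } |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Count   = $_.Count
            EventId = $_.Name
            Sample  = ($_.Group[0].Message -split "`n")[0]
        }
    } |
    Format-Table -AutoSize
```

Run it once a day for the analysis period and compare the tables: sources that dominate the counts but never need operator action are candidates for exclusion, and a (source, event ID) pair that corresponds to a condition you do want to act on, such as the paper-jam example, is the one to include in a filter policy for that system.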