Modifying an Event Source

To modify an event source in the current filter policy

  1. Click the desired event source in the Windows Filter Policy window.

  2. Click Modify Entry on the Edit menu. The Modify Event Source dialog box appears. The name of the event source also appears in the title of the window.

  3. Set the Options settings to specify the types of Windows events to forward to Operations Sentinel.

The options are

If you select the Include or Exclude option, you can enter data in the corresponding Include/Exclude Event IDs field. An event ID is a Windows-specific number that identifies an event. You can enter single event IDs or ranges of event IDs. For example, you could enter: 1,4–7,9,11,100–299,1000–* (the asterisk represents the highest value of an event ID).

Note: The Windows Agent combines the event source and its event-id for each event to form the alert-id in alert event reports that it sends to Operations Sentinel. The alert-id is displayed in the Alerts windows of Operations Sentinel Console and controls the execution of actions in the active alert policy. As you monitor Windows events, you will become familiar with their associated IDs. A detailed listing of the event-IDs is not available in Windows documentation.

  4. Click OK to save the event source changes.
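
The following added example (not part of the product documentation or the Windows Agent) parses the event ID list syntax described for the Include/Exclude Event IDs field and reports which IDs on a watchlist the filter would not forward. It assumes that Include forwards only the listed IDs and Exclude forwards everything except them, and that both the hyphen and the en dash are accepted as range separators; the function names and the watchlist are hypothetical.

```python
import re

# One entry: a single ID ("9") or a range ("4-7", "1000-*").
# Assumption: the ASCII hyphen and the en dash printed in the example above both work.
_ENTRY = re.compile(r"^([0-9]+)(?:\s*[-\u2013]\s*([0-9]+|\*))?$")


def parse_event_ids(spec):
    """Return a list of (low, high) tuples; high is None for an open-ended 'N-*' range."""
    ranges = []
    for raw in spec.split(","):
        m = _ENTRY.match(raw.strip())
        if not m:
            raise ValueError("bad event ID entry: %r" % raw)
        low = int(m.group(1))
        if m.group(2) is None:
            high = low                      # single event ID
        elif m.group(2) == "*":
            high = None                     # asterisk = highest event ID value
        else:
            high = int(m.group(2))
            if high < low:
                raise ValueError("reversed range: %r" % raw)
        ranges.append((low, high))
    return ranges


def listed(ranges, event_id):
    """True if event_id falls inside any parsed entry."""
    return any(low <= event_id and (high is None or event_id <= high)
               for low, high in ranges)


def not_forwarded(mode, spec, watchlist):
    """Return the watchlist IDs that the filter would drop.

    Assumed semantics (not stated on the page): 'include' forwards only
    listed IDs; 'exclude' forwards everything except listed IDs.
    """
    if mode not in ("include", "exclude"):
        raise ValueError("mode must be 'include' or 'exclude'")
    ranges = parse_event_ids(spec)
    return [e for e in watchlist if listed(ranges, e) != (mode == "include")]


# Constructed watchlist: 1102 = audit log cleared, 4625 = failed logon, 4720 = account created
WATCHLIST = [1102, 4625, 4720]
PAGE_EXAMPLE = "1,4\u20137,9,11,100\u2013299,1000\u2013*"  # the list shown in the text above
```

Running `not_forwarded` against a proposed list before saving the event source shows whether a narrowed Include list or a broad Exclude range would silently stop alerts for events you rely on.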