Better Noise Filtering for Windows Event Logs in v5.2

Version 5.2 of LogMeister and EventMeister builds on the existing “custom log view” facility by adding ready-made noise suppression scripts. Let’s take a look at the custom log view interface to see how to use this new feature.

You can access the custom view screen either from the event log feed wizard (for new feeds you’re creating) or from the Event Log page of an existing feed’s properties:

The custom view screen is shown below. As you can see it has two tabs, “Include” and “Exclude”:

The “Include” tab lets you specify which event logs – and which basic event types – contribute to the feed. A single feed can receive events from every event log on the remote machine, from just one event log, or from any number in between. Combining events from multiple logs into a single feed makes for more efficient use of network bandwidth, but if you prefer to have a feed dedicated to just one event log (e.g. Security) you can of course do so.

The “Exclude” tab is where the new noise-suppression features live:

At its heart is an editable script, written in the Windows Event Log’s XML-based query language (a QueryList of XPath expressions, the same format Event Viewer uses for its “XML” filter tab), that tells the remote machine to suppress events that fit a certain pattern. The great thing is you don’t need to be a whiz at writing the queries, because a handful of preset queries are provided to get you started. These include:

  • A script for suppressing 4688 (“A new process has been created”) events for common system processes
  • A script for suppressing events related to Kerberos ticket renewal
  • A script for suppressing logon failures that are caused purely by a time-sync mismatch

You can use these preset scriptlets as-is, or add them to the box and tweak them to match your exact requirements. However you use them, their key advantage is that they are applied by the remote computer before any events are transmitted across the network to LogMeister / EventMeister. The result? Better use of network bandwidth and a much clearer view of what’s happening on the remote machine, with far fewer “noise” events to wade through. One caveat when tweaking them: anything a script suppresses never reaches LogMeister / EventMeister at all and survives only in the remote machine’s own log until that log wraps, so keep the match conditions tight (for 4688, the full image path rather than a bare process name, since anything can be called svchost.exe) and compare a feed’s raw event count before and after enabling a script.
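The following PowerShell is an added example and not LogMeister / EventMeister code or one of its shipped presets: it builds a suppression script of the kind described above in the Windows Event Log XML query language and dry-runs it with Get-WinEvent on the local Security log, so you can see what a filter removes before pasting it into the Exclude box. The process list is illustrative; the event IDs are assumptions on our part about what the three presets target (4770 for Kerberos service ticket renewal, and 4768/4771 with Status 0x25, KRB_AP_ERR_SKEW, for clock-skew logon failures). Run it from an elevated prompt on a machine where process-creation auditing is enabled.

```powershell
# Added example, not product code. Builds a Suppress filter in the Windows Event Log
# XML query language and dry-runs it locally before it goes into the Exclude tab.
# Assumptions: the process list is illustrative; 4770 = Kerberos service ticket renewed;
# 4768/4771 carry clock skew as EventData Status '0x25' (KRB_AP_ERR_SKEW).

$noisyProcesses = @(
    'C:\Windows\System32\conhost.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\backgroundTaskHost.exe'
)

# The event log's XPath subset has no wildcards or contains(), so every full path is
# matched exactly. That is also what you want: a svchost.exe started from a
# user-writable directory does not match and is therefore still forwarded.
$processPredicate = ($noisyProcesses | ForEach-Object {
    "Data[@Name='NewProcessName']='$_'"
}) -join ' or '

$suppressClauses = @(
    # Process creation for the listed system binaries (the idea behind the 4688 preset)
    "*[System[EventID=4688]] and *[EventData[$processPredicate]]",
    # Kerberos service ticket renewals (assumed event ID)
    "*[System[EventID=4770]]",
    # TGT requests / pre-auth failures whose only cause is clock skew (assumed ID and status)
    "*[System[(EventID=4768 or EventID=4771)]] and *[EventData[Data[@Name='Status']='0x25']]"
) | ForEach-Object { "    <Suppress Path=`"Security`">$_</Suppress>" }

# Select everything from the last 24 hours, then subtract the Suppress clauses.
# '<' must be written as &lt; inside the XML, exactly as Event Viewer does.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
$($suppressClauses -join "`n")
  </Query>
</QueryList>
"@

# Dry run: raw count for the same window versus what survives the filter.
$since    = (Get-Date).AddHours(-24)
$raw      = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue)
$filtered = @(Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue)

"Raw events     : $($raw.Count)"
"After Suppress : $($filtered.Count)"
"Removed        : $($raw.Count - $filtered.Count)"

# Sanity check: no 4688 for a listed path should survive (NewProcessName is
# Properties[5] in the 4688 EventData layout).
$leaked = $filtered | Where-Object {
    $_.Id -eq 4688 -and $noisyProcesses -contains $_.Properties[5].Value
}
if ($leaked) { Write-Warning "Filter leaked $($leaked.Count) 4688 events; check the paths above." }

# Print the query so it can be pasted into the Exclude box as-is.
$query
```

Only the contents of `$query` go into the Exclude tab; the Get-WinEvent calls are just there to prove the filter does what you think before it starts dropping events at the source.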

You may also notice the new “Templates” button in the bottom left of the screen. This lets you save the settings on both the Include and Exclude tabs as a template which you can re-use when creating new feeds, or as a convenient way of bringing the same settings to your other existing feeds.

One more thing – if there are noise events you’d like to filter out but you’re not sure how to craft that into a script, just head over to our online help desk and submit a ticket; we’ll be happy to help!