I've also been experimenting with the NOT filtering and have seen some strange results.
I've mostly been dealing with using the NOT filter with Event IDs as it is easiest, and have a server with the following string in the Event ID field:
6161,1111,5723,12061,5805,14,28
Now, on this server I see all these events regularly, and the following actually do get filtered out:
1111,12061,5805,5723
These don't get filtered:
28,14,6161
I've even tried using a regex in the match string for the ones that don't get filtered and I've had no luck. Example:
The 6161 error looks something like this -
System [error] [print #6161]: The document work orders owned by USER failed to print on printer PRINTER#1. Data type: NT EMF 1.008. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the docu
And I've used a simple string of - failed to print - to try and catch it but that also does not filter this message out. I have had success filtering out other messages with much longer regex strings like:
secure session|failed to print|KRB_AP_ERR_MODIFIED|\\Device|ntmssvc|session setup|synchronization
This string does filter out a lot of the events but not all.
I've tried this with just one filter defined, or 2 filters defined. I don't use the All Logs scope ever but limit it to Application Logs and System logs individually.
Hope this helps. I'm more than willing to test out anything you might need to test as well.
-Patrick