Filter Conditions

Filter conditions specify when a rule should run. If the filter condition evaluates to true, the actions in that rule are executed.

In practice, filters let you decide which Windows events should be forwarded, which should be routed differently, and which should be ignored.

How to use them well

• Start with broad filters so the event path is easy to verify.

• Narrow down with event source, event ID, severity, or log name.

• Add message-content filters only after the basic event path works.

• Remember that rule order matters just as much as the filters themselves.

Detailed filter references

• Global Conditions
• Date Conditions
• Operators
• Filters
  • REGEX Compare Operation

Basic filters

• General
• Date/Time
• InformationUnit Type

Network-related filters

• Syslog

Windows and file monitoring filters

• Event Log Monitor
• Event Log Monitor V2
• File Monitor

Custom properties

• Custom Property
• Extended Number Property
• Extended IP Property
• File Exists
• Store Filter Results