Custom Alerts, changes and mapping to Windows Event Log string values
So, we recently upgraded to the latest version of ELA (11.13.2) and there are considerable changes to the Custom alerts. Things like: you can't use a - (dash) in the alert name, custom alerts have a lot of pre-defined options to choose from a drop-down, etc.
My existing custom alert profiles seem to have transferred, i.e. the dashes are still in the names and they seem to work, but things like custom fields are not matching Windows Event Logs. For example, I have a custom alert that checks for ANY event log entry with the string 'disk' in the Source property. However, now Source is under Barracuda Device. There is not a 'Source' field under the Windows Event Log section, and there are a bunch of pre-defined entries under the Windows Event Log section that I have no idea what they map to.
We found that we have a false positive, e.g. Virtual Disk Service starts and stops... this triggers the alert... so I'm unsure why, if it is set to the Barracuda Device - Source field, but yeah. So now I want to add a conditional so that it only triggers if the Source contains 'disk' and NOT 'Virtual Disk Service'. However, adding an AND conditional, choosing Barracuda Device - Source, and setting the conditional to NOT CONTAINS 'virtual disk service' doesn't prevent the alert from triggering.
Additionally, I would like to make it so it only triggers if the event log entry is of Warning or Critical level, not Informational, as the false positive noted above is... however, there isn't a Severity or 'Level' equivalent option I can discern in the Windows Event Log section.
The Help document doesn't have much information on Custom alerts. Is there a mapping listing or a good tutorial that shows how to set up/filter a custom Windows Event Log alert?
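The three conditions the post is trying to express in the alert builder (Source contains 'disk', Source does not contain 'Virtual Disk Service', and Level is Critical/Error/Warning rather than Informational) are easy to state against the raw Windows event record, which is a useful sanity check before trying to reproduce them in a product's drop-downs. The following is an added example, not code from the post or from ELA: it parses trimmed, constructed Windows event XML records (the same `<System>` element Event Viewer shows under "Details > XML View", where Event Viewer's "Source" column is the `Provider Name` attribute and `<Level>` is the numeric severity, 1 = Critical, 2 = Error, 3 = Warning, 4 = Information) and applies the filter. The sample records, the helper names and the specific event IDs used are assumptions for illustration.

```python
"""Apply the alert logic from the post to Windows event records:
Source contains 'disk' AND Source does NOT contain 'Virtual Disk Service'
AND Level is Critical, Error or Warning (not Informational).

Added example; not code from the post or from the ELA product."""
import xml.etree.ElementTree as ET

# Default namespace used by every Windows event record's XML view.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Numeric <Level> values as written in the record (Event Viewer shows the names).
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error",
               3: "Warning", 4: "Information", 5: "Verbose"}
ALERT_LEVELS = {1, 2, 3}  # Critical, Error, Warning: everything but Information/Verbose


def parse_event(xml_text):
    """Pull Source (Provider Name), EventID, Level and Channel out of an event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "source": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "level": int(system.find("e:Level", NS).text),
        "channel": system.find("e:Channel", NS).text,
    }


def should_alert(event, must_contain="disk",
                 must_not_contain="Virtual Disk Service", levels=ALERT_LEVELS):
    """Case-insensitive CONTAINS / NOT CONTAINS on Source, plus a level gate."""
    src = event["source"].lower()
    if must_contain.lower() not in src:
        return False
    if must_not_contain.lower() in src:
        return False
    return event["level"] in levels


def record(provider, event_id, level, channel="System"):
    """Build a trimmed, constructed event record (real records carry more elements)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        f'<Level>{level}</Level><Channel>{channel}</Channel></System></Event>'
    )


# Constructed sample log: hypothetical event IDs, chosen to exercise each branch.
SAMPLE_EVENTS = [
    record("disk", 51, 3),                   # Warning from the 'disk' driver -> alert
    record("Virtual Disk Service", 0, 4),    # the post's false positive -> suppressed
    record("Virtual Disk Service", 1, 2),    # Error, but excluded by NOT CONTAINS
    record("Disk", 11, 2),                   # Error, case differs but still matches
    record("disk", 32, 4),                   # Informational -> suppressed by level gate
    record("Service Control Manager", 7036, 4),  # no 'disk' in Source at all
]


def run(xml_records):
    """Return (source, event_id, level name) for every record that should alert."""
    return [
        (ev["source"], ev["event_id"], LEVEL_NAMES[ev["level"]])
        for ev in map(parse_event, xml_records)
        if should_alert(ev)
    ]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Running it alerts only on the `disk`/51 Warning and the `Disk`/11 Error; the Virtual Disk Service records are dropped by the NOT CONTAINS clause regardless of level, and the Informational `disk` record is dropped by the level gate. The same pre-filter can be done at the source on a Windows host with `Get-WinEvent -FilterHashtable @{LogName='System'; Level=1,2,3}` and a `Where-Object` on `ProviderName`, which is a quick way to confirm which Source/Level combinations actually exist before building the product-side alert.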