Reducing notification noise in Windows event logs
The SolarWinds N-central Windows Event Log service enables you to filter events so that only relevant notifications appear. In any network with Windows devices, hundred or thousands of events can occur during the day. As you add additional instances of the Windows Event Log service, the number of notifications will increase.
Most events are not serious issues and do not require attention. It is essential to pare down event log notifications so that important alerts do not get lost in a stream of irrelevant information. By reducing the events that generate notifications, you can remove the noise and focus on the alerts that most require your attention.
Events that do not result in alerts are still recorded and can be viewed in the customer level Windows Event Log.
Filtering by Event IDs
Once you start receiving notifications, you should review with your team to determine which alerts are really needed and which are merely informative, and adjust the settings for each instance of the service accordingly.
All the information needed to filter your alerts is contained in the email notifications. Using this information, you can
- include or exclude events by ID and by Source,
- filter by Event Log Name and Event Type, and
- set up regular expression filters for the Event Description.
Event IDs are only unique within a source. For example, 2501 represents an Information event in DNS and an Error in MSExchangeADAccess. If you receive this notification, you can decide that although it is an error, it is not really important enough to warrant an email alert.
The best way to exclude an event is to specifically exclude its ID. In this case would mean entering
2501 in the Event ID Exclude List box on this instance of the service. You can enter IDs separated by commas, or enter a range.
The Windows event log report
You can review the Windows Event report as an alternative to using the notification emails to find the IDs of frequent events. This shows which event IDs are appearing most often. You can decide which are noise and which require attention.
Another way to reduce the number of notifications is to set the Scan Interval for a service to a longer period. Rather than scanning the log every 30 minutes SolarWinds N-central scans it every twelve hours (1440) or once a day (28800). This is useful for events that occur very frequently but do not need to be responded to immediately.
The Windows event log management template
Windows Event Log services are used in many default service templates. To avoid having to edit each of these every time you customize the details for a service, SolarWinds N-central provides a service template called the Window Event Log Management Template. This contains all the default Windows Event Log services to make any changes. The Action for each service is Modify. This will update the service on devices where the service is already present but not add it to others.
If you intend to use the Windows Event Log Management Template, create a rule to apply the template whenever the settings for the services are changed.
When you make changes to a service in this template, remember to select the associated devices to which it should be applied.