If a file is truncated while the adapter is active, the adapter
automatically resets its internal pointer to the beginning of the file.
If, during the polling interval, the file is overwritten, removed, or
recreated with more lines than it had at the previous poll, only the
lines beyond the previous line count are read. For example,
suppose the file has one line. After the poll interval elapses, the file is
overwritten with two lines. Only the second line is read on the
next poll.
NumEventsToCatchUp
Specifies which event in the Windows event logs the adapter
starts with. This option provides some flexibility if the source being
monitored is new or the adapter has been stopped for an extended
period of time. Valid values are as follows:
0 Start with the next event in the logs.
-1 Start with the oldest event in the logs.
n n represents any number other than zero (0) or -1. Start
with the nth event from the most current event in the logs;
that is, start n events back from the most current event in
the logs. If n is greater than the number of events that are
available, all the events that are available are processed.
PollInterval
Specifies the frequency, in seconds, to poll each log file listed in the
LogSources keyword for new messages. The default value is 120
seconds.
PreFilter
Specifies how events in a Windows event log are filtered before
adapter processing. PreFilter statements are used by PreFilterMode
when determining which events are sent from an event log to the
adapter. An event matches a PreFilter statement when each
attribute=value specification in the PreFilter statement matches an
event in the event log. A PreFilter statement must contain at least
the log specification and can contain up to three additional
specifications, which are all optional: event ID, event type, and
event source. The order of the attributes in the statement does not
matter.
The basic format of the PreFilter statement is as follows:
PreFilter:Log=log_name;EventId=value;EventType=value;Source=value;
You can specify multiple values for each attribute by separating
each with a comma.
Each PreFilter statement must be on a single line.
You can also use Tcl regular expressions in a PreFilter statement.
The format of a regular expression is re:'value_fragment'.
Note: The IBM Tivoli Enterprise Console product uses one
exception to the Tcl regular expression syntax. The backslash
character (\) in the IBM Tivoli Enterprise Console product
means the literal character that follows is the character to
filter for, not some special character such as a tab. For
example, \t means the tab character in Tcl but means t in
the IBM Tivoli Enterprise Console product.
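The PreFilter rules above (required Log specification, comma-separated values, and the backslash exception for re:'value_fragment') can be checked before a statement is deployed. The following Python code is an added example, not code from the original guide or from the IBM Tivoli Enterprise Console product. Assumptions: Python's re module stands in for Tcl regular expressions, a regular expression may match anywhere in the field, plain values compare exactly and case-sensitively, any one of several comma-separated values may match, an attribute appears at most once, and all function names, statements, and event data are constructed for illustration.

```python
import re

ALLOWED = {"Log", "EventId", "EventType", "Source"}
# One value: a quoted re:'...' fragment, or plain text without , ; or '
VALUE = r"(?:re:'(?:[^'\\]|\\.)*'|[^,;']+)"
SPEC = re.compile(rf"\s*(\w+)=({VALUE}(?:,{VALUE})*)\s*;")

def tec_regex(fragment):
    # Documented exception: backslash + char is that literal char (\t is t, \d is d).
    return re.compile(re.sub(r"\\(.)", lambda m: re.escape(m.group(1)), fragment, flags=re.S))

def compile_value(value):
    if value.startswith("re:'"):
        return lambda field, rx=tec_regex(value[4:-1]): rx.search(field) is not None
    return lambda field, want=value.strip(): field == want

def parse_prefilter(line):
    line = line.strip()
    if "\n" in line or not line.startswith("PreFilter:"):
        raise ValueError("a PreFilter statement must be one PreFilter: line")
    body, pos, specs = line[len("PreFilter:"):], 0, {}
    while pos < len(body):
        m = SPEC.match(body, pos)
        # Unknown attribute, malformed value, or repeated attribute (assumed invalid)
        if not m or m.group(1) not in ALLOWED or m.group(1) in specs:
            raise ValueError(f"bad specification at offset {pos}: {body[pos:]!r}")
        specs[m.group(1)] = [compile_value(v) for v in re.findall(VALUE, m.group(2))]
        pos = m.end()
    if "Log" not in specs:
        raise ValueError("the Log specification is required")
    return specs

def matches(specs, event):
    # Every specification must match; within one, any listed value may match.
    return all(any(p(str(event[a])) for p in preds) for a, preds in specs.items())

# Constructed sample events and statements (not from the original page).
EVENTS = [
    {"Log": "Security", "EventId": 4625, "EventType": "AuditFailure", "Source": "Security"},
    {"Log": "Security", "EventId": 4624, "EventType": "AuditSuccess", "Source": "Security"},
    {"Log": "System", "EventId": 7036, "EventType": "Information", "Source": "Service Control Manager"},
]
OK = parse_prefilter("PreFilter:Log=Security;EventId=4625,4740;EventType=re:'Failure';")
TCL_STYLE = parse_prefilter(r"PreFilter:Log=Security;EventId=re:'^46\d\d$';")

def selected(specs):
    return [e["EventId"] for e in EVENTS if matches(specs, e)]
```

The second statement parses without error but selects none of the sample events, because under the backslash exception \d is read as the letter d rather than a digit class.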
Chapter 10. Windows Event Log Adapter 113