So question, we have a profile in our base ntevl probe that matches on the following:
[PROFILES]
[MSExchange]
source = /(?i)MSExchange.*/
event_id = 1003,1012,1112,..etc+..
This captures many 'bad' MSExchange* related events from all sources that start with MSExchange. But it also captures one from the source:
MSExchangeApplicationLogic with Event ID 1003, which is not a bad event. It's a 'success' event ID and we don't want to alert on it.
Instead of creating 25+ exact source-specific Event 1003 profiles, would adding this one source-specific profile to the Exclude tab override the profile and not cause the probe alarm to get triggered from the Profiles tab?
So if I added to the EXCLUDE tab:
[EXCLUDE]
[MSExchangeAppLogic1003Exclude]
source = /(?i)MSExchangeApplicationLogic.*/
event_id = 1003
Would this then NOT alarm even though it would match the condition in the Profiles tab?
#ntevl #exclude #override
------------------------------
Daniel Blanco
Enterprise Tools Architect
Alphaserve Technologies
------------------------------