Event Log

In the Event Log section you can specify the options for capturing the system Event Log entries.

NOTE: The Event Log options are applicable only for Windows computers. When auditing Linux and Mac computers, these options are ignored.

The Enable Event Log scan check box allows you to temporarily enable or disable these options.

  • Application Log - This log contains events logged by Windows applications.

  • Security Log - This log contains all the security-related events: logons and logoffs, file-access failures and successes, startup and shutdown events, etc.

  • System Log - This log contains events logged by the Windows system components.

  • DNS Server Log - This log contains events logged by Windows DNS service. Events are associated with resolving DNS names to or from Internet Protocol (IP) addresses. (Available only on computers configured as DNS servers.)

  • Directory Service Log - This log contains events logged by Windows directory service. (Available on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 domain controllers.)

  • File Replication Service Log - This log contains events logged by Windows File Replication service during the replication process between domain controllers. (Available on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 domain controllers.)

Under Event Types, select what types of events you want captured - Error, Warning, Information, Success audit, or Failure audit.

Under Scope, you can set the time period for capturing the Event Logs data by selecting it in the Capture Event Log information for the last... drop-down list.

If you want to capture only a limited number of most recent events in each of the selected logs, select the Capture only last... check box and enter the number of events to capture.

If you want to capture only events that satisfy certain criteria, select the Enable Filtering check box and create a number of filtering conditions.

Filtering conditions

You can perform the following actions in the Event Log section:

  • Click New to add a new filtering condition.

  • Select a condition and click Open to edit the selected condition.

  • Select a condition and click the Delete icon to remove the selected condition from the list.

  • Clear or select the Enable Filtering check box to temporarily disable or enable filtering conditions.

Adding and Editing filtering conditions

The Edit Log Event Filter window allows you to add or edit filtering conditions. Events can be filtered by the following parameters:

  • Source - the name of the application that logged the event;

  • Category - the classification of the event, as defined by the event source;

  • Event ID - the event ID, as defined by the event source;

  • User - the user name, if the event is attributed to a specific user;

  • Computer - the name of the computer where the event occurred.

Log Event Filter

You can assign multiple conditions to a single parameter. Conditions on the same parameter that use the "is" operator are combined with OR logic; conditions on the same parameter that use the "is not" operator are combined with AND logic. Conditions on different parameters are combined with AND logic.
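The combination rules above, modelled as an added example (not the product's own code) over a few constructed sample events. It assumes that when one parameter carries both "is" and "is not" conditions, both groups must hold, and that comparison is exact and case-sensitive; the page does not state either.

```python
from collections import defaultdict

# Constructed sample events (not from the page); keys mirror the filter parameters.
SAMPLE_EVENTS = [
    {"Source": "Security-Auditing", "Category": "Logon", "Event ID": "4624", "User": "alice", "Computer": "WS01"},
    {"Source": "Security-Auditing", "Category": "Logoff", "Event ID": "4634", "User": "alice", "Computer": "WS01"},
    {"Source": "Service Control Manager", "Category": "None", "Event ID": "7036", "User": "SYSTEM", "Computer": "WS01"},
    {"Source": "Security-Auditing", "Category": "Logon", "Event ID": "4625", "User": "bob", "Computer": "DC01"},
]

def event_matches(event, conditions):
    """conditions: list of (parameter, operator, value), operator is "is" or "is not".
    "is" conditions on one parameter: OR; "is not" conditions on one parameter: AND;
    different parameters: AND. Assumption: both groups must hold if a parameter has both.
    """
    grouped = defaultdict(lambda: {"is": [], "is not": []})
    for parameter, operator, value in conditions:
        if operator not in ("is", "is not"):
            raise ValueError(f"unknown operator: {operator!r}")
        grouped[parameter][operator].append(value)

    for parameter, ops in grouped.items():
        actual = event.get(parameter, "")
        if ops["is"] and not any(actual == v for v in ops["is"]):
            return False  # none of the ORed "is" values matched
        if ops["is not"] and not all(actual != v for v in ops["is not"]):
            return False  # one of the ANDed "is not" values matched
    return True  # every parameter group passed (AND across parameters)

def filter_events(events, conditions):
    """Return the events that satisfy the filter, in their original order."""
    return [e for e in events if event_matches(e, conditions)]

# Keep Security-Auditing events, but drop logoff events (4634 or 4647)
# and anything recorded on DC01.
EXAMPLE_CONDITIONS = [
    ("Source", "is", "Security-Auditing"),
    ("Event ID", "is not", "4634"),
    ("Event ID", "is not", "4647"),
    ("Computer", "is not", "DC01"),
]

if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS, EXAMPLE_CONDITIONS):
        print(e["Event ID"], e["Source"], e["User"], e["Computer"])
```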

If you want to temporarily disable filtering conditions, clear the Enable Filtering check box.