The Windows Event Log monitor uses WMI authentication to listen for Windows events on the devices to which it is assigned. To use multiple Windows Event Log monitors, assign a unique monitor to each device. When assigning a Windows Event Log monitor, ensure the device has credentials assigned to it first.

Provide a unique name and description for the monitor, then configure the following:

  • Conditions. Click the icon to launch the WinEvent Condition dialog and create a condition to match, then repeat to complete a list of conditions, if needed. Only log entries matching these expressions are converted to events. Conditions are processed sequentially from top to bottom. As each condition is evaluated, its results are applied to the next condition until all conditions are evaluated.
    Warning: Any combination using both AND and OR operators is not supported.
  • Payload. Click the icon to launch the Rules Expression Editor to create an expression, test it, and compare it to potential payloads. Use the corresponding icons to add or edit an expression or to remove an expression from the box.
    Important: If you have multiple payload "match on" expressions, they are linked by "OR" logic, not "AND" logic. If you have two expressions, one set to "AB" and the other to "BA", it matches against a trap containing any of the following: "AB" or "BA" or "ABBA".