Creating new events processing rules

To create a new event processing rule:

1. Click Configuration tab > Event Processing Rules.

Creating a new rule

2. Right-click the rule-set where the new rule will be created and click Create new rule…

3. Specify the name and description (optional) for the new rule. Click Next.

Select the logs which the rule will be applied to

4. Select the event logs to which the rule applies.

5. (Optional) Click Add custom log… to insert an event log which you pre-configured. Click Next. For more information refer to Collecting custom events.

Configure the rule conditions

6. Click Add to select a field on which to base the query condition. For the selected field, specify the Field Operator and Field Value. Click OK.


Repeat this step until all the required fields are selected. For more information refer to Building query restrictions.


To filter events that refer to an administrator user (events having the security identifier SID that identifies a logon administrator session), ensure that if the event source is a domain member, the domain controller must also be added as an event source. For more information refer to Creating a new event source group.

Select event occurrence and importance

7. Specify the time when the rule is applicable. Example: anytime, during working hours or outside working hours. Working and non-working hours are based on the operational time parameters configured for your event sources. For more information refer to Configuring event source operational time.

8. Select the classification (critical, high, medium, low or noise) that will be assigned to events that satisfy the conditions in this rule. Click Next.

Select the triggered action

9. Specify which actions are triggered by this rule and click Next. Available actions are:

Action Description
Ignore the event Select this option so that GFI EventsManager will ignore the event and not trigger any actions or notifications.
Use the default classification actions

Select this option to use the pre-configured Default Classification ActionsThe activity that will be carried out as a result of events matching specific conditions. For example you can trigger actions whenever an event is classified as critical. Actions supported by GFI EventsManager include Email alerts, event archiving and execution of scripts..

Use the following actions profile

The ArchiveA collection of events stored in the SQL Server based database backed of GFI EventsManager. All profile is added by default. To create a new profile:

1. From the drop-down menu, select <New actions profile...>. This launches the New actions profile... dialog.

2. Specify a name for the new profile in the Action Profile Name text box.

3. Select the actions that you want the profile to perform. The following actions are available:

  • Archive the event
  • Send email alerts to
  • Send network message to
  • Send SMS message to
  • Run file
  • Send SNMP Message
  • Scan computer
  • Run checks on computer.


If Run checks on computer is selected, ensure that the computer has monitoring checks processing enabled. For more information refer to Configuring event source monitoring.

4. For each action you select, click Configure to set the parameters.

10. Click Apply and OK.


Assign the new rule(s) to your event sources. For information about how to collect event logs and process them using the specified events processing rules, refer to Collecting Event Logs.