ELM Database Retention Policy


Event Data

Event log records produce a high volume of data. It is recommended that you configure the Retention Policy to periodically archive and/or delete dated or unneeded records. To archive data, an archive database must be set up on the Connections tab.

Retention

The Retention tab controls the amount of time that events are kept in the primary ELM database. Records older than the age specified in this window are deleted at the Scheduled Interval and Scheduled Hours selected in the Schedule dialogs.

Retain - Enter the amount of time to keep data in the ELM Primary database.

Archive - If Archive is enabled (checked), records will be copied to the Archive Database before deletion from the Primary database. The Archive checkbox is disabled (grayed out) if the archive database has not been configured.


Event Filter Criteria

The following fields are available for filtering purposes:

Agent Category is

Computer Name is

Log Name is

Username is

Event Source is

Event ID is

Category is

Message contains

This dialog box has a dynamic menu behavior. The ellipsis buttons next to the Agent Category is, Computer Name is, Log Name is, and Event Source is fields browse and display the computer names, event log names and event sources. If the Computer Name is field is left empty, the list of event Logs and Sources is generated based on the event sources registered on the ELM Console computer (e.g., the local computer). If you enter a valid, resolvable name in the Computer Name is field and then click the ellipsis for the Log Name is or Event Source is fields, the list of event Logs and Sources from that system will be displayed. If the log or event source from which you want to collect data does not appear on the list, type it in the appropriate field. For example, if you are not running DNS on your ELM Server or Console, but want to collect events from the DNS log only, type DNS in the Log Name is field.

If a field is blank, it will match every value in the field. For example, if the Computer Name is field is blank, the Filter will apply to all monitored computers. If all Event Types are unchecked when the Event Filter is saved, all of the Event Types will be checked. This is by design.

Leading and trailing wildcards ( * ) and character position wildcards ( ? ) are supported, as are the Boolean operators Or ( | ), And ( & ), and Not ( ! ). However, regular expressions are not supported. You may use these wildcards to specify the criteria to be applied. For example, to select messages from SQL Server you may specify *SQL* as the event source to select any Source name containing the letters SQL. To match SQL messages from servers ALPHA, BRAVO, or CHARLIE you would enter ALPHA|BRAVO|CHARLIE in the Computer Name is field.

 

Important
Leave no white space adjacent to the operators. In addition, understand that if more than one filter is used, events passing any filter will be archived. Events not included in any filter will be permanently deleted.
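
The matching rules above, sketched as an added Python example (not ELM's own code) for dry-running a set of filters against sample events before the scheduled purge deletes anything. Assumed, not documented on this page: ! binds tighter than &, which binds tighter than |; matching is case-insensitive; white space is treated as part of the pattern; the dictionary key names and the sample events are constructed.

```python
import re

def _glob(pattern):
    # '*' = any run of characters, '?' = exactly one character, rest literal
    # (no regular-expression syntax is honoured, matching the page).
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body, re.IGNORECASE | re.DOTALL)  # case-insensitivity assumed

def field_matches(expr, value):
    """One filter field against one event value. A blank field matches everything.
    Assumed precedence: '!' tightest, then '&', then '|'."""
    if expr == "":
        return True
    def term(t):
        if t.startswith("!"):
            return not term(t[1:])
        return _glob(t).fullmatch(value) is not None
    return any(all(term(t) for t in alt.split("&")) for alt in expr.split("|"))

def event_matches(flt, event):
    # Every field set in a filter must match; an event lacking that field
    # is treated as having an empty value.
    return all(field_matches(expr, event.get(name, "")) for name, expr in flt.items())

def disposition(filters, event):
    # Passing any one filter means archive; passing none means permanent deletion.
    return "archive" if any(event_matches(f, event) for f in filters) else "delete"

# Constructed filters and events (hypothetical key names mirror the dialog fields).
FILTERS = [
    {"Computer Name": "ALPHA|BRAVO|CHARLIE", "Event Source": "*SQL*"},
    {"Log Name": "DNS"},
]
EVENTS = [
    {"Computer Name": "ALPHA", "Log Name": "Application", "Event Source": "MSSQLSERVER"},
    {"Computer Name": "DELTA", "Log Name": "Application", "Event Source": "MSSQLSERVER"},
    {"Computer Name": "BRAVO", "Log Name": "Security", "Event Source": "Security"},
    {"Computer Name": "CHARLIE", "Log Name": "DNS", "Event Source": "DNS"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(disposition(FILTERS, ev), ev)
    # White space next to an operator becomes part of the pattern here (assumption).
    print(field_matches("ALPHA | BRAVO", "ALPHA"))
```

In this constructed run the Security log event from BRAVO passes neither filter, so it would be deleted rather than archived, which is the outcome to look for when reviewing a filter set against logs you need to keep.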

Note
If you enter the name of an untrusted system in the Computer Name is field and then use the ellipsis buttons for Log or Event Source, the menus will not be displayed. This is because authentication fails. To work around this problem, first make an IPC$ connection to the target system using alternate credentials. For example, if the untrusted system's name is SERVERA, you could use:
 
 NET USE \\SERVERA\IPC$ /user:SERVERA\administrator *
 
You will be prompted for the password for the account you specify. The dynamic menu behavior will work when the IPC$ connection has been established.