Views


Administrators can quickly diagnose problems by using Views to organize large amounts of event log information. Views group events that match include and/or exclude filters, with the options to notify or report based on that View. Open a View document to see new events as they occur, plus events that may be present from past database queries (view refreshes). The first time an Event View is opened, a database query is run if the Event View is empty. When an Event View is refreshed or its properties are modified, a database query is run and events from the database, as well as those streaming in, are displayed.

Three types of views are present in the ELM Management console:

 Event Views: These are standard event views. All standard event log fields are available, such as Type, Computer, Source, Event ID, Log, Task Category, etc.

 Security Views: Security Views differ from Event Views slightly by design in that only security-related events (audit success and audit failure events) are displayed in the view.  The Security View also uses a security-centric layout to display critical security information from the events. This view displays values from the Event Message field (e.g., Logon Type, Logon ID, etc.) as individual columns for easy sorting. This allows you to customize Views with specific information that is normally buried within the security event log record.

 Correlation Views: ELM Correlation Views watch for specific pairs of events. The most basic configuration requires an Include Filter, a Correlation Filter, and a timer setting. When an event matches the Include Filter, it is designated as the "start event" and the timer begins counting down. If an event matching the Correlation Filter is found before the timer expires, then it is designated as the "end event" and a correlation pair has been found.
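
The pairing logic described for Correlation Views, sketched in Python as an added example (this is not ELM code and does not show how ELM implements it). The two filters (Windows event IDs 4625 and 4624), the computer names, the 60-second timer, and the rule that an end event pairs with the oldest pending start event on the same computer are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    time: datetime
    computer: str
    event_id: int

def is_start(ev):   # Include Filter (assumed): failed logon, Windows event ID 4625
    return ev.event_id == 4625

def is_end(ev):     # Correlation Filter (assumed): successful logon, event ID 4624
    return ev.event_id == 4624

def correlate(events, include, correlation, timer):
    """Return (start_event, end_event) pairs found within `timer`."""
    pairs, pending = [], []          # pending: start events whose timer is running
    for ev in sorted(events, key=lambda e: e.time):
        # Timer expiry: forget start events older than `timer`.
        pending = [s for s in pending if ev.time - s.time <= timer]
        if correlation(ev):
            # Assumption: pair with the oldest pending start on the same computer.
            start = next((s for s in pending if s.computer == ev.computer), None)
            if start is not None:
                pending.remove(start)
                pairs.append((start, ev))
                continue
        if include(ev):
            pending.append(ev)       # designate as a "start event"
    return pairs

# Constructed sample events (not real log data).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    Event(T0, "SRV01", 4625),
    Event(T0 + timedelta(seconds=20), "SRV01", 4624),   # within timer: pair
    Event(T0 + timedelta(seconds=30), "SRV02", 4625),
    Event(T0 + timedelta(seconds=200), "SRV02", 4624),  # after timer: no pair
    Event(T0 + timedelta(seconds=210), "SRV03", 4624),  # no start event: no pair
]

if __name__ == "__main__":
    for start, end in correlate(SAMPLE, is_start, is_end, timedelta(seconds=60)):
        gap = (end.time - start.time).total_seconds()
        print(f"{start.computer}: {start.event_id} -> {end.event_id} after {gap:.0f}s")
```

Lengthening the timer changes the result: with a 300-second timer the SRV02 events also form a pair, which is why the timer setting deserves as much attention as the two filters.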

Records in Event Views are generically referred to as "Events."  Events originate from several sources:

Event log entries collected from Windows-based systems.

Syslog messages received from Syslog clients.

SNMP Traps received from SNMP-capable systems and devices.

ELM Server generated Events.

An Event View has two display modes:

Detail View style (default) shows each event on a single line in the Event View.

Summary View style displays a summary roll-up (i.e., count of events). This display mode is very useful for determining the busiest events across multiple systems by sorting on the Count column heading.

The Display mode can be changed by using the Style option located in the Display area of the Ribbon toolbar.

See Also:

 Create a View

 Edit a View