Hi there, this is my first attempt at a filter. I want to filter a few things but am testing it on something that I know updates quite quickly: "an account was successfully logged on".
So, I did it as a Filter in the Policy editor under the Receiver. I used the Signature ID to try and find it. I enabled it but it does not seem to be working.
Does it look correct?
Do I have to Roll it to the receiver under the operations menu?
Having second thoughts. Should my Filter simply be adding this to Content Strings: An account was successfully logged on?
I still want to collect it as a log to ELM but I don't want to see it in the ESM.
Don't think you can use signature ID, because you want the receiver to match and filter before the event is parsed. Try doing a string match; search for it on the forum.