Event ID Wildcards

In Event Log Queries, there’s no wildcards for Event IDs. Event IDs can be hard to find, vendors do not always publicly release every ID. If we were able to wildcard this field, it could significantly reduce the number of queries we need. We would need a secondary field to exclude IDs to help finetune any noise.

PS Fix Event Type, it does not work properly. For example, I have some IDs with a type of Error, but if an event matches the ID with Event Type of Information, it will still trigger. I submitted this probably a year ago.

@Jimmie Does leaving the Event ID blank not essentially wildcard that field?

I second getting Event type Fixed. I have the following setup and regardless, I get informational alerts.

Can we also get clarification on the difference between Severity (Critical, Error, Warning) and Event Type (Error, Warning, Information, Success Audit, Failure Audit) and how they relate to the Event Viewer level (Critical, Warning, Verbose, Error, Information)?

According to my support interaction, there were no wildcards on the Event ID field. It was added as a feature request in August of 2020 by Karla. I haven’t seen any news of any changes since. I cannot recall if at that time it could be left blank or not. If you are leaving the Event ID blank and it’s firing off alerts, then I guess blanking it is now a wildcard, but will be noisy without exclusions and Event Type working correctly. Severity is a newer field from Microsoft, but I still prefer Event Type and is more widely recognized.

1 Like

Once again, you have proven most helpful!

I recently opened a ticket for this as well. They did acknowledge that this is not working as intended and submitted issue to development.

I submitted mine in Oct 2020 about this issue. November 3rd 2020, it was acknowledged it was a known issue they are working on. Event monitoring is a core of what MSPs do and it has been broken for a long time :(. This shouldn’t be that hard to fix.

1 Like