I'm having an odd amount of trouble deducing the proper syntax to "filter=in" two eventTypes, warning and error.
The line I am using is as follows:
CheckEventLog -a truncate=1023 MaxWarn=1 MaxCrit=1 file='DFS Replication' filter=in "filter.eventSource='DFS Replication'" "filter.eventSource='DFSR'" "filter.eventType==error" "filter.eventType==warning" "filter+generated=<5m" descriptions unique syntax='%message%'
The "filter=in" means "include" all of the filters listed in the condition, versus "filter=out", meaning exclude all the filters listed in the condition.
The meaning of the "filter*X" syntax is:
- '.' optional (like logical OR)
- '+' required (like logical AND)
- '-' not required (like logical OR NOT)
This information is gathered from the documentation.
The odd thing is that, to me, the above syntax means: require the filters listed to be present ('filter=in'), from event source 'DFS Replication' OR 'DFSR', include all warning OR error type events that occurred less than 5 minutes ago.
However, the above syntax returns all eventTypes (including error, warning, information) [from the listed event sources (although I haven't proved that they are explicitly the 'event sources' and not all event sources in the Event Log ('file=')), that occurred less than 5 minutes ago].
Is anyone familiar with how to include two different eventType filters in a CheckEventLog command in NSClient++ v0.3.9?
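An added example, not part of the original post and not NSClient++ code: a small Python model of the prefix rules as quoted above, assuming every '.' filter belongs to one flat OR group and every '+' filter must match ('-' is not modelled). It compares what that reading selects for the posted filters against the grouping the post describes; the events, the clock and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 1, 12, 0)  # fixed clock so the result is repeatable

def ev(source, etype, age_min):
    return {"source": source, "type": etype,
            "generated": NOW - timedelta(minutes=age_min)}

# Constructed sample events, not real Event Log data.
EVENTS = [
    ev("DFSR", "error", 1),
    ev("DFSR", "warning", 2),
    ev("DFSR", "information", 3),
    ev("DFSR", "error", 30),          # older than five minutes
    ev("OtherService", "error", 1),   # unrelated source
]

def recent(e):
    return NOW - e["generated"] < timedelta(minutes=5)

# The posted filters as (prefix, predicate) pairs.
POSTED = [
    (".", lambda e: e["source"] == "DFS Replication"),
    (".", lambda e: e["source"] == "DFSR"),
    (".", lambda e: e["type"] == "error"),
    (".", lambda e: e["type"] == "warning"),
    ("+", recent),
]

def flat_match(e, filters):
    """Assumed reading: all '+' must match, and any single '.' is enough."""
    required = [p for mode, p in filters if mode == "+"]
    optional = [p for mode, p in filters if mode == "."]
    if not all(p(e) for p in required):
        return False
    return any(p(e) for p in optional) if optional else True

def grouped_match(e):
    """The grouping the post describes: (source OR source) AND (type OR type)."""
    return (e["source"] in ("DFS Replication", "DFSR")
            and e["type"] in ("error", "warning") and recent(e))

def select(pred):
    return [(e["source"], e["type"]) for e in EVENTS if pred(e)]

FLAT = select(lambda e: flat_match(e, POSTED))
GROUPED = select(grouped_match)

if __name__ == "__main__":
    print("flat OR reading:", FLAT)
    print("grouped reading:", GROUPED)
```

Under the flat reading, the information event from DFSR passes on its source filter alone and the error from the unrelated source passes on its type filter alone, so a monitoring check built this way would alert on more than the two intended event types.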