Filtering events

Several different categories of events can be monitored by the event monitor. Monitoring of each category can be enabled and disabled through the Event Monitor tab in the WiTS preferences dialog shown below. When WiTS is installed, only a subset of the categories are enabled by default. Only the events matching the filters are displayed in the event monitor and written to the log file.

Event monitor preferences

  • The System resources category enables monitoring of system resources and will log an event when system resources drop below a certain limit. The system resources being monitored include per-process and system-wide thread and handle counts. The thresholds at which system resources are considered to be low can be set through the Event Monitor page in the preferences dialog.
  • The Disk space category enables monitoring of low disk space conditions on the system. The thresholds at which disk space is considered to be low can be set through the Event Monitor page in the preferences dialog.
  • The Process starts and exits category includes events related to the starting of new processes. The process id, the program name and the parent process are logged.
  • The Network connections category includes all new TCP connections and the creation of new TCP and UDP sockets. Termination of connections is not logged, to reduce the number of logged messages.
  • The Driver loads and unloads category enables logging of events pertaining to dynamic loading and unloading of drivers into the operating system kernel.
  • The Windows services category enables monitoring of starting and stopping of Windows services.
  • The Network shares category logs connections to local and remote network shares. Note this capability is not available on Windows 2000.
  • The Logon sessions category enables monitoring of the creation and deletion of logon sessions, including new users logging on and remote sessions.
  • The Windows event log category enables monitoring of the Windows event log. Any events logged there are also shown in the WiTS event log. Note that this can sometimes result in duplicate events: one when WiTS detects the event itself and a second when the application itself writes an event to the Windows event log. An example of this is the startup or shutdown of a Windows service.

The Thresholds frame controls the thresholds for various system resources. When any of these thresholds is crossed, an appropriate event is logged. These thresholds should be tuned as appropriate depending on system resources and load.

Windows Inspection Tool Set V3.2