Hi, I'm trying to build a custom Rule based on a 'standard' Windows rule for Service Entered into an Unpredictable State. I want to basically replicate this rule to maintain its functionality but add additional logic into the expression that will IGNORE two specific services (which I think are stored as Param 1).
I thought it would be easy enough to add in additional and/or groups to do this, but the expression building window seems not to follow the logic I'm trying to build. I was wondering if anyone could assist.
The logic of the default rule is an And group for eventSource equals Service Control Manager with a nested Or group for EventID equals 7037 OR EventID equals 7030. The expanded formula for this gives:
( ( EventSourceName Equals Service Control Manager ) AND ( ( Event ID Equals 7037 ) OR ( Event ID Equals 7030 ) ) )
I want to add to the expression the same logic but need another OR group nested to exclude the 2 specific sources I want to ignore from the rule, i.e. Param 1 Not Equals Shavlik OR Param 1 Not Equals PsShutdown.
Can anyone provide the correct expanded formula to use? No matter what I tried, I wasn't getting the expected results, which is obviously me not building the expression correctly or not understanding the nesting properly! NB: Also, if I have to use Param 1 Does Not Contain Shavlik* (or whatever), that's fine!
Any help much appreciated...
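
The nesting asked about above, as an added example that is not part of the original post or of the product: a Python model of the rule run over constructed events. It assumes Param 1 holds the service name, as the post suggests; the field names and sample values are made up for illustration. It compares the exclusion group joined with OR against the same group joined with AND.

```python
from collections import namedtuple

# Constructed sample events; field names are illustrative, and Param 1 is
# assumed to carry the service name, as the post suggests.
Event = namedtuple("Event", "source event_id param1")
SCM = "Service Control Manager"
EVENTS = [
    Event(SCM, 7030, "Shavlik"),
    Event(SCM, 7037, "PsShutdown"),
    Event(SCM, 7030, "Print Spooler"),
    Event(SCM, 7037, "Shavlik Remote Scheduler"),
    Event(SCM, 7036, "Print Spooler"),             # event ID outside the rule
    Event("Other Source", 7030, "Print Spooler"),  # wrong event source
]
IGNORED = ("Shavlik", "PsShutdown")

def base_rule(e):
    # ( EventSourceName Equals SCM ) AND ( Event ID Equals 7037 OR 7030 )
    return e.source == SCM and (e.event_id == 7037 or e.event_id == 7030)

def or_exclusion(e):
    # As worded in the post: Not Equals Shavlik OR Not Equals PsShutdown.
    # Any value differs from at least one of the two names, so this group
    # is always true and excludes nothing.
    return base_rule(e) and (e.param1 != "Shavlik" or e.param1 != "PsShutdown")

def and_exclusion(e):
    # NOT (A OR B) == (NOT A) AND (NOT B): the exclusions form an AND group.
    return base_rule(e) and (e.param1 != "Shavlik" and e.param1 != "PsShutdown")

def contains_exclusion(e):
    # "Does not contain" variant: also drops values that merely include a name.
    value = e.param1.lower()
    return base_rule(e) and all(name.lower() not in value for name in IGNORED)

def fired(rule):
    """Return the Param 1 value of every sample event the rule matches."""
    return [e.param1 for e in EVENTS if rule(e)]

if __name__ == "__main__":
    for rule in (base_rule, or_exclusion, and_exclusion, contains_exclusion):
        print(f"{rule.__name__:20} {fired(rule)}")
```

In the post's notation, the AND form reads ( ( EventSourceName Equals Service Control Manager ) AND ( ( Event ID Equals 7037 ) OR ( Event ID Equals 7030 ) ) AND ( ( Param 1 Not Equals Shavlik ) AND ( Param 1 Not Equals PsShutdown ) ) ), assuming the expression builder offers Not Equals on Param 1.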