Datto RMM: Event log monitor: Filtering event descriptions



This article describes how to use filter Windows event log descriptions from alerts using the Event Log Monitor.


  • Datto RMM


When using an Event Log Monitor, you can filter the alert criteria based on the event description or message body by using the (-) character in the Event Descriptions field. This step ensures that the Event Log Monitor only triggers and sends alerts based on criteria you find relevant.

Figure 1: Event Descriptions (click to enlarge)

The example in Figure 1 displays two errors in the Windows event log with the Event ID 16387. You would want to exclude any event that contains the Error Code 0x80070002 in its description.

Figure 2: Two example errors (click to enlarge)

To accomplish this, you can enter the (-) character and the Error Code in the Event Descriptions field:

-"Error Code: 0x8007000"

You can also enter only the value of the Error Code:


Another example has a Windows installer event with an Event ID of 1040. You would want to filter Datto RMM installation events.

Figure 3: Event 1040 (click to enlarge)

You can use the wildcard character (%) to filter all events that trigger in a directory path:


You can also add multiple filters by separating each string with a space:

-"0x80070002" -"0x80041326" -"%0x80070002%"

Was this article helpful?

0 out of 0 found this helpful

You must sign in before voting on this article.

Want to talk about it? Have a feature request?

Head on over to our Datto Community Forum or the Datto Community Online.

For more Business Management resources, see the Datto RMM Online Help and the Autotask PSA Online Help .

Still have questions? Get live help.

Datto Homepage