Extracting alerts from the database

I have searched both the forum and the web for any way that I could extract alerts from the Glasswire database
I have had over 500 “Internet access changed” alerts since last August and have not been successful finding the cause and have been keeping an Excel spreadsheet of those alerts. It would be nice to have a Glasswire offshoot that did not connect to the Internet that could edit the database (archived) and archive portions of the database (or if Glasswire could be deactivated and turned into a database editor and then be activated again).
I’m certain there are all sorts of issues with such a tool, but the alerts are one of the data that I have studied to try to nail this problem and the quantity of data is overwhelming.
It would equivalently be helpful if there were a description about how each alert is raised (Win 10 event,…?)

It would also be nice if there were a way to delete all of the “While you were away…” alerts where 0 apps accessed the network; they take up about half of the alert portion of the database. When I noticed how many such alerts were posted I turned off the alert even though the information about what WAS running while I was away would be nice to have.

I did read the thread in the Glasswire Help category that kind of addressed this issue, but I thought maybe here might be a better place to put it.

@MikeLainhart

Thank you for your feedback on extracting our alerts from GlassWire.

We do have a new setting that might help you. Go to our top left menu and choose “settings” then look for “Send GlassWire Alerts to Windows Event Log”. If you check this our alerts are also sent to the Windows Event Log, and I believe the Windows Event Log has many different options for extraction.

Unfortunately though I don’t believe this will send your old alerts there, only new ones going forward.

I retired in 2003 from a real fun career developing software and occasionally managing a small network - it is still fun to try understanding what is going on in my personal little computer world.
That is kind off an excuse for why I have updated Glasswire with less than careful understanding of what is new in the update.
AND, posting the Glasswire alerts to the Event log will be helpful - in the future. I am looking forward to the time when I have my frequent Internet interruptions alleviated so that I can “clear” the history which will be an adequate way of getting rid of the alerts that were of little use to me.
BUT, I’m a little frightened to hit the “Clear” control because I don’t know if I will have the option of archiving the current database. I do see that there are some archived backup databases (not sure where they came from - I didn’t save them) and I have seen some postings about how to open glasswire with those databases - I would feel more comfortable if there was a “Save Database As” and “Load Archived Database” option available - I see there are some old postings requesting that but nothing that specifically says that such an options are not possible. Probably a bad idea to have Glasswire “active” when examining an archived database and it looks like “Deactivate”/“Activate” Glasswire may be an economic option not an operational option.

(By the way: I did turn on the alerts to event logs mostly to see where they were being logged and did see a few “First Network activity” alerts posted but I did not see the alert for Things Monitor turned on. Should ALL alerts be sent to the event logs? If not which ones are not?)

Thanks, Mike

@MikeLainhart

I believe all alerts should be sent to the event logs. If you’re seeing some don’t please be 100% sure they happened before you switched this setting on and I’ll ask our team to try to reproduce this. Sorry for the issue.

Here is how to back up different parts of GlassWire, just in case.
https://www.glasswire.com/userguide/#Backup_Settings

Thanks for your feedback! We’re looking at a more simple backup option.

I don’t know if the settings changes count as “alerts”; they do show up in the alerts tab:

Glasswire alerts to event log1305×668 135 KB

By the way, the restore instructions for the database if the location has been changed, step 2 and 3 I suspect should refer to the locations on the D: drive.

For the alerts we discussed this with our team. We purposely don’t show alerts that show changes to settings because we thought admins would find these alerts annoying, since they just show alerts settings changes.

We’ll continue to discuss if we should make changes in the future, thanks for your feedback.

I’ll share the database instructions with our webmaster, thanks!

Hmm? Seems to me that posting a settings change is an easy way to avoid questions about about “what happened that I never saw that alert before” or thinking that alerts mean that a problem has been fixed when the alert has just been turned off.

Thanks for your feedback. Our team will discuss and decide what to do with future updates.

Wow. That is way out there.

From your screenshot, you have nine other devices that are problem free.

The utility, Event Log Explorer, is unfamiliar to me but it appears to explore only.

Open the Event Viewer (eventvwr.msc) and drill down to
Applications and Services Logs > Microsoft > Windows > Network Profile > Operational
and check for any critical, warning or error events. Otherwise, tons of information events, mostly 4002, 4004, 1000 and 2002 IDs is normal.

Open the Performance Monitor (perfmon.msc) and select
Performance > Monitoring Tools > Performance Monitor
and click the green + and add ICMP, Network Adapter and Network Interface. Perhaps you might find relevant info under System Diagnostics > Reports.

As well, IMHO, any functionality above and beyond the “Send GlassWire Alerts to Windows Event Log” would otherwise add bloat to GW’s core mission to monitor, alert (real-time and historical) and simplify some of Defender’s Firewall operations.

That said, this forum is an unlikely venue in resolving such a perplexing issue, especially without an audit of your system, networking hardware and connectivity.

I suggest tenforums dot com.

Good luck.

Glasswire reported the 500+, I noticed only about 1/3 of those. AND, I think I have located the culprit - My AppleTV box (not an Apple TV?). It was using a lot of bandwidth. Why that didn’t just slow everything down instead of “connection was lost” is TBD. For now I am happy to have 161hrs 26min without an Internet loss.
I think you made a false assumption about Event Log Explorer for not being familiar with it - it seems to do everything that Win 10 Event Viewer does with a slightly better UI.
Something I would find helpful is an explanation of what the significance of each and every “event” posted is. I have found a few sites that seem to want to do that but are thinly populated. Seems like that is another feature that has turned into a rabbit hole.
Totally agree that GW should not be loaded down with real time diagnostics even the posting to to event logs is not needed as real time - a database post processor that allowed getting rid of alerts that I wish I had never requested or a printable or cvs readout that could be further scrutinized would have more readily made me realize that the GW information on my laptop was not relevant to the issue affecting my network.
Sorry if I gave the impression that I was looking for advise in diagnosing my problem; I only thought that it would be nice to have some way of (probably) post processing of the database to massage it into more useful information.
I like what GW does. If I could afford to plug it directly into my (microwave) modem I may have learned something - probably not that the AppleTV box was the problem (because if I cut the connection at the modem, the AppleTV would not have been a part of my network) - even my ISP could not have known that from their perspective until I met an aide that could tell me that I was drawing a lot more bandwidth than I had paid for and was willing to hang in there while I disconnected nodes to find the bandwidth hog.
It has been a lot of techy years since I played with bigger problems than email and I recall that there was an acronym ICMP that may have given me more network wide information (instead of just my laptop node) but, hey, I have only 9 nodes and it was pretty easy to just unplug each one while the ISP monitored my bandwidth usage.
So far I have high hopes that my internet connection is more stable and that I have learned a lot more about Glasswire and Win 10 events on my computer AND that they have little usefulness in examining my network nodes that are not able to run GW or collect Win 10 events.
Tenforums looks interesting. I’ll look closer.

Thanks for your input.