Solved

Event viewer filter

Posted on 2014-02-03
11
911 Views
Last Modified: 2014-02-20
I would like to filter Windows Event Viewer logs for a specific word. I understand how to filter and create a custom view for errors etc., but this is for a specific word. It's 2008R2.
0
Comment
Question by:Sid_F
11 Comments
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39829037
The link below will help you create and save a filter with a specific word.
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39829049
Yes, I have seen this link, but it's not quite clear what I need to do to search by the keyword.

When I go to XML in Filter Current Log, the log I want to search in is System and the word I want to search for is Winforce. Hopefully someone can tell me what I need to edit below, or anything else I need to add. Thanks.


<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
  </Query>
</QueryList>
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39829110
<QueryList>
  <Query Id="0">
    <Select Path="System">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

0

 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39829161
<QueryList>
  <Query Id="0">
    <!-- the value must be quoted: Data=Winforce (unquoted) is not valid XPath and matches nothing -->
    <Select Path="System">*[EventData[Data and (Data='Winforce')]]</Select>
  </Query>
</QueryList>


The line you have to edit is given below

<Select Path="System">*[EventData[Data and (Data='Winforce')]]</Select>

You can edit as per your requirement.
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39829173
It returned no results. Just to clarify, the word winforce is in the general description details for these events. Winforce is a service, and in the description tab it displays "the winforce service has entered the stopped state".
What I want to do is list all the events where this has occurred. I have copied the exact command above, but as mentioned there are no results.
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39829209
My Example:

Broader Filtering:

Say you wanted to filter on events involving windforce but were unsure if it would be in SubjectUserName, TargetUserName, or somewhere else. You don't need to specify the specific name that the data can be in; just search that some data in <EventData> contains Windforce.
0
 
LVL 4

Expert Comment

by:michaelalphi
ID: 39832058
Check this link in order to filter Windows Event Viewer logs for a specific word: http://technet.microsoft.com/en-us/magazine/dd630944.aspx .
Though, this manual process is a bit complicated and does not ensure the filter option for a specific word. However, you can have a look at an automated solution which defines and filters with the option to filter by a specific word or whatever depends upon your requirement. Check this link: http://www.windowseventlogmonitor.com/
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39832601
The first link highlights creating a custom log, which does not detail filtering by keyword, so it does not apply. I want to avoid any third-party products. It's surprising this seems so difficult to do : )
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39864468
<QueryList>
  <Query Id="0">
    <Select Path="System">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

You must change "System" to the event log you want to filter (Application/System/Security); it is not possible to use the same filter for all logs!

Event Viewer MAY add a second line at the beginning; you also have to change the log name there!

Example:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

I used this myself now and it works.
0
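The same filter the thread settles on, driven from PowerShell instead of the Event Viewer dialog. This is an added example and not code from any participant; the log name 'System' and the service name 'Winforce' are taken from the question, and the substring fallback is an assumption for the case where the service name is only part of a Data field (the event-log XPath subset has no contains(), so that match has to be done on the rendered message).

```powershell
# Added example (not from the thread). Assumes log 'System' and keyword 'Winforce' from the question.
param(
    [string]$LogName = 'System',
    [string]$Keyword = 'Winforce'
)

# 1) Exact match on any <Data> element: identical to the Event Viewer XML filter.
#    The single quotes around the value are required; Data=Winforce (unquoted) is not valid XPath.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[EventData[Data and (Data='$Keyword')]]</Select>
  </Query>
</QueryList>
"@

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it so an empty
# result is reported as a count of 0 rather than as an error.
$exact = @(Get-WinEvent -FilterXml ([xml]$filterXml) -ErrorAction SilentlyContinue)

# 2) Broader match: no contains() in the event-log XPath subset, so the substring check runs
#    client-side on the rendered message. Restricting by log name first keeps the pull small.
#    -like is case-insensitive, so 'winforce' in the description also matches.
$broad = @(Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Keyword*" })

"Exact Data='$Keyword' matches in $LogName : $($exact.Count)"
"Message contains '$Keyword' in $LogName : $($broad.Count)"

# Show the first line of each description (the 'service entered the stopped state' text), newest first.
$broad |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

If the exact count is 0 while the substring count is not, the service name is embedded in a longer Data value, which is exactly the case the thread's unquoted and quoted filters both fail to find.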
 
LVL 11

Accepted Solution

by:
Pradeep Dubey earned 500 total points
ID: 39864545
You can use a small piece of software and view things as you need...

It's free and useful.

http://www.nirsoft.net/utils/my_event_viewer.html
0
 
LVL 6

Author Closing Comment

by:Sid_F
ID: 39872684
This software did the job thanks.
0
