Solved

Event viewer filter

Posted on 2014-02-03
11
876 Views
Last Modified: 2014-02-20
I would like to filter Windows event viewer logs for a specific word. I understand how to filter and create a custom view for errors etc. but this is for a specific word. It's 2008R2
0
Question by:Sid_F
11 Comments
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39829037
Below link will help you to create and save a filter with a specific word.
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39829049
Yes, I have seen this link but it's not quite clear what I need to do to search by the keyword.

When I go to xml in filter current log, the log I want to search in is system and the word I want to search for is Winforce. Hopefully someone can tell me what I need to edit below or anything else I need to add. Thanks.


<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
  </Query>
</QueryList>
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39829110
<QueryList>
  <Query Id="0">
    <Select Path="System">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>


0
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39829161
<QueryList>
  <Query Id="0">
    <Select Path="System">*[EventData[Data and (Data='Winforce')]]</Select>
  </Query>
</QueryList>


The line you have to edit is given below (the value must be in single quotes, otherwise the XPath compares Data with an element named Winforce instead of the text Winforce):

<Select Path="System">*[EventData[Data and (Data='Winforce')]]</Select>

You can edit as per your requirement.
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39829173
It returned no results. Just to clarify, the word winforce is in the general description details for these events. Winforce is a service and in the description tab it displays "the winforce service has entered the stopped state".
What I want to do is list all the events where this has occurred. I have copied the exact command above but, as mentioned, there are no results.
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39829209
My Example:

Broader Filtering:

Say you wanted to filter on events involving windforce but were unsure if it would be in SubjectUserName, TargetUserName, or somewhere else. You don’t need to specify the specific name that the data can be in, but just search that some data in <EventData> contains Windforce.
0
 
LVL 4

Expert Comment

by:michaelalphi
ID: 39832058
Check this link in order to filter Windows event viewer logs for a specific word: http://technet.microsoft.com/en-us/magazine/dd630944.aspx .
Though, this manual process is a bit complicated and does not ensure the filter option for a specific word. However, you can have a look at an automated solution which can define and filter with the option to filter by a specific word or whatever your requirement is. Check this link: http://www.windowseventlogmonitor.com/
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39832601
The first link highlights creating a custom log which does not detail by keyword so does not apply. I want to avoid any third party products. It's surprising this seems so difficult to do : )
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39864468
<QueryList>
  <Query Id="0">
    <Select Path="System">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

You must change "System" to the event log you want to filter (Application/System/Security); it is not possible to use the same filter for all logs!

Event Viewer MAY add a second line in the beginning; you also have to change the log name there!

Example:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

I used this myself now and it works.
0
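The same XPath filter the thread converged on can be run from PowerShell with Get-WinEvent instead of being pasted into the Event Viewer dialog, which makes it easy to see why an exact Data match can return nothing while the word is plainly visible in the description. The following is an added example, not code from any participant in the thread; it assumes the service's display name is exactly `Winforce` (a placeholder to replace with the name shown in the event) and an elevated PowerShell session on the 2008 R2 host.

```powershell
# Added example (not from the thread): run the thread's XML filter via Get-WinEvent,
# then fall back to a substring search of the rendered description.
# Assumption: $ServiceName is the exact display name used in the event's <Data> element.
$ServiceName = 'Winforce'   # placeholder, use the name exactly as the event shows it

# The thread's XPath. Data='...' is an exact, case-sensitive comparison against the
# text of one <Data> element; it is NOT a substring match on the description, so a
# name such as 'Winforce Service' or a typo yields zero events.
[xml]$FilterXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[EventData[Data and (Data='$ServiceName')]]</Select>
  </Query>
</QueryList>
"@

# Get-WinEvent raises a non-terminating "No events were found" error when the
# query matches nothing, hence SilentlyContinue.
$exact = @(Get-WinEvent -FilterXml $FilterXml -ErrorAction SilentlyContinue)
"{0} System events with a <Data> element equal to '{1}'" -f $exact.Count, $ServiceName

# Fallback: Get-WinEvent formats the description into .Message, so -like finds the
# word anywhere in the text. Slower, because every System event is read and rendered.
$byMessage = @(Get-WinEvent -LogName System -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ServiceName*" })
"{0} System events whose description mentions '{1}'" -f $byMessage.Count, $ServiceName

$byMessage | Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap
```

If the first count is zero and the second is not, open one of the listed events on the Details tab (XML view) and read the actual `<Data>` values: the XPath must quote the value exactly as it appears there, and the `Path` attribute must name the log the event lives in, as the thread points out. The message-based fallback is fine for a one-off search but is too expensive for a saved custom view; once the exact Data value is known, the XPath form is the one to keep.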
 
LVL 11

Accepted Solution

by:
Pradeep Dubey earned 500 total points
ID: 39864545
You can use a small piece of software and view things as you need...

It's free and useful.

http://www.nirsoft.net/utils/my_event_viewer.html
0
 
LVL 6

Author Closing Comment

by:Sid_F
ID: 39872684
This software did the job thanks.
0
