Solved

Event viewer filter

Posted on 2014-02-03
11
762 Views
Last Modified: 2014-02-20
I would like to filter Windows Event Viewer logs for a specific word. I understand how to filter and create a custom view for errors etc., but this is for a specific word. It's 2008 R2.
0
Comment
Question by:Sid_F
11 Comments
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39829037
Below link will help you to create and save a filter with a specific word.
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39829049
Yes, I have seen this link, but it's not quite clear what I need to do to search by the keyword.

When I go to XML in "Filter Current Log", the log I want to search in is System and the word I want to search for is Winforce. Hopefully someone can tell me what I need to edit below or anything else I need to add. Thanks.


<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
  </Query>
</QueryList>
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39829110
<QueryList>
  <Query Id="0">
    <Select Path="System">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

0
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39829161
<QueryList>
  <Query Id="0">
    <Select Path="System">*[EventData[Data and (Data=Winforce)]]</Select>
  </Query>
</QueryList>


The line you have to edit is given below

<Select Path="System">*[EventData[Data and (Data=Winforce)]]

You can edit as per your requirement.
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39829173
It returned no results. Just to clarify, the word Winforce is in the general description details for these events. Winforce is a service, and in the description tab it displays "the Winforce service has entered the stopped state".
What I want to do is list all the events where this has occurred. I have copied the exact command above, but as mentioned there are no results.
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39829209
My Example:

Broader Filtering:

Say you wanted to filter on events involving Windforce but were unsure if it would be in SubjectUserName, TargetUserName, or somewhere else. You don't need to specify the specific name that the data can be in, but just search that some data in <EventData> contains Windforce.
0
 
LVL 4

Expert Comment

by:michaelalphi
ID: 39832058
Check this link in order to filter Windows Event Viewer logs for a specific word: http://technet.microsoft.com/en-us/magazine/dd630944.aspx
Though, this manual process is a bit complicated and does not ensure the filter option for a specific word. However, you can have a look at an automated solution which defines and filters with the option to filter by a specific word or whatever depends upon your requirement. Check this link: http://www.windowseventlogmonitor.com/
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39832601
The first link highlights creating a custom log, which does not detail filtering by keyword, so it does not apply. I want to avoid any third-party products. It's surprising this seems so difficult to do : )
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39864468
<QueryList>
  <Query Id="0">
    <Select Path="System">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

You must change "System" to the event log you want to filter (Application/System/Security); it is not possible to use the same filter for all logs!

Event Viewer MAY add a second line at the beginning; you also have to change the log name there!

Example:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

I used this myself now and it works.
0
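As an added example that is not part of the thread: the same XML filter run from PowerShell on the poster's Windows Server 2008 R2, plus the substring search the poster actually wants, since the word sits in the rendered description rather than necessarily being the whole value of a Data element. The event-log XPath subset used by Event Viewer and Get-WinEvent supports equality on Data but has no contains(), so free-text matching has to be done client-side on the Message text. The service name "Winforce", the Service Control Manager event ID 7036 and its param1/param2 field layout are assumptions for illustration, not details from the thread.

```powershell
# Added example, not from the thread. Finds System-log events that mention a
# service called "Winforce" (assumed name from the question; substitute your own).
# Runs on Windows Server 2008 R2 (PowerShell 2.0) and later.
$ServiceName = 'Winforce'
$LogName     = 'System'

# 1. Exact match on a Data value. This is the same XML that Event Viewer accepts
#    under Filter Current Log -> XML -> "Edit query manually". The value must be
#    quoted: Data=Winforce (no quotes) compares against a child *element* named
#    Winforce, which never exists, so the filter silently returns nothing.
$exactQuery = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[EventData[Data and (Data='$ServiceName')]]
    </Select>
  </Query>
</QueryList>
"@
$exactHits = @(Get-WinEvent -FilterXml $exactQuery -ErrorAction SilentlyContinue)
Write-Output "Events with a Data value equal to '$ServiceName': $($exactHits.Count)"

# 2. Substring match on the rendered description. The event-log XPath subset has
#    no contains(), so narrow server-side with a hashtable filter on the
#    Service Control Manager "entered the ... state" event (ID 7036, assumed) and
#    finish client-side with -like on the Message text.
$scmHits = Get-WinEvent -FilterHashtable @{
    LogName      = $LogName
    ProviderName = 'Service Control Manager'
    Id           = 7036
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ServiceName*" }

# For 7036 the first two EventData fields are the service name and its new state
# (param1/param2, assumed layout), so they can be reported as columns.
$scmHits |
    Select-Object TimeCreated, Id,
        @{ Name = 'Service'; Expression = { $_.Properties[0].Value } },
        @{ Name = 'State';   Expression = { $_.Properties[1].Value } } |
    Format-Table -AutoSize

# 3. Fallback that assumes no provider or ID: scan every event in the log for
#    the word. Slow on a large log, but it is the literal "filter for a specific
#    word" the question asks for, with no third-party tool.
$anyHits = Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ServiceName*" }
Write-Output "Events whose description contains '$ServiceName': $(@($anyHits).Count)"
```

Step 1 is what to paste into Event Viewer's XML tab when the service name is the complete value of a Data element; step 2 is the better choice for "service entered the stopped state" monitoring because it filters on the provider and ID server-side before touching the message text; step 3 is the catch-all when you do not know which provider or event ID carries the word.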
 
LVL 11

Accepted Solution

by:
Pradeep Dubey earned 500 total points
ID: 39864545
You can use a small piece of software and view things as you need...

It's free and useful.

http://www.nirsoft.net/utils/my_event_viewer.html
0
 
LVL 6

Author Closing Comment

by:Sid_F
ID: 39872684
This software did the job thanks.
0
