Solved

Event viewer filter

Posted on 2014-02-03 · 700 Views · Last Modified: 2014-02-20
I would like to filter Windows Event Viewer logs for a specific word. I understand how to filter and create a custom view for errors etc., but this is for a specific word. It's 2008 R2.
Question by:Sid_F
11 Comments
Expert Comment by: Pradeep Dubey (ID: 39829037)
Below link will help you to create and save a filter with a specific word.
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx

Author Comment by: Sid_F (ID: 39829049)
Yes, I have seen this link, but it's not quite clear what I need to do to search by the keyword.

When I go to XML in "Filter Current Log", the log I want to search in is System and the word I want to search for is Winforce. Hopefully someone can tell me what I need to edit below or anything else I need to add. Thanks.


<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
  </Query>
</QueryList>

Expert Comment by: Felix Leven (ID: 39829110)
<QueryList>
  <Query Id="0">
    <Select Path="System">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

Expert Comment by: Pradeep Dubey (ID: 39829161)
<QueryList>
  <Query Id="0">
    <!-- the string literal must be quoted; an unquoted Winforce is read as an element name and never matches -->
    <Select Path="System">*[EventData[Data and (Data='Winforce')]]</Select>
  </Query>
</QueryList>

The line you have to edit is given below:

<Select Path="System">*[EventData[Data and (Data='Winforce')]]</Select>

You can edit it as per your requirement.

Author Comment by: Sid_F (ID: 39829173)
It returned no results. Just to clarify, the word Winforce is in the general description details for these events. Winforce is a service, and in the description tab it displays "the Winforce service has entered the stopped state".
What I want to do is list all the events where this has occurred. I have copied the exact command above, but as mentioned there are no results.

Expert Comment by: Felix Leven (ID: 39829209)
My Example:

Broader Filtering:

Say you wanted to filter on events involving windforce but were unsure if it would be in SubjectUserName, TargetUserName, or somewhere else. You don’t need to specify the specific name that the data can be in, but just search that some data in <EventData> contains Windforce.

Expert Comment by: michaelalphi (ID: 39832058)
Check this link in order to filter Windows Event Viewer logs for a specific word: http://technet.microsoft.com/en-us/magazine/dd630944.aspx
Though this manual process is a bit complicated and does not ensure a filter option for a specific word. However, you can have a look at an automated solution which lets you define and filter with the option to filter by a specific word or whatever your requirement is. Check this link: http://www.windowseventlogmonitor.com/

Author Comment by: Sid_F (ID: 39832601)
The first link highlights creating a custom log which does not detail by keyword so does not apply. I want to avoid any third party products. It's surprising this seems so difficult to do : )

Expert Comment by: Felix Leven (ID: 39864468)
<QueryList>
  <Query Id="0">
    <Select Path="System">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

You must change "System" to the event log you want to filter (Application/System/Security); it is not possible to use the same filter for all logs!

Event Viewer MAY add a second line at the beginning; you also have to change the log name there!

Example:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>

I used this myself now and it works.

Accepted Solution by: Pradeep Dubey (earned 500 total points, ID: 39864545)
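Added example, not from the thread or any of its posters: a PowerShell session that first runs the thread's XPath against the System log, then does the substring search the question actually asks for. The Event Viewer XPath subset compares strings exactly and case-sensitively and has no contains(), so a Data element holding "Winforce Service" never matches Data='Winforce'; the reliable way to search the "General" description text is to render the message and match on it client-side. Assumptions: Windows Server 2008 R2 or later with Get-WinEvent available, an elevated prompt so the log is readable, and that "Winforce" is the service display name; event ID 7036 from the "Service Control Manager" provider is the standard service state-change event, and the variable names are mine.

```powershell
# Added example (not the thread's own code). Run from an elevated PowerShell prompt.
$Log  = 'System'
$Word = 'Winforce'   # assumed service display name; substitute your own

# 1. Server-side XPath filter, identical to the thread's Event Viewer XML.
#    Exact, case-sensitive comparison: hits only when some Data element
#    is precisely 'Winforce', not 'Winforce Service'.
$xpath = "*[EventData[Data and (Data='$Word')]]"
$exact = @(Get-WinEvent -LogName $Log -FilterXPath $xpath -ErrorAction SilentlyContinue)

# 2. Substring search over the rendered message (the "General" tab text).
#    Narrow on the server to SCM service state-change events (ID 7036),
#    then match the word client-side; -match is case-insensitive, and the
#    word is regex-escaped so characters like '.' or '(' are taken literally.
$pattern = [regex]::Escape($Word)
$filter  = @{ LogName = $Log; ProviderName = 'Service Control Manager'; Id = 7036 }
$byText  = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match $pattern })

# 3. Same search over every event in the log when the event ID is unknown.
#    Slower, because each event's message must be rendered, but it finds
#    the word wherever the provider put it.
$anywhere = @(Get-WinEvent -LogName $Log -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match $pattern })

"Exact XPath match      : $($exact.Count)"
"SCM 7036 with the word : $($byText.Count)"
"Any event with the word: $($anywhere.Count)"

# For 7036 the two EventData fields are param1 (service display name)
# and param2 (state), so they can be pulled out without parsing the text.
$byText | Select-Object TimeCreated, Id,
    @{ n = 'Service'; e = { $_.Properties[0].Value } },
    @{ n = 'State';   e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

Section 1 usually prints 0 for exactly the reason the thread ran into: the display name in the event is longer than the bare word. Section 2 is the one to keep; swap the ProviderName/Id pair for another provider when the word lives in a different event, or drop both and use section 3 at the cost of rendering the whole log.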
You can use a small software and view things as you need...

It's free and useful.

http://www.nirsoft.net/utils/my_event_viewer.html

Author Closing Comment by: Sid_F (ID: 39872684)
This software did the job thanks.