Solved

Event viewer filter

Posted on 2014-02-03
11
730 Views
Last Modified: 2014-02-20
I would like to filter Windows Event Viewer logs for a specific word. I understand how to filter and create a custom view for errors etc., but this is for a specific word. It's 2008 R2.
0
Comment
Question by:Sid_F
11 Comments
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39829037
Below link will help you to create and save a filter with a specific word.
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39829049
Yes, I have seen this link, but it's not quite clear what I need to do to search by the keyword.

When I go to xml in filter current log, the log I want to search in is system and the word I want to search for is Winforce. Hopefully someone can tell me what I need to edit below or anything else I need to add. Thanks.


<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
  </Query>
</QueryList>
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39829110
<QueryList>
  <Query Id="0">
    <Select Path="System">
      *[EventData[Data and (Data='Winforce')]]
    </Select>
  </Query>
</QueryList>


0
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39829161
<QueryList>
  <Query Id="0">
    <Select Path="System">*[EventData[Data and (Data='Winforce')]]</Select>
  </Query>
</QueryList>


The line you have to edit is given below (the string value must be quoted, otherwise XPath reads Winforce as an element name rather than a value):

<Select Path="System">*[EventData[Data and (Data='Winforce')]]</Select>

You can edit as per your requirement.
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39829173
It returned no results. Just to clarify, the word Winforce is in the general description details for these events. Winforce is a service, and in the description tab it displays "the Winforce service has entered the stopped state."
What I want to do is list all the events where this has occurred. I have copied the exact command above, but as mentioned there are no results.
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39829209
My Example:

Broader Filtering:

Say you wanted to filter on events involving Winforce but were unsure if it would be in SubjectUserName, TargetUserName, or somewhere else. You don't need to specify the specific name that the data can be in, but just search that some data in <EventData> contains Winforce.
0
 
LVL 4

Expert Comment

by:michaelalphi
ID: 39832058
Check this link in order to filter Windows Event Viewer logs for a specific word: http://technet.microsoft.com/en-us/magazine/dd630944.aspx .
Though this manual process is a bit complicated and does not guarantee a filter option for a specific word. However, you can have a look at an automated solution which can define and filter with the option to filter by a specific word or whatever your requirement is. Check this link: http://www.windowseventlogmonitor.com/
0
 
LVL 6

Author Comment

by:Sid_F
ID: 39832601
The first link highlights creating a custom log which does not detail by keyword so does not apply. I want to avoid any third party products. It's surprising this seems so difficult to do : )
0
 
LVL 13

Expert Comment

by:Felix Leven
ID: 39864468
<QueryList>
           <Query Id="0">
              <Select Path="System">
                 *[EventData[Data and (Data='Winforce')]]
              </Select>
           </Query>
      </QueryList>

You must change "System" to the event log you want to filter (Application/System/Security); it is not possible to use the same filter for all logs!

Event Viewer MAY add a second line at the beginning; you also have to change the log name there!

Example:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
*[EventData[Data and (Data='Winforce')]]
</Select>
  </Query>
</QueryList>

I used this myself now and it works.
0
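An added example, not code from any poster in this thread, that shows the two practical ways to do what the question asks on 2008 R2 without third-party tools. The posted filter `*[EventData[Data and (Data='Winforce')]]` only matches when some `Data` element equals the string exactly, and the "entered the stopped state" text is Service Control Manager event 7036, which stores the service display name in `Data[@Name='param1']` and the state in `Data[@Name='param2']`. Filtering on those named fields is precise and also works unchanged as a Custom View. For a genuine "any event mentioning this word" search, the event log's XPath subset has no `contains()` or `starts-with()`, so the word match has to happen on the rendered message in PowerShell. The service display name `Winforce` and the state value `stopped` are assumptions; check one real 7036 event (Details > XML View) and adjust them.

```powershell
# Added example: filter the System log for "service entered the stopped state"
# events for one service, first with a structured XPath, then with a free-text
# fallback. Assumed values: display name 'Winforce', state 'stopped'.

$log         = 'System'
$serviceName = 'Winforce'   # assumption: exact display name shown in the 7036 event
$state       = 'stopped'    # assumption: param2 value as written in the event

# 1) Structured filter. Event 7036 from Service Control Manager has
#    EventData/Data[@Name='param1'] = service display name and
#    EventData/Data[@Name='param2'] = new state. Exact, named matches only.
$xpath = "*[System[Provider[@Name='Service Control Manager'] and (EventID=7036)] " +
         "and EventData[Data[@Name='param1']='$serviceName' and Data[@Name='param2']='$state']]"

$structured = Get-WinEvent -LogName $log -FilterXPath $xpath -ErrorAction SilentlyContinue
$structured | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize

# 2) Free-text fallback. The event log XPath dialect cannot do substring matches,
#    so narrow server-side (log + provider) and match the word client-side.
$freeText = Get-WinEvent -FilterHashtable @{ LogName = $log; ProviderName = 'Service Control Manager' } `
                         -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$serviceName*" }
$freeText | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize

# 3) The same structured query as Custom View XML. Paste it into
#    Event Viewer > Create Custom View > XML tab; the Path must name the log.
@"
<QueryList>
  <Query Id="0" Path="$log">
    <Select Path="$log">$xpath</Select>
  </Query>
</QueryList>
"@
```

If the structured query returns nothing, open one of the events in Event Viewer, switch Details to XML View, and compare the `param1` value with `$serviceName` character for character; display names often differ from the short service name (for example "Winforce Service" versus "Winforce"), and XPath `=` is an exact comparison.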
 
LVL 11

Accepted Solution

by: Pradeep Dubey (earned 500 total points)
ID: 39864545
You can use a small piece of software and view things as you need...

It's free and useful.

http://www.nirsoft.net/utils/my_event_viewer.html
0
 
LVL 6

Author Closing Comment

by:Sid_F
ID: 39872684
This software did the job thanks.
0
