Solved

Filtering Windows event log for text in Data field

Posted on 2014-09-26
Last Modified: 2015-05-29
In a Windows event log (Win 8.1), I want to filter a log file for a substring in the Data field. What's the easiest way to do this (preferably in the Event Viewer with a custom view)?
Question by:BlearyEye
7 Comments
 

Expert Comment

by:Psymonious
ID: 40345839
You could try to achieve this with XML filters.

Advanced XML filtering in the Windows Event Viewer
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx

If you're familiar with PowerShell, you can also try it that way.

Get-Event
http://technet.microsoft.com/en-us/library/hh849909.aspx
 

Author Comment

by:BlearyEye
ID: 40345863
I saw the first link when I was poking around. But I don't see how to filter Data for a substring.

I've used PowerShell enough to be somewhat dangerous, but I don't know how to do the query I'm looking for.
 

Expert Comment

by:Psymonious
ID: 40346026
I'm sorry, I was wrong with "Get-Event"... it should have been "Get-EventLog".

Get-EventLog
http://technet.microsoft.com/en-us/library/hh849834.aspx

Sadly I couldn't get a substring to work with the XML filter, but maybe the PowerShell way will work.

I have an Event with the word "NtpClient" in the Message field.

I used the following command to query ("Ntp" as a substring of NtpClient) from the System EventLog.
------------------------------
> Get-EventLog -LogName System -Message "*Ntp*"
------------------------------

Does that help you in any way?

If that is not what you were looking for, then please be more specific about what you would like to achieve.
 

Author Comment

by:BlearyEye
ID: 40352119
Sorry for the delay. The PS command helps. It truncates the message however, and only displays a limited number of columns. Any idea how to get everything?
 

Assisted Solution

by:Psymonious
Psymonious earned 2000 total points
ID: 40356772
I hadn't much time to go deeper, but this could help to get full information.
------------------------------
Get-EventLog -LogName System -Message "*Ntp*" | Format-List *
------------------------------
 

Accepted Solution

by:BlearyEye
ID: 40356986
Yes, that does get the whole Data element, including newlines. (Oddly, Get-EventLog renames the elements so that Data becomes Message, EventRecordID becomes Index, ...)

The format isn't very readable, however. I'd like to be able to output it as a file to view in Excel. Outputting to CSV is tricky since the message data sometimes has newlines, and outputting to XLS also seems difficult.

After some playing around, here's what seems to do the job for me:
Get-EventLog -LogName thelogname | select TimeGenerated, Index, EventId, Category, MachineName, EntryType, Message  | Out-GridView


GridView is limited but may be enough. It shows newlines fine. I can pre-select events of interest in Get-EventLog and further filter & sort in GridView.
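The two answers above (wildcard match on the message text, then select the useful columns and keep the full multi-line message) combined into one reusable command. This is an added example, not code from the thread; the log name, wildcard pattern and output path are placeholders. Export-Csv quotes any field containing a newline, so the message arrives in Excel as a single cell.

```powershell
# Added example, not from the thread. Uses the classic Get-EventLog cmdlet
# as the answers above do; LogName, Pattern and Path are placeholders.
function Export-FilteredEventLog {
    param(
        [Parameter(Mandatory)][string]$LogName,      # e.g. 'System'
        [Parameter(Mandatory)][string]$Pattern,      # wildcard, e.g. '*Ntp*'
        [Parameter(Mandatory)][string]$Path,         # e.g. "$env:TEMP\events.csv"
        [datetime]$After = (Get-Date).AddDays(-7),   # time window: last 7 days by default
        [int]$Newest = 1000                          # cap the result size
    )

    # -Message does a wildcard match on the full message text (the Data
    # element in the XML view), so a substring needs * on both sides.
    $events = Get-EventLog -LogName $LogName -Message $Pattern -After $After -Newest $Newest

    $rows = $events | Select-Object TimeGenerated, Index, EventID, Category,
        MachineName, EntryType, Source, Message

    # Export-Csv wraps fields that contain newlines or commas in quotes, so
    # the multi-line Message survives as one cell when opened in Excel.
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8

    # Return the rows so the caller can also pipe them to Out-GridView.
    return $rows
}

# Usage (constructed): export System events mentioning "Ntp" from the past week.
$hits = Export-FilteredEventLog -LogName System -Pattern '*Ntp*' -Path "$env:TEMP\ntp-events.csv"
"{0} matching events written" -f @($hits).Count
$hits | Out-GridView -Title 'Filtered events'
```

For the newer Applications and Services logs that Get-EventLog cannot read, Get-WinEvent -FilterHashtable followed by Where-Object on the Message property gives the same result.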
 

Author Closing Comment

by:BlearyEye
ID: 40802072
I came up with the final answer, with help from others.
