I've been trying to find a way to filter the Event Viewer in Windows by the description instead of the event type/source etc. I figure that I need to use the XML tab to customise it as there is no option in the basic filtering for what I want.

One reason why I want to do this is to find when a service was started. The system logs show when services stop and start but they all have the same event ID, Event Type and Source.

The "description" I'm referring to is the text you see in the "General" tab. It would read something like:

The [service name] service entered the stopped state.

I'm looking to just search the event viewer for the service name. I've looked online for tips on how to do this using the XML tab in the filter but I can only find information on how to filter it by the basic options using the XML tab, which seems pointless when I can just tick the box in the filter tab anyway.

Not sure what issue you are seeing... In 2008 and 2013 servers, I can use the FILTER option off the context or main menu and enter any text, including text in the description. I do this all the time to find user failed logon attempts... I just enter the user ID that I would find in the description.

Is that not what you want?

That does sound like what I want but which box do you put it in?

Edit: I should clarify that the only boxes which I can see which can be typed in are User, Computer and EventID.

You can achieve what you want with an XML filter. See Consuming Events on MSDN for more help.

The way I normally approach this is to find an occurrence of the event I want to filter, check the XML tab to discover its structure, then create an XML filter and save it as a custom view.

For example, if we look at the SSDPSRV service starting we might see something like:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Service Control Manager" EventSourceName="Service Control Manager" />
        <EventID Qualifiers="16384">7036</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-27T13:39:26.0Z" />
        <EventRecordID>469477</EventRecordID>
        <Correlation />
        <Execution ProcessID="42" ThreadID="42" />
        <Channel>System</Channel>
        <Computer>CosmicRay</Computer>
        <Security />
    </System>
    <EventData>
        <Data Name="param1">SSDP Discovery</Data>
        <Data Name="param2">running</Data>
    </EventData>
</Event>

We see the information we need is in the first two Data items of EventData, 'SSDP Discovery' and 'running', so our query might look like:

<QueryList>
    <Query Id="0" Path="System">
        <Select Path="System">*[EventData[Data[1]='SSDP Discovery' and Data[2]='running']]</Select>
    </Query>
</QueryList>

I'm not really too familiar with the flavor of XPath that Microsoft uses here. If anyone knows of a better or less error prone way of creating filters, please please do let me know.

That has done just what I need. Thank you. I wanted all instances so I removed "and Data[2]='running'" and just replaced SSDP Discovery with the service I was looking for.

This post helped me a lot. For anyone else interested in filtering for a service 'running' and 'stopped' in the same custom view, I have created the following XML, just tweaking DistantGalaxy's filter a bit:

<QueryList>
    <Query Id="0" Path="System">
        <Select Path="System">*[EventData[Data[1]='SSDP Discovery' and (Data[2]='stopped' or Data[2]='running')]]</Select>
    </Query>
</QueryList>
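
The same filter run from PowerShell to produce a start/stop timeline for one service, as an added example that is not part of the original thread. It matches the Data items by their Name attribute (param1, param2, as shown in the event XML above) instead of by position and also pins the provider and event ID; the parameter names are hypothetical and 'SSDP Discovery' is the sample service from the posts.

```powershell
# Added example (not from the thread): service state-change timeline from the System log.
# Parameter names are hypothetical; 'SSDP Discovery' is the sample service used above.
param(
    [string]   $ServiceDisplayName = 'SSDP Discovery',
    [string[]] $States             = @('running', 'stopped'),
    [int]      $MaxEvents          = 200
)

# XPath 1.0 string literals cannot escape quotes, so refuse values that would
# break out of the single-quoted literal instead of building a malformed query.
foreach ($value in @($ServiceDisplayName) + $States) {
    if ($value -match "'") {
        throw "Value contains a single quote and cannot be used in the filter: $value"
    }
}

# Select by Data Name rather than by position, and restrict to the provider
# and event ID seen in the sample event (Service Control Manager, 7036).
$stateTest = ($States | ForEach-Object { "Data[@Name='param2']='$_'" }) -join ' or '
$xpath = "*[System[Provider[@Name='Service Control Manager'] and (EventID=7036)]] " +
         "and *[EventData[Data[@Name='param1']='$ServiceDisplayName' and ($stateTest)]]"

try {
    $events = Get-WinEvent -LogName System -FilterXPath $xpath `
                           -MaxEvents $MaxEvents -ErrorAction Stop
}
catch {
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# Get-WinEvent returns newest first; sort ascending to read it as a timeline.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated,
                  @{ Name = 'Service'; Expression = { $_.Properties[0].Value } },
                  @{ Name = 'State';   Expression = { $_.Properties[1].Value } },
                  RecordId
```

The string in `$xpath` can also be pasted between the `<Select Path="System">` tags of a custom view in Event Viewer.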
