Filter in the event viewer.

alpha45 · 11 Dec 2020

Hi,
is it possible to create a filter by manually editing the XML query in the event viewer and have the entered query remain stored in the log even if I close the event viewer?
Thanks

Try3 · 11 Dec 2020

You can export an Event viewer, Custom view as an xml then manually edit that xml and import the altered one. That will remain permanently.

When I have done this I have always avoided uncertainty by editing the Name field in the xml to give it a unique name so I do not get it mixed up with the original version. I do this even if I know I'm going to delete the original version.

I was not sure whether to reply or not because I have never seen Event viewer itself make the xml available for editing.
- I have always had to edit that outside of Event viewer.
- So I a bit concerned that I have misunderstood your question.

Denis

alpha45 · 11 Dec 2020

Sorry if I explained myself wrong, but I just wanted to filter the system log .. and that it remain stored
es:

Code:

<QueryList>  <Query Id="0" Path="System">
    <Select Path="System">*</Select>
    <Suppress Path="System">
      *[System[(EventID=10016)]]
      and
      *[EventData[
        (
          Data[@Name='param4'] and Data='{D63B10C5-BB46-4990-A94F-E40B9D520160}' and
          Data[@Name='param5'] and Data='{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}' and
          Data[@Name='param8'] and Data='S-1-5-18'
        )
        or
        ( Data[@Name='param4'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}' and
          Data[@Name='param5'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}'
        )
        or
        (
          Data[@Name='param4'] and Data='{C2F03A33-21F5-47FA-B4BB-156362A2F239}' and
          Data[@Name='param5'] and Data='{316CDED5-E4AE-4B15-9113-7055D84DCC97}' and
          Data[@Name='param8'] and Data='S-1-5-19'
        )
        or
        (
          Data[@Name='param4'] and Data='{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}' and
          Data[@Name='param5'] and Data='{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}' and
          Data[@Name='param8'] and Data='S-1-5-19'
        )
      ]]
    </Suppress>
  </Query>

</QueryList>

Thank you

Try3 · 11 Dec 2020

Event viewer lets you create a Custom view that can, if you wish, be your filtered version of the System log. That will remain stored.

I have never heard of anybody trying to alter the System log definition itself. I have no idea if it is possible.

Denis

alpha45 · 12 Dec 2020

This way it works for example, but if you close event viewer it doesn't keep the xml stored.

Try3 · 12 Dec 2020

So don't select Filter current log.
Select Create custom view instead. That creates a permanent filter.

Denis

alpha45 · 12 Dec 2020

Already proven, but not very practical.
Anyway thanks
Hello

Try3 · 12 Dec 2020

What is 'not very practical' about defining a Custom view?

Custom views are how Event viewer does precisely what you want it to do. The name 'Custom view' is misleading and I think they ought to be called 'Custom filters' because that is what they are.

Denis