Keywords: Query Specific Event Log Eventvwr.exe Filter
;***************************************************************************
;** Query for Specific Events in the Event Logs
;**
;** Purpose:   Query for Events
;** Inputs:    queryString - an Event Log XML query (assigned further down)
;** Outputs:   Results in a Reportview
;** Reference: http://msdn.microsoft.com/en-us/library/bb399427(v=vs.90).aspx
;** REQUIRES   WinBatch 2013A or newer
;**            .NET Framework: the script as written binds System.Core
;**            Version=4.0.0.0 (see ObjectClrOption below), i.e. a 4.x
;**            runtime. The Eventing.Reader types first shipped with
;**            .NET 3.5, so adjust the Version= string if 3.5 is the target
;**            - TODO confirm which runtime is actually required.
;** NOTE:      Reading the Security log normally needs an elevated process
;**            or membership in the 'Event Log Readers' group; running
;**            unprivileged typically yields an access-denied CLR exception.
;** Developer: Deana Falk 2013.05.08
;***************************************************************************

; Refuse to run on interpreters that predate the CLR hosting functions
; (ObjectClrOption / ObjectClrNew / ObjectClrType) used throughout this script.
minimumVersion = '2013A'
If Version( ) < minimumVersion
   Pause( 'Notice', 'Need 2013A or Newer Version of WinBatch' )
   Exit
EndIf

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; Load assemblies into the WinBatch process.
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; mscorlib is loaded automatically when WinBatch starts the CLR, so only
; System.Core (home of System.Diagnostics.Eventing.Reader) has to be requested.
; The strong name below pins the exact assembly that will be bound; on a
; typical machine it lives at:
;   C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
systemCoreAssembly = 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
ObjectClrOption( 'use', systemCoreAssembly )

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; Event Queries and Event XML
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; For more information about how to create an event query string, see
; "Event Queries and Event XML":
;   http://msdn.microsoft.com/en-us/library/bb399427(v=vs.90).aspx
;
; The easiest way to build a correct XML query is to let Event Viewer write it:
;   1. Open Eventvwr.exe
;   2. Under 'Actions', select 'Create Custom View'
;   3. Manually choose all of the Filter settings.
;   4. Select the XML tab
;   5. Copy and paste the query into your WinBatch script.
;
; Here are examples of simple custom filters for the new Window Event Log.
; Exactly one queryString assignment is live; the others are kept as templates.
;
; NOTE (security): every filter value below is a literal. If a value is ever
; spliced into the XPath from a variable (an account name or ID typed by an
; operator), the quote characters in that value must be escaped first - an
; unescaped quote either breaks the query or changes which events it matches.
;
;Select all events in the Application Event Log where Event Level is CRITICAL or ERROR in the last 30 days
;(timediff() works in milliseconds: 2592000000 ms = 30 days)
queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[(Level=1 or Level=2 ) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]</Select></Query></QueryList>`

;Select all events in the Application Event Log where the Provider is '.NET Runtime' and the Event Level is critical
;queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[Provider[@Name='.NET Runtime'] and (Level=1 )]]</Select></Query></QueryList>`

;Select all events in the Security Event Log where the account name involved (TargetUserName) is "JUser"
;queryString = `<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data[@Name="TargetUserName"]="JUser"]]</Select></Query></QueryList>`

;Select all events in the Security Event Log where any Data node of the EventData section is the string "JUser"
;queryString = `<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data="JUser"]]</Select></Query></QueryList>`

;Select all events in the Security Event Log where any Data node of the EventData section is "JUser" or "JDoe"
;queryString = `<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data="JUser" or Data="JDoe"]]</Select></Query></QueryList>`

;Select all events in the Security Event Log where any Data node of the EventData section is "JUser" and the Event ID is 4771
;(4771 is, on current Windows releases, the Kerberos pre-authentication failure audit - verify against your audit policy)
;queryString = `<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID="4771"]] and *[EventData[Data="JUser"]]</Select></Query></QueryList>`

;Real world example for a package called Goldmine which logs under two provider @Names
;queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[Provider[@Name='GoldMine' or @Name='GMService']]]</Select></Query></QueryList>`

;Select events from the Group Policy operational log whose Correlation ActivityID is '4000'.
;The <Select Path=...> attribute, not the <Query Path=...> attribute, decides which log is read.
;(ActivityID values are normally GUIDs, so '4000' is presumably a placeholder to replace.)
;queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System/Correlation/@ActivityID='4000']</Select></Query></QueryList>`

;Complicated Query: Application events of level <= 3 in the last 24 hours, excluding level 2,
;plus System events of level 1-3 in the same window. Built piecewise for readability.
;queryString = ''
;queryString = queryString : '<QueryList>'
;queryString = queryString : ' <Query Id="0" Path="Application">'
;queryString = queryString : ' <Select Path="Application">'
;queryString = queryString : ' *[System[(Level <= 3) and'
;queryString = queryString : ' TimeCreated[timediff(@SystemTime) <= 86400000]]]'
;queryString = queryString : ' </Select>'
;queryString = queryString : ' <Suppress Path="Application">'
;queryString = queryString : ' *[System[(Level = 2)]]'
;queryString = queryString : ' </Suppress>'
;queryString = queryString : ' <Select Path="System">'
;queryString = queryString : ' *[System[(Level=1 or Level=2 or Level=3) and'
;queryString = queryString : ' TimeCreated[timediff(@SystemTime) <= 86400000]]]'
;queryString = queryString : ' </Select>'
;queryString = queryString : ' </Query>'
;queryString = queryString : '</QueryList>'

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; Associate a Framework based type name with a value.
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; EventLogQuery expects a typed PathType enum member rather than a bare
; integer, so each member is wrapped with ObjectClrType. logname is consumed
; by the query below; filepth is provided for the alternative of reading an
; exported event log file instead of a live log.
pathTypeName = 'System.Diagnostics.Eventing.Reader.PathType'
pathTypeEnum = ObjectClrNew( pathTypeName )
logname = ObjectClrType( pathTypeName, pathTypeEnum.LogName )
filepth = ObjectClrType( pathTypeName, pathTypeEnum.FilePath )

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; Create a class implemented by a managed assembly.
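;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; EventLogQuery(path, pathType, query). 'Application' is the default log path;
; the Security examples above still work because a full <QueryList> document
; carries its own Path attributes - confirm against the EventLogQuery docs
; before relying on that for a new query.
oEventsQuery = ObjectClrNew( 'System.Diagnostics.Eventing.Reader.EventLogQuery','Application', logname, queryString)
oEventLogReader = ObjectClrNew( 'System.Diagnostics.Eventing.Reader.EventLogReader', oEventsQuery )

; Fixed-size result buffer: rows 0..MAX_RESULTS-1, columns Id / Provider / Description / Log.
MAX_RESULTS = 2048
arrEvents = ArrDimension( MAX_RESULTS, 4 )
truncated = @FALSE
i = 0
While @TRUE
   ; ReadEvent returns null once the query is exhausted; WinBatch surfaces that as "".
   eventInstance = oEventLogReader.ReadEvent()
   If eventInstance == "" Then Break
   ; Bound check: a broad query (e.g. all Security events for a user) can match
   ; far more than MAX_RESULTS records, and writing row MAX_RESULTS would raise
   ; an array out-of-bounds error. Stop reading and flag the truncation instead.
   If i >= MAX_RESULTS
      truncated = @TRUE
      Break
   EndIf
   arrEvents[i,0] = eventInstance.Id                  ; Event ID
   arrEvents[i,1] = eventInstance.ProviderName        ; Publisher
   arrEvents[i,2] = eventInstance.FormatDescription() ; Rendered message (needs the provider's message resources on this machine)
   ; Cast the EventRecord object as an EventLogRecord object to access the EventLogRecord class properties.
   logRecord = ObjectClrType( 'System.Diagnostics.Eventing.Reader.EventLogRecord', eventInstance )
   arrEvents[i,3] = logRecord.ContainerLog            ; Log the record actually came from
   i = i+1
EndWhile
; Release the event log handle held by the reader (EventLogReader implements IDisposable).
oEventLogReader.Dispose()

; Tell the operator when the view is incomplete rather than silently showing a partial list.
If truncated Then Message( 'Event Log Query Results', 'More than ':MAX_RESULTS:' events matched the query; only the first ':MAX_RESULTS:' are shown.' )

; Display in WIL Dialogs Reportview Control
MyDialogFormat=`WWWDLGED,6.2`
MyDialogCaption=`Event Log Query Results`
MyDialogX=002
MyDialogY=059
MyDialogWidth=766
MyDialogHeight=353
MyDialogNumControls=003
MyDialogProcedure=`DEFAULT`
MyDialogFont=`DEFAULT`
MyDialogTextColor=`DEFAULT`
MyDialogBackground=`DEFAULT,DEFAULT`
MyDialogConfig=0
MyDialog001=`231,333,036,012,PUSHBUTTON,"PushButton_OK",DEFAULT,"OK",1,10,32,DEFAULT,DEFAULT,DEFAULT`
MyDialog002=`499,333,036,012,PUSHBUTTON,"PushButton_Cancel",DEFAULT,"Cancel",0,20,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
MyDialog003=`001,001,758,322,REPORTVIEW,"ReportView_1",arrEvents,DEFAULT,DEFAULT,30,2097152,DEFAULT,DEFAULT,"192|192|192"`
ButtonPushed=Dialog("MyDialog")
Exit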
Article ID: W17808
Filename: Query EventLogs.txt
File Created: 2013:05:08:14:31:28
Last Updated: 2013:05:08:14:31:28