Filtering events in Event Viewer using a regex

Published 2019-07-12 03:04

Question:

I have an event log with thousands of events. I want to make a custom filter or view which shows some of them. I want to filter them using a regex (or even just simple text match) on either the entire text of the XML (as text), or on a particular field. Event viewer does support ctl+f finding, but apparently you can't put that same find action into a custom view so it could be used every time.

  • Environment: Microsoft Windows Server 2012 Standard
  • Program: Event Viewer

I've looked at creating a custom view, and am editing the XML source of the custom view properties to try to filter them.

The events look like this:

<Event xmlns="http://blahblah.com">
  <EventData>
    <Data>Blah smith blah
    </Data>
  </EventData>
</Event>

And I want to do the text match / regex on the Data field.

I've tried a lot of things like this:

<QueryList>
  <Query Id="0" Path="">
    <Select Path="">
       *[EventData[Data=regex("*smith*")]]
    </Select>
  </Query>
</QueryList>

as well as other lines like

*[EventData[Data="%smith%")]]
*[EventData[Data="%%smith%%")]]

But I get no result or an invalid XPath error.

How can I do this? I'd also be interested in just knowing the name for where I am. Is this full XPath, or does it have some specific Microsoft version name? How can I even get a list of the namespace that exists from within the *Event line? How can I get access to compile/runtime errors for whatever is interpreting my attempts at writing XPath?

I'd also accept solutions in the form of programs which connect to the Event Viewer API. It'd be better if they were easy to use & could be integrated with the program itself, but even a PowerShell version of event log filtering would be useful.

Overall I just want to filter some events out of the event log based on a regex (or just simple text matching) of their contents. Theoretically this should be easy to do - ctl+f find can do it, the events are stored on my local computer somewhere, and I have an apparently sophisticated custom view filter setup.

Answer 1:

Using PowerShell, there is an easy workaround:

Get-EventLog -LogName Security | Where-Object { $_.Message -like '*testsite*' } | Format-Table Message -Wrap -AutoSize | Out-File C:\Users\<username>\Desktop\out.txt

You need to specify your own logname, text to be searched and outfile path.

The "format-table Message -wrap -autosize" makes sure that your messages/exceptions won't be truncated. If you want to look up by another field other than Message, then replace "$_.Message" with the appropriate field name.

Cheers
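The query language in the custom view's XML tab is the Windows Event Log subset of XPath 1.0, which has no regex and no contains(): a comparison on Data has to be an exact value. The practical pattern is therefore the one the answer sketches, structural filtering in XPath and text matching in PowerShell. The following script, added here as an example and not code from the question or the answer, does both with Get-WinEvent: the QueryList heredoc is the same XML a custom view accepts, and a .NET regex is then applied to the <Data> elements of each event's XML rather than to the rendered Message. The log name, the pattern and the output path are placeholders to change; the event namespace URL is the real one that the question's blahblah.com stands in for.

```powershell
# Added example (not from the original question or answer).
# Placeholders to change: the log to scan, the regex, the output path.
$LogName = 'Security'
$Pattern = '(?i)\bsmith\b'      # .NET regex applied to the <Data> fields
$OutFile = Join-Path $env:USERPROFILE 'Desktop\matching-events.txt'
$MaxScan = 5000                 # upper bound on records read from the log

# Structured filter in the Event Log XPath 1.0 subset; the same QueryList XML
# can be pasted into a custom view's XML tab. The subset cannot do regex or
# substring matching, only exact comparisons such as
#   *[EventData[Data[@Name='TargetUserName']='smith']]
# so this Select keeps every record and the regex below does the text match.
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*</Select>
  </Query>
</QueryList>
"@

# Namespace of Windows event XML (stands behind the question's blahblah.com).
$EventNs = 'http://schemas.microsoft.com/win/2004/08/events/event'

function Get-EventDataText {
    # Returns the <Data> fields of one event as "Name=value" lines, so the
    # regex can be anchored on a field name as well as on its value.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    [xml]$doc = $Record.ToXml()
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('e', $EventNs)
    $parts = foreach ($node in $doc.SelectNodes('//e:EventData/e:Data', $nsm)) {
        if ($node.HasAttribute('Name')) {
            "$($node.GetAttribute('Name'))=$($node.InnerText)"
        } else {
            $node.InnerText
        }
    }
    return ($parts -join "`n")
}

# SilentlyContinue: Get-WinEvent reports "no events found" as an error,
# which should not abort a search that simply has no matches.
$hits = Get-WinEvent -FilterXml $FilterXml -MaxEvents $MaxScan -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = Get-EventDataText -Record $_
        if ($text -match $Pattern) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Provider    = $_.ProviderName
                EventData   = $text
            }
        }
    }

# -Width keeps long Data values from being truncated in the text file.
$hits | Format-List | Out-File -FilePath $OutFile -Width 4096
"$(@($hits).Count) matching event(s) written to $OutFile"
```

Run it from an elevated prompt when the target is the Security log. Get-WinEvent is used instead of Get-EventLog because it reads the modern event log API (the classic cmdlet is absent from PowerShell 7) and because ToXml() exposes the same fields the custom view filters on; -like needs * wildcards for a substring match, whereas -match takes a full regex. To cut the scan down, add the exact XPath conditions the subset does support (EventID, Provider, TimeCreated, an exact Data value) to the Select before the regex runs.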