Event Viewer Filtering does not work – invalid query

eventviewerwindows-event-logwindows-server-2012-r2

First of all, I'd like to rant about how stupidly hard searching for something event logs, but I bet MS is not listening to me so that's about it.

My problem is this: I'm trying to find out all the events that have this value (0x84e9c0d) in the data portion of the event. However, the query editor tells me that "the specified query is invalid". What is wrong with this query? I've copied the code directly from https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security"> 
            *[EventData[Data and (Data=’0x84e9c0d′)]] 
         </Select>
  </Query>
</QueryList>

Best Answer

Pretty sure your problem is:

Data=’0x84e9c0d′

Those quote characters are mismatched and neither of those characters appear to be the single quote character (') that is expected.

Related Solutions

XPath Query – How to Filter Application Pool Errors in Windows 2008 R2 Event Log

I've solved my problem:

<QueryList>
 <Query Id="0" Path="Application">
  <Select Path="Application">*[EventData[(Data[17]='SERVERNAME\applicationpoolname')]]</Select>
 </Query>
</QueryList>

Windows Event Log – Unexpected Results from XML Query Filter

Try this:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4608)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name="TargetUserSid"] = "S-1-5-18"]]</Suppress>
  </Query>
</QueryList>

Related Topic