Windows Event Log – How to Filter Logs with Wildcards

I haven't really tried to use custom event logs. But I have seen the problem you describe, with the same events appearing in more than 1 log. This can happen because event logs are memory mapped files, and if the total size of all event logs is greater than 300MB you will start to have issues.

See the 2nd or so page of this article:

http://technet.microsoft.com/en-us/library/cc722385%28WS.10%29.aspx

>On Windows XP-based computers, member servers, and stand-alone servers, the
>combined size of the Application, Security, and System logs should not exceed 300 MBs.

You can always use a powershell script and pass the XML through powershell's where function (supports -contains -like -match):

nv.ps1

$Query = @"
  <QueryList>
    <Query Id="0" Path="System">
      <Select Path="System">
        *[System[(EventID=20001)]]
      </Select>
    </Query>
  </QueryList>
"@

$events = Get-WinEvent -FilterXml $Query
ForEach ($Event in $Events) {
    # Convert the event to XML
    $eventXML = [xml]$Event.ToXml()
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  DriverVersion -Value $eventXML.Event.UserData.InstallDeviceID.DriverVersion
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  DriverDescription -Value $eventXML.Event.UserData.InstallDeviceID.DriverDescription
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  Data -Value $eventXML.Event.EventData.Data
}
$Events | Select TimeCreated, Id, DriverDescription, DriverVersion, ProviderName, @{Name="MessageData";Expression={$_.Message + $_.Data}} | Where {$_.DriverDescription -match "NVIDIA GeForce GTX*"} | Out-GridView
pause

A cmd to launch it (nv.cmd):

powershell.exe -executionpolicy bypass "& '.\nv.ps1'"