Thursday, January 14, 2021

Event Viewer XML Filtering by Source

There are situations where you want to exclude certain sources (event providers) when analyzing Windows Event Logs. For example, in figure 1 below, say you want to exclude events from Lib_SLP and still see the rest. How would you do that?

 

 

Figure 1. Source is Lib_SLP

 

First, head over to the Details tab and select XML View. Observe the XML structure: we are interested in the System | Provider elements.

Figure 2. XML View

 

To filter out that provider, click on Filter Current Log... and type the following:


Figure 3. XML Filter View



<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
        *[System[Provider[@Name!="Lib_SLP"]]]
    </Select>
  </Query>
</QueryList>
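
The same filter can also be run from PowerShell with Get-WinEvent -FilterXml, which makes it easy to confirm that the excluded provider is really gone from the results. This is an added example, not part of the original post; the function name New-ExcludeProviderQuery and the 200-event limit are assumptions, and it generalizes the query above to more than one excluded provider.

```powershell
# Added example (not from the original post).
# New-ExcludeProviderQuery is a hypothetical helper name; Lib_SLP and the
# Application log come from the post, the 200-event limit is an assumption.
function New-ExcludeProviderQuery {
    param(
        [string]$LogName = 'Application',
        [Parameter(Mandatory)][string[]]$ExcludeProvider
    )
    $conditions = foreach ($name in $ExcludeProvider) {
        # A quote would end the XPath string literal early, so refuse it.
        if ($name -match '["'']') { throw "Unsupported provider name: $name" }
        # Escape &, < and > so the name is safe inside the XML document.
        '@Name!="{0}"' -f [System.Security.SecurityElement]::Escape($name)
    }
    # One Provider predicate; every exclusion is joined with "and".
    $xpath = '*[System[Provider[{0}]]]' -f ($conditions -join ' and ')
    $log = [System.Security.SecurityElement]::Escape($LogName)
@"
<QueryList>
  <Query Id="0" Path="$log">
    <Select Path="$log">$xpath</Select>
  </Query>
</QueryList>
"@
}

# Build the same query as in the post and run it against the live log.
$query  = New-ExcludeProviderQuery -ExcludeProvider 'Lib_SLP'
$events = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 200 -ErrorAction SilentlyContinue

# Summarize which providers remain in the filtered result.
$events | Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Check: the excluded provider must not appear anywhere in the result.
if ($events.ProviderName -contains 'Lib_SLP') {
    Write-Warning 'Lib_SLP events are still present; the filter did not apply.'
}
```

Pass several names to -ExcludeProvider to hide more than one noisy source in a single query.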


REF: T:001


