DiscountASP.NET

IIS 7 Event log filter

When IIS 7 was introduced, one of the first things I dug into was the new Windows Event Log. Windows Event Log is the rewritten logging service that arrived with Windows Vista and Windows Server 2008 (the platform IIS 7 ships on), and Event Viewer is the console you read it with; between them they keep a record of the activity on the server. The feature I like most is Filter. At first glance it looks much like the old Event Viewer's View/Find feature, with the same criteria to choose from, and on its own I found it limiting. But the new filter is XML based: the query behind it is an XPath expression that you can open and modify to be as specific as you need. Very nice!

Windows Event Log ships with more logs than its predecessors, and if you wish you can create your own logs for the OS to write to. It still records the three core logs of the operating system: Application, Security, and System.

To me, the coolest thing about Windows Event Log is the XML behind each filter, which you can read and edit. Here is an example. Say you want to find a specific event in the System log. You know the event ID and some text (a word or phrase in the body of the event). The default Filter options let you narrow by event ID but not by what is inside the body of the event. That is where the 'XML' tab comes in: tick 'Edit query manually' and type your own query. Here is an example.

 <QueryList>
   <Query Id="0" Path="System">
     <Select Path="System">*[System[(EventID=1234)]] and *[EventData[Data="Some phrase"]]</Select>
   </Query>
 </QueryList>

Path="System" queries the System log; change it to Security or Application to query those logs instead. System[(EventID=1234)] matches on the EventID element inside the event's System section, and EventData[Data="Some phrase"] matches a Data element inside the event's EventData section, which is where the event-specific text lives. One caveat: the comparison is an exact match against a whole Data value, not against the rendered message you see on the General tab, and the Event Log's XPath subset has no contains() or starts-with(), so a word buried in the middle of a longer value will not be found this way.

If you want to see all the XML elements and attributes available in a log, open the log, click one of the recorded entries, and then click the Details tab. You get two options, Friendly View or XML View. Choose XML View and you will see the elements of that event, and you can use those element names to build your own query.

Also pay attention to the word 'and' in my query. It is the XPath and operator, and it lets you combine several conditions so you can pinpoint the records you are looking for in the Windows Event Log. Once the query works you can save it (Save Filter to Custom View) for later use.
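As an added example (not from the original post), here is the same filter driven from PowerShell with Get-WinEvent, which accepts either the QueryList XML from the XML tab or a bare XPath string. Event ID 1234 and "Some phrase" are the post's placeholders; the 24-hour time window, the substring search done in PowerShell, and the Data name "param1" are assumptions added here to show what the Event Viewer XPath subset can and cannot do.

```powershell
# Added example, not from the original post: the Event Viewer XPath filter
# run from PowerShell with Get-WinEvent (Windows PowerShell 3.0+ or
# PowerShell 7 on Windows). EventID 1234 and "Some phrase" are the post's
# placeholders; replace them with values from your own log. Reading the
# Security log needs an elevated prompt.

# 1. The QueryList exactly as the XML tab shows it, passed via -FilterXml.
[xml]$queryList = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(EventID=1234)]] and *[EventData[Data="Some phrase"]]</Select>
  </Query>
</QueryList>
"@

# -ErrorAction SilentlyContinue: "No events were found" is raised as an error otherwise.
$exactHits = Get-WinEvent -FilterXml $queryList -MaxEvents 100 -ErrorAction SilentlyContinue

# 2. The same selection as a bare XPath string; -LogName takes the place of Path="System".
$exactHitsXPath = Get-WinEvent -LogName System -MaxEvents 100 -ErrorAction SilentlyContinue `
    -FilterXPath '*[System[(EventID=1234)]] and *[EventData[Data="Some phrase"]]'

# 3. Substring search. Data="Some phrase" only matches a Data value that is exactly
#    that text, and the Event Log XPath subset has no contains() or starts-with(),
#    so let XPath narrow by event ID and test the rendered message in PowerShell.
$partialHits = Get-WinEvent -LogName System -ErrorAction SilentlyContinue `
    -FilterXPath '*[System[(EventID=1234)]]' |
    Where-Object { $_.Message -like '*Some phrase*' }

# 4. Narrowing the XPath subset does support: a time window (timediff() returns
#    milliseconds, so 86400000 is the last 24 hours) ...
$recentHits = Get-WinEvent -LogName System -ErrorAction SilentlyContinue `
    -FilterXPath '*[System[(EventID=1234) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
#    ... and a named Data element, using the Name attribute shown in Details > XML View
#    ("param1" is a placeholder here):
#    *[EventData[Data[@Name="param1"]="Some phrase"]]

# Print what matched: time, provider, event ID and the first line of the message.
$partialHits |
    Select-Object TimeCreated, ProviderName, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 5. Dump the raw XML of the first hit (what the Details > XML View tab shows) to
#    discover the element and attribute names for the next, more specific query.
if ($partialHits) { ([xml](@($partialHits)[0]).ToXml()).Event.EventData.Data }
```

Step 1 and step 2 return the same events; use whichever form is handier, the QueryList when you are pasting from Event Viewer, the bare XPath when scripting. Step 3 is the one to reach for when the phrase you remember is only part of a Data value.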

Now, isn’t that nifty?

Raymond Penalosa
Technical Support
