Filter Event Viewer Logs By Source Name | Log collection solutions

#1 jselormey 8 years ago

Greetings,

I'm trying to filter event viewer logs by the source name using the following configuration:

<Input EventLog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path='System'>*[System[(SourceName="Service Control Manager")]]</Select>\
</Query>\
</QueryList>
</Input>

However it's not working. When I try and filter by Event ID that works no problem. Any assistance would be much appreciated.

Permalink

#2 adm Nxlog ✓ 8 years ago

#1 jselormey

Greetings, I'm trying to filter event viewer logs by the source name using the following configuration: <Input EventLog> Module im_msvistalog Query <QueryList>\ <Query Id="0">\ <Select Path="Application">*</Select>\ <Select Path='System'>*[System[(SourceName="Service Control Manager")]]</Select>\ </Query>\ </QueryList> </Input> However it's not working. When I try and filter by Event ID that works no problem. Any assistance would be much appreciated.

SourceName is an NXLog field name and I don't think it can be used in the XPath query. Provider refers to that, so the following should do what you want (untested though):

<Select Path="System">*[System[Provider[@Name='Service Control Manager']]]

Note that you should be able to test the XML queries in Event Viewer. If it works there, you can just copy paste that to nxlog.conf (while making sure to add backslashes as needed).

Alternatively you can use NXLog's language to filter the data:

Exec if $SourceName != 'Service Control Manager' drop();