Advanced Event Log Filtering

Event Log Viewer Advanced Filtering

Event Log Viewer's Advanced Filtering allows you to filter events based on their:

  • Level (Information, Warning, Error, etc.)
  • Event ID (Include and Exclude are kept separate to avoid common mistakes and confusion)
  • DateTime of the Event
  • Provider
  • Category
  • Description (which is not available in the native Windows Event Viewer application)

Filtering Event logs based on the Levels

You can filter events to include events from one or more levels. The event level indicates the type of the event. For example, you might be interested in seeing only the error or critical events on the system. By checking the respective check boxes, you will see events for the selected levels. The filter goes beyond the basic event levels and also shows the actual levels of the events, such as Verbose and LogAlways, so that you know exactly what the level of a particular event is for more granular filtering.

Filtering Event logs based on the Event IDs

There are two types of filters available for filtering on Event IDs: Include and Exclude. This gives you more control over which event IDs to include and exclude. You can use these filters individually or in combination to make it easy to filter the event logs. The two filter options are provided separately to avoid common mistakes and confusion while filtering the events.

Filtering Event logs based on Event Log DateTime

There are predefined time-based filters for you to choose from, or you can filter the events based on a specific time period. If you apply time correction, the time filters will be based on the time correction settings you have applied. This avoids any confusion or the need for manual time conversion, which can be tedious at times. (Most of the time 🙂)

Filtering Event logs based on the Provider and Category

This is one of the advanced filters you can use to filter the Event logs. You can choose one or more Providers and Categories to show only the events you are interested in. This gives you a way to see only events of a specific category or from a specific provider and focus your investigation around them. Windows Event Viewer does not always give you this option, and it is not available when reviewing saved event log files. The list of categories shows the name of the category, if available, and the category ID (as defined and used internally by Windows event tracing). A common mistake is to assume that these numbers are the count of events available for each category, which is not true. For that, you can view the Event Log Statistics, which has a rich set of statistical data for the loaded event log.

Filtering Event logs based on the Description

You might need to see only the events that contain, or do not contain, a specific text. The description filter also has more filtering options such as “starts with”, “ends with” and “equals”. This gives you more control over the filtering of the events. The description filters are applied on top of the existing filters you have set, so it is always recommended to specify any other filters, if possible, before using the description filter, because it is a time-consuming operation if there are a lot of events to search through. You can also specify that you only want to search within the XML contents of the event, which are quick to fetch, so the overall description filter runs faster. However, the event XML does not always contain the text you want. It is advised to search using this option first and, if you do not find satisfactory results, to run the description filter again with this option unchecked.

Event Log Viewer Description Filter Options

Things to know about filtering

The filters based on Level, ID, Time, Provider and Category are faster than the filter based on the description. The native Windows event log filtering is used while fetching the events based on these attributes, whereas the description filter is applied after the events are fetched from the event source. If you want to apply description filters and already know any of the above attributes for these events, it is recommended to apply those filters as well, because the description filter will then have fewer events to go through. You can also make use of the option “Search in XML Data Only (Faster)”, which only searches within the event XML. The information you are looking for can be found in the event XML most of the time, but sometimes it might not be available. Always check the event XML before you use this option so that you know it contains the text you need.
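
The same two-stage order can be reproduced with Windows' built-in Get-WinEvent cmdlet: attribute filters go into an XPath query evaluated while fetching, and the description match runs afterwards on the reduced set. This is an added example, not Event Log Viewer's own code; the function names New-EventXPath and Select-ByDescription are hypothetical, the log name, IDs and search text are constructed sample values, and case-insensitive matching is an assumption.

```powershell
# Added example; log name, IDs and search text below are constructed sample values.
function New-EventXPath {
    param([int[]]$Level = @(), [int[]]$IncludeId = @(), [int[]]$ExcludeId = @(),
          [string]$Provider, [datetime]$Start, [datetime]$End)
    # Level numbers: 0 LogAlways, 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose
    $c = @()
    if ($Level.Count)     { $c += '(' + (@($Level     | ForEach-Object { "Level=$_" })    -join ' or ')  + ')' }
    if ($IncludeId.Count) { $c += '(' + (@($IncludeId | ForEach-Object { "EventID=$_" })  -join ' or ')  + ')' }
    if ($ExcludeId.Count) { $c += '(' + (@($ExcludeId | ForEach-Object { "EventID!=$_" }) -join ' and ') + ')' }
    if ($Provider)        { $c += "Provider[@Name='$Provider']" }
    # Event timestamps are stored in UTC, so convert local times before comparing.
    $stamp = 'yyyy-MM-ddTHH:mm:ss.fffZ'
    $t = @()
    if ($PSBoundParameters.ContainsKey('Start')) { $t += "@SystemTime>='" + $Start.ToUniversalTime().ToString($stamp) + "'" }
    if ($PSBoundParameters.ContainsKey('End'))   { $t += "@SystemTime<='" + $End.ToUniversalTime().ToString($stamp) + "'" }
    if ($t.Count) { $c += 'TimeCreated[' + ($t -join ' and ') + ']' }
    if ($c.Count) { '*[System[' + ($c -join ' and ') + ']]' } else { '*' }
}

function Select-ByDescription {
    param(
        [Parameter(ValueFromPipeline)]$Record,
        [Parameter(Mandatory)][string]$Text,
        [ValidateSet('Contains', 'NotContains', 'StartsWith', 'EndsWith', 'Equals')]
        [string]$Mode = 'Contains',
        [switch]$XmlOnly   # search the raw event XML instead of the rendered description
    )
    process {
        $haystack = if ($XmlOnly) { $Record.ToXml() } else { [string]$Record.Message }
        $cmp = [StringComparison]::OrdinalIgnoreCase   # assumption: case-insensitive match
        $hit = switch ($Mode) {
            'Contains'    { $haystack.IndexOf($Text, $cmp) -ge 0 }
            'NotContains' { $haystack.IndexOf($Text, $cmp) -lt 0 }
            'StartsWith'  { $haystack.StartsWith($Text, $cmp) }
            'EndsWith'    { $haystack.EndsWith($Text, $cmp) }
            'Equals'      { $haystack.Equals($Text, $cmp) }
        }
        if ($hit) { $Record }
    }
}

# Stage 1: Error and Warning events from the last day, excluding one noisy ID.
$xpath = New-EventXPath -Level 2, 3 -ExcludeId 1001 -Start (Get-Date).AddDays(-1)
# Stage 2: text match on whatever stage 1 returned.
Get-WinEvent -LogName Application -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Select-ByDescription -Text 'faulting' -XmlOnly |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName
```

If the XML-only pass returns nothing, rerun the last pipeline without `-XmlOnly` so the rendered description is searched instead.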