Use the Microsoft Event Viewer to create custom views, which can filter events for severity, source, category, keywords, or specific users.
About this task
WinCollect sources can use XPath filters to
capture specific events from your logs. To create the XML markup for your XPath Query parameter, you
must create a custom view.
Note: You must log in as an administrator to use Microsoft Event Viewer.
Procedure
-
Click .
- Type the following command:
Eventvwr.msc
- Click OK.
- If you are prompted, type the administrator password and press Enter.
- Click Action > Create Custom View.
Tip: When you create a custom view, do not select a time range from the
Logged list. The Logged list includes the
TimeCreated element, which is not supported in XPath queries for the WinCollect protocol.
- In Event Level, select the severity of events that you want to
include in your custom view.
- Select an event source from the Event sources menu, or browse to a source from the
Event logs menu.
- Type the event IDs to filter from the event or log source.
Tip: Use commas to separate IDs. The following list contains an individual ID and a
range: 4133, 4511-4522
- From the Task Category list, select the categories to filter from
the event or log source.
- From the Keywords list, select the keywords to filter from the
event or log source.
- Type the username to filter from the event or log source.
- Type the computer or computers to filter from the event or log source.
- Click the XML tab.
- Create a Windows Event Source with an XPath
Channel and paste the XPath into the UI.
- Using more than 10 XPath queries can affect WinCollect performance, depending on the XPath and
the number of events that are coming into each channel.
- Filtering events by a time range can lead to errors in collecting events.