How to Query Custom View in Event Viewer using C# Code

Introduction:

This post shows how to filter events from custom views in Windows Event Viewer using C# code, which lets you drill down further and apply more advanced filtering options.

Below is an example of how to use the same custom view and set the filter options in your server-side code.

Walkthrough Scenario:

Querying a custom view requires building the XML query dynamically. A good starting point is to generate the basic XML query with Event Viewer.

The extra filtering uses the event level and the time the event was generated:

// Values come from the two dropdown lists defined below.
string level = ddlFilterByType.SelectedItem.Value;
string time = ddlFilterByTime.SelectedItem.Value;

// Provider names copied from the query generated by Event Viewer.
string providers =
    "@Name='Microsoft-Windows-Application Server-System Services'" +
    " or @Name='Microsoft-Windows-Application Server-System Services Event Collector'" +
    " or @Name='Microsoft-Windows-Application Server-System Services Hosting'" +
    " or @Name='Microsoft-Windows-Application Server-System Services IIS Manager'" +
    " or @Name='Microsoft-Windows-Application Server-System Services Power Shell'";

// "Any Time" (0) means no time restriction, so the TimeCreated test is left out.
string timeFilter = time == "0" ? "" : " and TimeCreated[timediff(@SystemTime) &lt;= " + time + "]";

// Provider, level and time are sibling conditions inside System[...].
string filter = "*[System[Provider[" + providers + "] and (" + level + ")" + timeFilter + "]]";

// The same filter is applied to the Admin, Debug and Operational logs.
string channel = "Microsoft-Windows-Application Server-System Services/";
string queryString =
    "<QueryList>" +
    "<Query Id=\"0\" Path=\"" + channel + "Admin\">" +
    "<Select Path=\"" + channel + "Admin\">" + filter + "</Select>" +
    "<Select Path=\"" + channel + "Debug\">" + filter + "</Select>" +
    "<Select Path=\"" + channel + "Operational\">" + filter + "</Select>" +
    "</Query>" +
    "</QueryList>";

*[System[(" + ddlFilterByType.SelectedItem.Value.ToString() + ") and TimeCreated[timediff(@SystemTime) &lt;= " + ddlFilterByTime.SelectedItem.Value.ToString() + "]]]

The values for the dropdown list that filters by level are set as follows:

<asp:DropDownList ID="ddlFilterByType" runat="server" Height="16px" Width="160px">
    <asp:ListItem Text="All Levels" Value="Level=0 or Level=1 or Level=2 or Level=3 or Level=4 or Level=5" />
    <asp:ListItem Text="Critical" Value="Level=1" />
    <asp:ListItem Text="Error" Value="Level=2" />
    <asp:ListItem Text="Warning" Value="Level=3" />
    <asp:ListItem Text="Information" Value="Level=4" />
    <asp:ListItem Text="Verbose" Value="Level=5" />
</asp:DropDownList>

The values for the dropdown list that filters by time (in milliseconds) are set as follows:

<asp:DropDownList ID="ddlFilterByTime" runat="server" Width="160px">
    <asp:ListItem Text="Any Time" Value="0" />
    <asp:ListItem Text="Last Hour" Value="3600000" />
    <asp:ListItem Text="Last 12 Hours" Value="43200000" />
    <asp:ListItem Text="Last 24 Hours" Value="86400000" />
    <asp:ListItem Text="Last 7 Days" Value="604800000" />
    <asp:ListItem Text="Last 30 Days" Value="2592000000" />
</asp:DropDownList>

Now we need to initialize an instance of the EventLogReader by specifying an EventLogQuery:

// Requires: using System.Diagnostics.Eventing.Reader;
EventLogQuery eventsQuery = new EventLogQuery("Application", PathType.LogName, queryString);
EventLogReader logReader = new EventLogReader(eventsQuery);

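Read the results by looping through the EventRecord instances that the EventLogReader returns:

for (EventRecord Instance = logReader.ReadEvent(); null != Instance; Instance = logReader.ReadEvent())
{
    // Each EventRecord exposes the event's properties, for example its ID.
    String EventID = Instance.Id.ToString();
}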
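Because the two dropdown values are concatenated straight into the XPath filter, the server should check what the browser posts before building the query. The following added example (not code from the original post) builds the same query from allowlisted values only; the class name CustomViewQuery, the method Build and the level keys "all" and "1" to "5" are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (hypothetical helper, not from the original post).
public static class CustomViewQuery
{
    const string Source = "Microsoft-Windows-Application Server-System Services";
    static readonly string[] Logs = { "Admin", "Debug", "Operational" };
    static readonly string[] Suffixes =
        { "", " Event Collector", " Hosting", " IIS Manager", " Power Shell" };

    // Assumed dropdown keys mapped to fixed XPath tests; posted text never reaches the query.
    static readonly Dictionary<string, string> Levels = new Dictionary<string, string>
    {
        { "all", "Level=0 or Level=1 or Level=2 or Level=3 or Level=4 or Level=5" },
        { "1", "Level=1" }, { "2", "Level=2" }, { "3", "Level=3" },
        { "4", "Level=4" }, { "5", "Level=5" }
    };

    // Time windows in milliseconds, as offered by ddlFilterByTime; 0 means "Any Time".
    static readonly HashSet<long> Windows = new HashSet<long>
        { 0, 3600000, 43200000, 86400000, 604800000, 2592000000 };

    public static string Build(string levelKey, string windowValue)
    {
        string level;
        long window;
        // Reject anything that is not one of the values the page itself offers.
        if (levelKey == null || !Levels.TryGetValue(levelKey, out level))
            throw new ArgumentException("Unexpected level filter.", "levelKey");
        if (!long.TryParse(windowValue, out window) || !Windows.Contains(window))
            throw new ArgumentException("Unexpected time filter.", "windowValue");

        string providers = string.Join(" or ",
            Suffixes.Select(s => "@Name='" + Source + s + "'"));
        // No TimeCreated test at all for "Any Time".
        string time = window == 0 ? ""
            : " and TimeCreated[timediff(@SystemTime) &lt;= " + window + "]";
        string filter = "*[System[Provider[" + providers + "] and (" + level + ")" + time + "]]";

        // One Select element per log, all sharing the same filter.
        string selects = string.Concat(Logs.Select(
            log => "<Select Path=\"" + Source + "/" + log + "\">" + filter + "</Select>"));
        return "<QueryList><Query Id=\"0\" Path=\"" + Source + "/Admin\">"
            + selects + "</Query></QueryList>";
    }
}
```

The returned string can be passed to EventLogQuery in place of queryString; a rejected value raises ArgumentException before any query text is built.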
