Event Log Filtering. How do you remove a single entry from the log view?

bchargnon

I understand how to filter events in the event log on Windows 2000. If I
want to view event log entries tied to user "Bob", I can filter those by
placing Bob in the user field of the filter.

How do you tell filtering to show events from all users EXCEPT Bob? What is
the "not" character to tell it to do this?

Thanks
 
Shetland Sheepdog

Thanks. I'm aghast that Microsoft left off this kind of filtering ability.
I did discover a VB script called eventquery, but I couldn't get it to work.
Whatever event log it was trying to use didn't have any user information
assigned to it.
 
Shetland Sheepdog

How do you delete the filtered selections? The only delete that I can find
is delete everything.

Thanks
 
Bryston Nitta [MSFT]

You are correct. My earlier workaround was bogus.
Querying the Event Log with WMI is a good way to get the
information which you want.
A script like the following should print out all the
events in the System Log where the user is NOT Bob.

Dim strComputer, objWMIService, colLoggedEvents, objEvent
strComputer = "."

' Connect to the WMI service on the local machine (use a host name for a remote one)
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer _
    & "\root\cimv2")

' WQL query: every record in the System log whose User is not Bob
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
    & "User <> 'Bob'")

For Each objEvent In colLoggedEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
    Wscript.Echo ""
    Wscript.Echo "---------------------------------------------------"
    Wscript.Echo ""
Next

thx,
Bryston

This posting is provided "AS IS" with no warranties, and
confers no rights.
 
Eric Fitzgerald [MSFT]

On Windows XP+
eventquery -l security -v -fo csv -fi "user ne bob"
"ne" is the "not equals" operator.

On Windows 2000, you need the Resource Kit:
dumpel -l security -m security -c | findstr /i /v "bob"

Eric

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.
 
Eric Fitzgerald [MSFT]

By design, the event log does not support deletion of single events (this
would lead to an untrustworthy log). In our Longhorn release we're going to
add very rich query support; Event Viewer was designed years ago and no one
anticipated the richness of query that is needed nowadays.

Here's the EventQuery syntax for what you're looking for (Windows XP+).
EventQuery.vbs won't run on Windows 2000; there's a perl script
EventQuery.pl with some of the same functionality in the Windows 2000
Resource Kit.

C:\>eventquery /l security /v /fo csv /fi "user ne DOMAIN\BOB"

Eventquery.vbs supports AND and OR (multiple /fi switches are implicitly
ANDed), and puts double quotes around each field (which makes it much easier
to import into Excel for analysis).

Eric

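The two "all users except Bob" approaches in this thread are not equivalent: eventquery's /fi "user ne ..." compares one field, while the Windows 2000 pipeline dumpel ... | findstr /i /v "bob" discards every output line in which the string appears anywhere. The script below is an added example, not code from the thread or from Microsoft's tools. It parses a constructed sample in the quoted-CSV shape that eventquery /fo csv produces (the column names are an assumption; the parser keys rows by whatever header row it finds), applies a field-aware "user ne" filter, and contrasts it with a findstr-style whole-line exclusion to show which records the latter silently drops.

```python
import csv
import io
from typing import Dict, List

# Constructed sample in the style of `eventquery /v /fo csv` output: every
# field double-quoted, header row first. The column names are an assumption
# for this example; parse_events() keys rows by whatever header is present.
SAMPLE_CSV = r'''"Type","Event","Date Time","Source","ComputerName","Category","User","Description"
"Success Audit","528","5/3/2004 9:01:12 AM","Security","WS01","Logon/Logoff","DOMAIN\BOB","Successful Logon"
"Success Audit","528","5/3/2004 9:02:40 AM","Security","WS01","Logon/Logoff","domain\bob","Successful Logon"
"Success Audit","528","5/3/2004 9:05:03 AM","Security","WS01","Logon/Logoff","DOMAIN\Alice","Successful Logon"
"Failure Audit","529","5/3/2004 9:07:55 AM","Security","WS01","Logon/Logoff","DOMAIN\Alice","Logon failure: unknown user name bob"
"Success Audit","528","5/3/2004 9:10:21 AM","Security","WS01","Logon/Logoff","DOMAIN\Bobby","Successful Logon"
"Success Audit","517","5/3/2004 9:12:00 AM","Security","WS01","System Event","NT AUTHORITY\SYSTEM","The audit log was cleared"
'''


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse quoted-CSV event output into one dict per event, keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_by_user(events: List[Dict[str, str]], user: str, op: str = "ne") -> List[Dict[str, str]]:
    """Field-aware equivalent of /fi "user eq X" or /fi "user ne X".

    Windows account names are case-insensitive, so the comparison uses casefold().
    Only the User column is inspected; text in other columns never affects the result.
    """
    if op not in ("eq", "ne"):
        raise ValueError("op must be 'eq' or 'ne'")
    want_match = op == "eq"
    target = user.casefold()
    return [e for e in events if (e.get("User", "").casefold() == target) == want_match]


def findstr_v_exclude(lines: List[str], needle: str) -> List[str]:
    """Mimic `findstr /i /v "needle"`: drop any whole line that contains the needle,
    case-insensitively, no matter which field it occurs in."""
    n = needle.casefold()
    return [ln for ln in lines if n not in ln.casefold()]


def filter_summary(user: str = "DOMAIN\\BOB") -> Dict[str, int]:
    """Count how many of the sample events each approach keeps when excluding `user`."""
    events = parse_events(SAMPLE_CSV)
    data_lines = SAMPLE_CSV.splitlines()[1:]      # skip the header row
    bare = user.split("\\")[-1]                   # the thread passes findstr just "bob"
    return {
        "field_aware_kept": len(filter_by_user(events, user, "ne")),
        "substring_kept": len(findstr_v_exclude(data_lines, bare)),
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    print("Events whose User is not DOMAIN\\BOB (field-aware):")
    for e in filter_by_user(events, "DOMAIN\\BOB", "ne"):
        print(f"  {e['Event']:>4}  {e['User']:<22}  {e['Description']}")
    print()
    print('Lines surviving findstr /i /v "bob":')
    for ln in findstr_v_exclude(SAMPLE_CSV.splitlines()[1:], "bob"):
        print("  " + ln)
    print()
    print(filter_summary())
```

On the sample, the field-aware filter keeps four events (both of Alice's, Bobby's, and the SYSTEM record), whereas the whole-line exclusion keeps only two: it also throws away Alice's failed-logon record because its description mentions "bob", and Bobby's logon because "bob" is a substring of the user name. For a Security log reviewed for misuse, those dropped records are exactly the ones an analyst would want to see, so the field-based filter (or the WMI query earlier in the thread, which likewise compares only the User property) is the one to prefer; the dumpel pipeline is usable on Windows 2000 only if the needle is made specific enough to match the user field alone.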
 
