XML filtering within the Windows Event Viewer

Starting in the Windows Vista/Server 2008 time frame, an option was made available to modify or create a XML query to generate Custom Views within the Event Viewer.  To create a Custom View, access the Event Viewer application.  Right-click on the Custom Views subfolder and select the Create Custom View menu option.

Click on the XML tab and then on the Edit query manually checkbox.  Click on the Yes button within the warning dialog box.

Enter text for the XML query.  Below is some sample text to search the Security logs for the user account test:

 
   
       *[EventData[Data[@Name='SubjectUserName'] and (Data='test')]]
    
 

When finished, give the Custom View entry a name and description.

Queries can include AND/OR operators.

 
   
       *[EventData[Data[@Name='SubjectUserName'] and (Data='test' or Data=’testtwo’)]]
    
 

To find additional fields to query on, access the details of an event entry and click on the XML view.

The query below looks for events that any data or field equals test

 
   
       *[EventData[Data and (Data='test' )]]