I have googled lots of possible answers with no luck. I am trying to extract the following from the Event Log (pseudo-code):
select events
where
event date/time between FromDateTime and ToDateTime
and
((Level<=2) // error, critical only
or
((Level<=x) and Provider[Name] in a specific list) // any messages for these apps
)
(The second "Level" expression is to allow the user to specify whether to include Informational messages or limit to Warnings and above, so I can't just discard it.)
The following is the (latest) expression I am trying to use - unsuccessfully.
string queryString =
"*[System[TimeCreated[@SystemTime>='" + dFrom + "' and @SystemTime<='" + dTo + "']]] " +
" and " +
"(*[System[Level<=2]]" +
" or " +
" ( " +
" *[System[Provider[@Name='<1st name>' or @Name='<2nd name>' or @Name='<3rd name>']] " +
" and " +
"System[Level<=" + maxLevel.ToString() + "]]" +
")" +
")";
Am I trying to make an expression that is too hard for the Event Log query evaluator, or do I just have a simple error in the expression? I have been trying various forms of the expression. It appears that the "Level" filters are just being ignored, but why?
*** ARRGGHH!! - I think I found it. The Event Log Level enumeration is:
1 - Critical alert
2 - Error
3 - Warning
4 - Informational
5 - Logs at all levels
... and ...
0 - Undefined - indicates logs at all levels
It turns out that some of the "Information" log entries from Microsoft components use Level 0 instead of 4, so these are being picked up by the filter. My assumption that log entries (especially Microsoft's) would use the appropriate Level was false.
I will need to explicitly look for (Level=1 or Level=2) - Level <= 2 will pick up various Microsoft "Information" log entries.
For anyone interested - the final working query is:
*[System[TimeCreated[@SystemTime>='2018-07-30T17:22:30.000Z'
and @SystemTime<='2018-07-30T20:22:30.000Z']
and (Level=1 or Level=2 or
(Provider[@Name='Application Error' or @Name='Application Hang']
and (Level=1 or Level=2 or Level=3 or Level=4)))]]
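Added example (not the OP's code): the final query above generalized into a parameterized builder that keeps everything inside one predicate, lists the wanted Levels explicitly so Level 0 "Information" entries stay out, and runs it through EventLogQuery/EventLogReader. The log name "Application", the three-hour window and the method names are assumptions.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Linq;

class EventLogLevelQuery
{
    // Builds the single-predicate XPath form of the working query above.
    // Levels are enumerated explicitly (never "Level<=N"), so Level 0 entries are excluded.
    public static string BuildQuery(DateTime fromUtc, DateTime toUtc,
                                    bool includeInformational, string[] providers)
    {
        const string fmt = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'";
        // A single quote would terminate the XPath string literal; reject rather than interpolate.
        if (providers.Any(p => p.Contains("'")))
            throw new ArgumentException("provider names must not contain a single quote", nameof(providers));
        string providerTest = string.Join(" or ", providers.Select(p => "@Name='" + p + "'"));
        string appLevels = includeInformational
            ? "(Level=1 or Level=2 or Level=3 or Level=4)"
            : "(Level=1 or Level=2 or Level=3)";
        return "*[System[TimeCreated[@SystemTime>='" + fromUtc.ToUniversalTime().ToString(fmt) +
               "' and @SystemTime<='" + toUtc.ToUniversalTime().ToString(fmt) + "']" +
               " and (Level=1 or Level=2 or (Provider[" + providerTest + "] and " + appLevels + "))]]";
    }

    static void Main()
    {
        // Assumed parameters: Application log, last three hours, providers from the query above.
        string query = BuildQuery(DateTime.UtcNow.AddHours(-3), DateTime.UtcNow, true,
                                  new[] { "Application Error", "Application Hang" });
        var logQuery = new EventLogQuery("Application", PathType.LogName, query);
        using (var reader = new EventLogReader(logQuery))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    // rec.Level is nullable; a 0/null here would mean the filter regressed to "Level<=N".
                    Console.WriteLine("{0:u} L{1} {2}: {3}", rec.TimeCreated, rec.Level,
                                      rec.ProviderName, rec.FormatDescription());
                }
            }
        }
    }
}
```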