
Custom columns

Custom columns options allow you to add your own columns to the event list.

This feature is mostly helpful for Security event logs when you need to display some information from the event description, e.g. Account name, User logon name, file name, process name etc.

To display the Custom Columns dialog box, select View->Custom Columns from the main menu of the program, or right-click a column title in the event list and then select Custom Columns.

Event Log Explorer lets you add up to 5 custom columns. Just click on Column# (# is a column number) at the top of the dialog to add a specific column.

Load preset fills the column from a saved preset.

Column title. Input display name of the column.

Event source, Event ID(s). Input the source name and Event IDs for which the custom column will be calculated. If you leave these fields empty, Event Log Explorer will try to calculate the custom column for each event.

Value. Input how Event Log Explorer will calculate the value of the custom column.
You should use description parameters in this field. Description parameters are enclosed in curly brackets.
Let's say you want to display the user logon name from the following event description:


An account was successfully logged on.
Subject:
        Security ID:            S-1-5-18
        Account Name:           MIKE-HP$
        Account Domain:         FSPRO
        Logon ID:               0x3e7
Logon Type:                     5
New Logon:
        Security ID:            S-1-5-21-1388294503-2733603710-2753204785-1000
        Account Name:           Michael
        Account Domain:         FSPRO
        Logon ID:               0x13a0091e
        Logon GUID:             {00000000-0000-0000-0000-000000000000}
Process Information:
        Process ID:             0x2f8
        Process Name:           C:\Windows\System32\services.exe
Network Information:
        Workstation Name:       MIKE-HP
        Source Network Address: -
        Source Port:            -
Detailed Authentication Information:
        Logon Process:          Advapi  
        Authentication Package: Negotiate
        Transited Services:     -
        Package Name (NTLM only):       -
        Key Length:             0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
        - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
You need to get information from New Logon->Account Name.
So just input {New Logon\Account Name}

You can also specify a description parameter by index. This is helpful if you work with localized versions of event descriptions. To specify the parameter by index, use PARAM[index]. E.g. to get Account name, input
{PARAM[6]}

You can input as many parameters as you wish. E.g. if you want to display user name as DOMAIN\ACCOUNT NAME, you should set value to
{PARAM[7]}\{PARAM[6]}
or
{New Logon\Account Domain}\{New Logon\Account Name}
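
The sketch below is an added example, not Event Log Explorer's own code: it shows how a Value template such as the ones above can be resolved against an event description, which is useful for checking a column definition against exported events. The parsing rules, the 1-based PARAM index over a constructed parameter list, and the empty string for unresolved placeholders are assumptions of this example.

```python
import re

# Constructed excerpt of the logon event description shown on this page.
SAMPLE = r"""An account was successfully logged on.
Subject:
        Security ID:            S-1-5-18
        Account Name:           MIKE-HP$
        Account Domain:         FSPRO
Logon Type:                     5
New Logon:
        Account Name:           Michael
        Account Domain:         FSPRO
        Logon GUID:             {00000000-0000-0000-0000-000000000000}
Process Information:
        Process Name:           C:\Windows\System32\services.exe
"""

# Constructed parameter list, ordered so PARAM[6]/PARAM[7] match the page's example.
PARAMS = ("S-1-5-18", "MIKE-HP$", "FSPRO", "0x3e7", "S-1-5-21-1388294503-2733603710-2753204785-1000", "Michael", "FSPRO")

def parse_description(text):
    """Map 'Section\\Field' (or 'Field' for top-level lines) to its value."""
    fields, section = {}, None
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue                      # plain sentence, no field here
        indented = line[:1].isspace()
        if not indented and not value.strip():
            section = name.strip()        # header such as "New Logon:"
            continue
        if not indented:
            section = None                # top-level field, e.g. Logon Type
        key = f"{section}\\{name.strip()}" if section else name.strip()
        fields[key] = value.strip()       # split on first colon only
    return fields

def expand(template, fields, params=()):
    """Replace each {...} placeholder; unresolved ones become ''."""
    def resolve(match):
        token = match.group(1)
        by_index = re.fullmatch(r"PARAM\[(\d+)\]", token)
        if by_index:                      # assumed 1-based index into params
            i = int(by_index.group(1))
            return params[i - 1] if 1 <= i <= len(params) else ""
        return fields.get(token, "")
    return re.sub(r"\{([^{}]+)\}", resolve, template)
```

Substituted values are inserted literally and are not expanded again, so a value that itself contains curly brackets (such as Logon GUID) passes through unchanged.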

 

Clear column clears this column.

Load column loads this column or all columns from a file.

Save column saves this column or all columns into a file.

See also: Filter by description params

© 2005-2015 FSPro Labs. All rights reserved.