Linked Event Filter

Sometimes Windows or other software generates several events for one logical operation. For example, a "file delete" operation generates a set of linked events in the Windows security event log:
1) Object handle requested;
2) Attempt to access the object;
3) Object Deleted;
4) Object Closed.

If you need to display all Object Deleted events, filter the Windows security log by Event ID = 4660.

A typical description of Event 4660 looks like this:

An object was deleted.
Subject:
        Security ID:            S-1-5-21-2153856534-97633110-1224965316-1000
        Account Name:           Michael
        Account Domain:         TEST
        Logon ID:               0x22183
Object:
        Object Server:  Security
        Handle ID:      0xc04
Process Information:
        Process ID:     0x930
        Process Name:   C:\Windows\explorer.exe
        Transaction ID: {00000000-0000-0000-0000-000000000000}

As you can see, it does not list the object name, so you cannot tell which file was deleted.

It does, however, contain the Handle ID of the object, and the preceding events (4663 and 4656) let you resolve the object name from that handle.

E.g. Event 4656:

A handle to an object was requested.
Subject:
        Security ID:            S-1-5-21-2153856534-97633110-1224965316-1000
        Account Name:           Michael
        Account Domain:         TEST
        Logon ID:               0x22183
Object:
        Object Server:          Security
        Object Type:            File
        Object Name:            C:\TEST\File.txt
        Handle ID:              0xc04
Process Information:
        Process ID:             0x930
        Process Name:           C:\Windows\explorer.exe
Access Request Information:
        Transaction ID:         {00000000-0000-0000-0000-000000000000}
        Accesses:               DELETE
                                ReadAttributes
                                
        Access Reasons:         DELETE: Granted by      D:(A;ID;0x1301bf;;;AU)
                                ReadAttributes: Granted by      D:(A;ID;0x1200a9;;;BU)
                                
        Access Mask:            0x10080
        Privileges Used for Access Check:       -
        Restricted SID Count:   0
Here you can see that Handle ID 0xc04 is "C:\TEST\File.txt".

You might notice that event 4663 already contains "Accesses: DELETE", so you could filter by "Event ID = 4656" and "Description contains 'Accesses: DELETE'". However, you should not rely on 4656 or 4663 events: the file system may simply refuse the removal, so the result would be inaccurate.

Linked Event Filter automates this: it links events by event ID and description data and filters the view to show only the linked pairs.


To display Linked Event Filter dialog, select Advanced->Linked Event Filter from the main menu.

Base Event ID defines the base (bearing) event ID. For the example above, it would be 4660.

Linked Event ID defines the event ID of the linked events. It would be 4656 (or 4663) for our example.

Linking Param defines the linking key taken from the event description.

You can define it as Level1\Level2

E.g. if event description contains:

Key1:
        Key11:          Value1
        Key12:          Value2
Key2:
        Key22:          Value3

Here you can refer to Value1 as Key1\Key11, to Value2 as Key1\Key12, and so on.

In our example, Linking Param would be Object\Handle ID.

Depth (events) and Depth (milliseconds) define how far the scan for a linked event may go from the base event. Typically it should not exceed 10 events.

Exclude base event - if enabled, the base event is not displayed in the filtered view (only the linked events are displayed).

How it works

1. The event log view is scanned from top to bottom (so normally you should sort events from newest to oldest).

2. When a base event is found, the program reads the value of the linking param and starts an inner scan for the linked event ID with the same linking param value. This inner scan is limited by the depth settings.

3. If a linked event is found, it is displayed in the result set. The base event is displayed as well unless Exclude base event was checked.

Note: Linked event filter is not saved in the program workspace file.
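To make the three steps above concrete, here is an added example (not Event Log Explorer's own code) that re-implements the Linked Event Filter logic in Python over a constructed sample view of 4660/4656/4663 events. It assumes each event is a dict with an "id" and a multi-line "description" in the indented format shown above, and it models only Depth (events), not Depth (milliseconds).

```python
# Added example (not part of Event Log Explorer): minimal Linked Event Filter logic.
from typing import List, Optional

def description_param(description: str, param: str) -> Optional[str]:
    """Resolve a 'Level1\\Level2' linking param (e.g. 'Object\\Handle ID')
    against an indented event description; returns the value or None."""
    section, key = param.split("\\", 1)
    current = None
    for line in description.splitlines():
        text = line.strip()
        if not text:
            continue
        if not line[0].isspace() and text.endswith(":"):
            current = text[:-1]            # top-level section header, e.g. "Object:"
        elif current == section and ":" in text:
            k, v = text.split(":", 1)
            if k.strip() == key:
                return v.strip()
    return None

def linked_event_filter(events: List[dict], base_id: int, linked_id: int, param: str,
                        depth_events: int = 10, exclude_base: bool = False) -> List[int]:
    """Scan the view top to bottom (newest first). For every base event, run an inner
    scan of at most depth_events rows for a linked event with the same param value.
    Returns the row indices the filtered view would display, in view order."""
    shown = set()
    for i, ev in enumerate(events):
        if ev["id"] != base_id:
            continue
        value = description_param(ev["description"], param)
        if value is None:
            continue                       # base event without the linking key: skip
        for j in range(i + 1, min(i + 1 + depth_events, len(events))):
            cand = events[j]
            if cand["id"] == linked_id and description_param(cand["description"], param) == value:
                if not exclude_base:
                    shown.add(i)
                shown.add(j)
                break                      # first match within depth wins
    return sorted(shown)

# Constructed sample log view, newest event first (not real log data).
SAMPLE = [
    {"id": 4660, "description": "An object was deleted.\nObject:\n"
     "        Object Server:  Security\n        Handle ID:      0xc04"},
    {"id": 4663, "description": "An attempt was made to access an object.\nObject:\n"
     "        Handle ID:      0xc04"},
    {"id": 4656, "description": "A handle to an object was requested.\nObject:\n"
     "        Object Name:    C:\\TEST\\File.txt\n        Handle ID:      0xc04"},
    {"id": 4656, "description": "A handle to an object was requested.\nObject:\n"
     "        Object Name:    C:\\TEST\\Other.txt\n        Handle ID:      0xd10"},
]
```

With the defaults, the filter keeps row 0 (the 4660) and row 2 (the 4656 holding the same Handle ID and thus the file name); the unrelated 4656 for handle 0xd10 is dropped, and with Depth (events) = 1 nothing matches because the inner scan stops at the 4663.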


See also:

Filtering events in Event Log Explorer

© 2005-2015 FSPro Labs. All rights reserved.