{"id":84,"date":"2016-03-03T17:18:04","date_gmt":"2016-03-03T17:18:04","guid":{"rendered":"http:\/\/eventlogxp.com\/blog\/?p=84"},"modified":"2016-03-10T06:27:45","modified_gmt":"2016-03-10T06:27:45","slug":"once-again-about-custom-columns-extracting-details-from-application-or-system-event-logs","status":"publish","type":"post","link":"https:\/\/eventlogxp.com\/blog\/once-again-about-custom-columns-extracting-details-from-application-or-system-event-logs\/","title":{"rendered":"Once again about custom columns \u2013 extracting details from Application or System event logs"},"content":{"rendered":"

In my article “Exploring who logged on the system<\/a>“, I described how to add to the event list custom columns that display data\u00a0from the event description. Probably you might think that adding custom columns works for Security event logs only. Although we initially designed Custom columns feature exactly for Security logs (and referred them by name, e.g. Subject\\Account name), we made it possible to use it with any logs.<\/p>\n

Let’s take a typical system engineer or administrator task to discover faulty applications on the system. We will search for application error events. Such events are stored in Application event log, event source is “Application Error” and they are commonly registered with Event ID=1000.\u00a0Therefore, we need to open Application log, and refine its events:
\n\"application<\/a><\/p>\n

\"Application<\/a><\/p>\n

We can see that the description of event 1000\u00a0is not so well-structured as descriptions in\u00a0Security log:
\n\"App<\/a><\/p>\n

so it is impossible to refer description parameters by name.<\/p>\n

However, we can still refer these parameters by number as {PARAM[x]}.<\/p>\n

Look at the event description. The application name and its version is in the very beginning:<\/p>\n

Faulting application name: googledrivesync.exe, version: 1.27.1227.2094, time stamp: 0x509418e4<\/p><\/blockquote>\n

Most likely, we will refer app name as PARAM[1] and its version as PARAM[2], but let’s make sure.<\/p>\n

Double click on an event to get Event Properties and switch to XML tab.
\n\"app_error_XML\"<\/a><\/p>\n

Yes, we can see that googledrivesync.exe 1.27.1227.2094 are the first and the second parameters respectively.<\/p>\n

In this example, I will display app name and version number\u00a0in one column as googledrivesync.exe ver 1.27.1227.2094, but you can try 2 columns (for name and version #) or get rid of version number at all.
\nOpen Custom columns dialog (View->Custom columns).
\n\"App<\/a><\/p>\n

Title the column as Faulty app
\n<\/em><\/strong>Leave Event source and Event ID(s) blank (your log is filtered).
\nSet Value to {PARAM[1]} ver {PARAM[2]}
\n<\/em><\/strong>Press OK<\/strong> and enjoy the result!
\n\"Application<\/a><\/p>\n\"Facebook\"<\/a>\"twitter\"<\/a>\"reddit\"<\/a>\"pinterest\"<\/a>\"linkedin\"<\/a>\"mail\"<\/a>","protected":false},"excerpt":{"rendered":"

In my article “Exploring who logged on the system“, I described how to add to the event list custom columns that display data\u00a0from the event description. Probably you might think that adding custom columns works for Security event logs only. Although we initially designed Custom columns feature exactly for Security logs (and referred them by name, e.g. Subject\\Account name), we made it possible to use\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":94,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[44,41,39],"tags":[37,38,47,19,21],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/84"}],"collection":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/comments?post=84"}],"version-history":[{"count":5,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/84\/revisions"}],"predecessor-version":[{"id":96,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/84\/revisions\/96"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media\/94"}],"wp:attachment":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media?parent=84"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/categories?post=84"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/tags?post=84"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}