Using this dialog window, you specify the criteria for the Filter, Find and Bookmark by Criteria commands.
Apply filter to - defines which views the filter will affect.
Active event log view - if checked, the filter is applied to the active event log view only.
Event log view(s) - lets you select the event log views to filter.
Event Types - defines the list of event types in the criteria. If all types are unchecked, any event type matches the criteria.
Source, Category, User, Computer - define the lists of sources, task categories, users and computers in the criteria.
Event IDs - defines the event IDs in the criteria. Refer to Event ID Condition for more information.
Text in description - lets you get events whose description contains the specified text. Tick the RegExp checkbox if Text in description is a regular expression.
Date - if checked, Event Log Explorer gets events logged between the From and To dates.
Time - if checked, Event Log Explorer gets events logged between the From and To times.
Separately - if unchecked, Event Log Explorer uses a single contiguous interval from From Date + From Time to To Date + To Time. If checked, Event Log Explorer gets events whose date falls into the date interval (From Date to To Date) and whose time of day also falls into the time interval (From Time to To Time). This is helpful, for example, when you want only the events generated during working hours.
Last dd days yy hours - Event Log Explorer gets the recent events logged during the last dd days and yy hours. Set both values to 0 to display all events.
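As an added example (not Event Log Explorer's own code and not part of this help page), the following Python models the two readings of the Date and Time criteria, with Separately unchecked and checked, plus the Last dd days yy hours window, against a constructed set of timestamps. Interval bounds are treated as inclusive here; the dialog's exact boundary behaviour is not stated on this page, so that is an assumption.

```python
from datetime import date, datetime, time, timedelta

# Constructed sample timestamps (not taken from any real log).
EVENTS = [
    datetime(2024, 3, 4, 8, 59),   # Mon, one minute before working hours
    datetime(2024, 3, 4, 9, 0),    # Mon, start of working hours
    datetime(2024, 3, 4, 23, 30),  # Mon, late night
    datetime(2024, 3, 5, 12, 15),  # Tue, midday
    datetime(2024, 3, 6, 17, 0),   # Wed, end of working hours
    datetime(2024, 3, 7, 10, 0),   # Thu, outside the date range
]

# Dialog settings for "working hours, Monday to Wednesday" (constructed values).
FROM_DATE, TO_DATE = date(2024, 3, 4), date(2024, 3, 6)
FROM_TIME, TO_TIME = time(9, 0), time(17, 0)
NOW = datetime(2024, 3, 7, 12, 0)  # reference point for "Last dd days yy hours"


def in_single_interval(ts, from_date, from_time, to_date, to_time):
    """'Separately' unchecked: one contiguous span from From Date+Time to To Date+Time.
    Bounds are assumed inclusive (the page does not say)."""
    return datetime.combine(from_date, from_time) <= ts <= datetime.combine(to_date, to_time)


def in_separate_intervals(ts, from_date, from_time, to_date, to_time):
    """'Separately' checked: the date must lie in [From Date, To Date] AND the
    time of day must lie in [From Time, To Time] on each of those days."""
    return from_date <= ts.date() <= to_date and from_time <= ts.time() <= to_time


def filter_by_date_time(events, from_date, from_time, to_date, to_time, separately):
    """Apply the Date/Time criteria with the chosen 'Separately' setting."""
    check = in_separate_intervals if separately else in_single_interval
    return [ts for ts in events if check(ts, from_date, from_time, to_date, to_time)]


def filter_last(events, now, days=0, hours=0):
    """'Last dd days yy hours': keep events newer than now minus the window.
    With both values 0 the criterion is off and every event is kept."""
    if days == 0 and hours == 0:
        return list(events)
    cutoff = now - timedelta(days=days, hours=hours)
    return [ts for ts in events if ts >= cutoff]


if __name__ == "__main__":
    contiguous = filter_by_date_time(EVENTS, FROM_DATE, FROM_TIME, TO_DATE, TO_TIME, separately=False)
    working_hours = filter_by_date_time(EVENTS, FROM_DATE, FROM_TIME, TO_DATE, TO_TIME, separately=True)
    print("single interval :", [t.isoformat() for t in contiguous])      # 4 events, incl. Mon 23:30
    print("working hours   :", [t.isoformat() for t in working_hours])   # 3 events, Mon 23:30 dropped
    print("last 1 day      :", [t.isoformat() for t in filter_last(EVENTS, NOW, days=1)])
```

The Monday 23:30 event is the one to watch: it lies inside the contiguous interval (Mon 09:00 to Wed 17:00) but outside the working-hours filter, which is exactly the difference the Separately checkbox makes.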
Custom columns - lets you get events based on custom column values. You can build a condition on any custom column. E.g. if you ran a task based on the "Service Installed" task template, you may want to view the list of kernel mode drivers installed in the system whose start type is "system start", i.e. drivers that start automatically with the system. You can set a condition like this to achieve that:
Name            | Operator | Value
Custom column 1 |          |
Custom column 2 | Equal    | kernel mode driver
Custom column 3 | Equal    | system start
Custom column 4 |          |
Custom column 5 |          |
Description params - lets you create conditions based on formatted description parameters.
E.g. you have an event (Event ID 4688) with the following description:
A new process has been created.

Subject:
    Security ID: S-1-5-21-1388292303-2233603710-2753204785-1005
    Account Name: Bob
    Account Domain: FSPRO
    Logon ID: 0x1af38

Process Information:
    New Process ID: 0x23b0
    New Process Name: C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
    Token Elevation Type: TokenElevationTypeLimited (3)
    Creator Process ID: 0x8fc
Let's say we want to get all events where user Bob starts Excel.
In this case the filter by params should look like this (the parameter name is the section name followed by a backslash and the field name):
Name                                 | Operator | Value
Subject\Account Name                 | Equal    | Bob
Process Information\New Process Name | Contains | excel.exe
The Description params filter works only with descriptions formatted like those of Security events (a section name followed by indented Name: Value lines, as in the example above). It is recommended to use the Custom columns filter instead of the Description params filter.
Case sensitive - if checked, Event Log Explorer performs a case-sensitive comparison for the event description text, custom columns and description params. Note that this checkbox does not affect regular expression matching. To make a regular expression case-sensitive, use the inline modifier syntax "(?-i)" in the pattern itself.
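As an added example (not Event Log Explorer's own code and not taken from this help page), the following Python shows how Description params names such as Subject\Account Name map onto a Security-style description like the 4688 text above, and how the Equal, Contains and RegExp operators behave with and without Case sensitive. The grid rows are combined with AND, which is what the worked "Bob starts Excel" filter implies. The sample description is the page's 4688 event re-typed with tabs as constructed input. Python's regex engine has no global "(?-i)" toggle, so the case-sensitive regex case below uses the equivalent scoped group "(?-i:...)".

```python
import re

# Constructed input: the page's 4688 description, laid out the way the Security log
# renders it (unindented section names, tab-indented "Field:<tab>value" lines).
SAMPLE_4688 = (
    "A new process has been created.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1388292303-2233603710-2753204785-1005\n"
    "\tAccount Name:\t\tBob\n"
    "\tAccount Domain:\t\tFSPRO\n"
    "\tLogon ID:\t\t0x1af38\n"
    "\n"
    "Process Information:\n"
    "\tNew Process ID:\t\t0x23b0\n"
    "\tNew Process Name:\tC:\\Program Files (x86)\\Microsoft Office\\Office15\\EXCEL.EXE\n"
    "\tToken Elevation Type:\tTokenElevationTypeLimited (3)\n"
    "\tCreator Process ID:\t0x8fc\n"
)


def parse_description(text):
    """Return {'Section\\Field': value} for a description formatted like Security events.
    Narrative lines before the first section (the summary sentence) are skipped."""
    params = {}
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # An unindented 'Name:' line opens a section; any other unindented line is narrative.
            section = raw.strip()[:-1] if raw.rstrip().endswith(":") else None
            continue
        if section is None:
            continue
        key, sep, value = raw.strip().partition(":")  # split at the first colon only
        if sep:
            params[f"{section}\\{key.strip()}"] = value.strip()
    return params


def match(value, operator, expected, case_sensitive=False):
    """One grid row. Equal and Contains honour Case sensitive; RegExp ignores it, as the
    dialog does, so a pattern must carry its own flag group to be case-sensitive."""
    if operator == "RegExp":
        return re.search(expected, value, re.IGNORECASE) is not None
    if not case_sensitive:
        value, expected = value.casefold(), expected.casefold()
    if operator == "Equal":
        return value == expected
    if operator == "Contains":
        return expected in value
    raise ValueError(f"unsupported operator: {operator!r}")


def description_matches(text, rows, case_sensitive=False):
    """True when every (name, operator, value) row holds; a missing parameter never matches."""
    params = parse_description(text)
    return all(name in params and match(params[name], op, val, case_sensitive)
               for name, op, val in rows)


# The filter from the worked example: user Bob starts Excel.
BOB_STARTS_EXCEL = [
    ("Subject\\Account Name", "Equal", "Bob"),
    ("Process Information\\New Process Name", "Contains", "excel.exe"),
]

if __name__ == "__main__":
    print(description_matches(SAMPLE_4688, BOB_STARTS_EXCEL))                       # True
    print(description_matches(SAMPLE_4688, BOB_STARTS_EXCEL, case_sensitive=True))  # False: EXCEL.EXE vs excel.exe
    print(match("EXCEL.EXE", "RegExp", r"(?-i:excel)\.exe"))                         # False: scoped flag wins
```

With Case sensitive ticked the worked filter stops matching, because the description carries EXCEL.EXE while the grid row says excel.exe; the RegExp operator is unaffected by the checkbox and only becomes case-sensitive through the inline flag group in the pattern.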