Linked event filter helps you to automate linking events by custom fields and filter them.
To start using Linked filter you should add custom columns to the list.
To display Linked Event Filter dialog select Advanced->Linked Event Filter from the main menu.
Example
Sometimes Windows or other software generate several events for one logical operation. E.g. "file delete" operation generates a set of linked events in Windows security event log:
1) Object handle requested;
2) Attempt to access the object;
3) Object Deleted;
4) Object Closed.
If you need to display all Object Deleted events, you should filter Windows security log by Event ID = 4660.
A typical description of Event 4660 is as follows:
An object was deleted.
Subject:
Security ID: S-1-5-21-2153856534-97633110-1224965316-1000
Account Name: Michael
Account Domain: TEST
Logon ID: 0x22183
Object:
Object Server: Security
Handle ID: 0xc04
Process Information:
Process ID: 0x930
Process Name: C:\Windows\explorer.exe
Transaction ID: {00000000-0000-0000-0000-000000000000}
As you can see, it does not list object name, so you don't know what file was deleted.
But it contains Handle ID of the object. Previous events (4663 and 4656) let you resolve object name from handle.
E.g. Event 4656:
A handle to an object was requested.
Subject:
Security ID: S-1-5-21-2153856534-97633110-1224965316-1000
Account Name: Michael
Account Domain: TEST
Logon ID: 0x22183
Object:
Object Server: Security
Object Type: File
Object Name: C:\TEST\File.txt
Handle ID: 0xc04
Process Information:
Process ID: 0x930
Process Name: C:\Windows\explorer.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
ReadAttributes
Access Reasons: DELETE: Granted by D:(A;ID;0x1301bf;;;AU)
ReadAttributes: Granted by D:(A;ID;0x1200a9;;;BU)
Access Mask: 0x10080
Privileges Used for Access Check: -
Restricted SID Count: 0
Here you can see that Handle ID:0xc04 is "C:\TEST\File.txt"
You might notice that event 4663 already contains Accesses: DELETE and you could filter by "Event ID = 4656" and "Description contains "Accesses: DELETE". However you should not rely on 4656 or 4663 events - file system may just prohibit file removal and you will get inaccurate result.
Linked Event Filter helps you to automate linking events by event id and description data and filter them.
First you need to create custom columns for events 4660 and 4656. It is enough to create only one custom field since Handle ID has the same field name (HandeID for both events).
To display Linked Event Filter dialog, select Advanced->Linked Event Filter from the main menu.
Base Event ID defines base (bearing) event ID. For the example above, it would be 4660.
Linked Event ID defines event ID of linked events. It would be 4656 (or 4663) for our example.
Base custom column and Linked custom column define custom column names to link. In our example it's the same custom column.
Depth (events) and Depth (milliseconds) define scan depth for linked event from the base event. Typically it should not exceed 10 events.
Exclude base event - if enabled, base event will not be displayed in the filtered view (only linked events will be displayed).
How it works
1. Event log view is scanned from top to bottom (this means that commonly you should sort events from newest to oldest).
2. When the base event found, the program gets a base value of the base custom column value and starts an inner scan for the linked custom column with the same base value. This inner scan is limited by depth.
3. If the linked event was found, it will be displayed in the result set. Base event will be displayed unless Exclude base event was checked.
Notes:
Linked event filter works slowly, so you may need to prefilter event list before using linked filter.
Event Log Explorer does not save linked filter into the workspace file.
