(imported topic written by Vosh)
I’m trying to identify certain events in the Windows application event log. I’m using very simple relevance which I’ll iterate in a moment. The problem is the relevance works just fine for some event IDs but not others and I can’t figure out why that would be.
Ultimately, what I would like to track is this: using event ID 6005 to identify relevant systems, on which I then read the results in seconds of the 6006 event.
Application log
Event ID 6005 from Winlogon
The winlogon notification subscriber is taking long time to handle the notification event (Logon).
Application log
Event ID 6006 from Winlogon
The winlogon notification subscriber took 553 second(s) to handle the notification event (Logon).
However, in testing I get false results for event IDs that are present in the log; two examples are below.
Version of TEM Server, Relays, and Client - 9.0.787
Example: In Fixlet Debugger
exists records whose (event id of it = 1033) of application event log
Result = True, this works.
Log Name: Application
Source: MsiInstaller
Date: 10/21/2013 10:10:34 AM
Event ID: 1033
Task Category: None
Level: Information
Keywords: Classic
User: …
Computer: …
Description:
Windows Installer installed the product. Product Name: VmciSockets. Product Version: 9.1.55.1. Product Language: 1033. Manufacturer: VMware, Inc… Installation success or error status: 0.
Event Xml:
<Provider Name="MsiInstaller" />
<EventID Qualifiers="0">1033</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-10-21T14:10:34.000000000Z" />
<EventRecordID>51641</EventRecordID>
<Channel>Application</Channel>
<Computer>...</Computer>
<Security UserID="S-1-5-21-740110469-2700379406-3212024746-401714" />
<Data>VmciSockets</Data>
<Data>9.1.55.1</Data>
<Data>1033</Data>
<Data>0</Data>
<Data>VMware, Inc.</Data>
<Data>(NULL)</Data>
<Data>
</Data>
But if I were to try the following:
exists records whose (event id of it = 32) of application event log
Result = False, this does not work.
I could go through several examples where some event IDs will return correctly as true and others will report false even though they are present in the log. The example of event ID 32 I’ll paste below.
Log Name: Application
Source: Outlook
Date: 10/21/2013 8:59:01 AM
Event ID: 32
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: …
Description:
The store D:\Backup\archive.pst has detected a catalog checkpoint.
Event Xml:
<Provider Name="Outlook" />
<EventID Qualifiers="16384">32</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-10-21T12:59:01.000000000Z" />
<EventRecordID>51623</EventRecordID>
<Channel>Application</Channel>
<Computer>...</Computer>
<Security />
<Data>D:\Backup\archive.pst</Data>
Any thoughts on what the issue could be here?
Thanks!
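The two records quoted above differ in the Qualifiers attribute on the EventID element (0 for MsiInstaller, 16384 for Outlook). As an added example that is not part of the original post, the Python below parses constructed copies of those two elements and shows the 16-bit value Event Viewer displays next to the full 32-bit identifier carried by the legacy event-log record, where Qualifiers occupies the upper 16 bits; the enclosing Event/System elements are assumed, since the post only shows the inner lines.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Provider> and <EventID> lines from the two records
# in the post, wrapped in the <Event>/<System> elements that EvtRender emits
# (the wrapper elements are assumed; the post shows only the inner lines).
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MsiInstaller" />
    <EventID Qualifiers="0">1033</EventID>
  </System>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Outlook" />
    <EventID Qualifiers="16384">32</EventID>
  </System>
</Event>""",
]

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event_id(event_xml):
    """Return (provider, short_id, qualifiers, full_id) for one rendered event.

    short_id   is the 16-bit value Event Viewer shows as "Event ID";
    qualifiers is the 16-bit Qualifiers attribute (non-zero for classic sources);
    full_id    is the 32-bit EventID of the legacy EVENTLOGRECORD structure,
               with qualifiers in the upper 16 bits and short_id in the lower.
    """
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    eid = system.find("e:EventID", NS)
    short_id = int(eid.text)
    qualifiers = int(eid.get("Qualifiers", "0"))
    full_id = (qualifiers << 16) | short_id
    return provider, short_id, qualifiers, full_id

def matches_event_id(event_xml, wanted):
    """True if `wanted` equals either the short or the full form of the ID."""
    _, short_id, _, full_id = parse_event_id(event_xml)
    return wanted in (short_id, full_id)

for xml_text in SAMPLE_EVENTS:
    name, short_id, qualifiers, full_id = parse_event_id(xml_text)
    print(f"{name}: EventID={short_id} Qualifiers={qualifiers} "
          f"full 32-bit id={full_id} (0x{full_id:08X})")
```

For the Outlook record the two forms differ (32 versus 1073741856), while for MsiInstaller they coincide; which form a given query tool compares against is something to confirm in that tool's documentation.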