Filter event viewer service control manager events using XML

2017-12-07T10:29:48+00:00 May 19th, 2011|Azure, Cloud, Windows|

Had a problem with a site in which I wanted to see if the event viewer had logged any instances of the Exchange System Attendant service stopping. Unfortunately these were buried in a long list of other services that were constantly starting and stopping under event id 7036.

What I had to do was edit the XML query manually in “Filter Current Log…”. I then put in this query to show me every time the service had entered the running state:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=4 or Level=0) and (EventID=7036)]] and *[EventData[Data[1]='Microsoft Exchange System Attendant' and Data[2]='running']]</Select>
  </Query>
</QueryList>

This gave me the filtered list of service events that only applied to when the Microsoft Exchange System Attendant service had entered the running state.

You can copy and paste the XML above to get this output, or change the service name and state in the query to look for events for any particular service that you want to see.

If you want more parameters to search on, double-click the event that you want to filter, click the Details tab and select XML View. This lists all of the fields that you can search for.

Paul
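
The same filter can be run from PowerShell with Get-WinEvent, which is handy when you want the result as objects or need to check several servers. This is an added example, not part of the original post; the function name Get-ServiceStateEvent and its parameters are hypothetical, and it assumes an English-language system where event 7036 records the state as 'running' or 'stopped'.

```powershell
# Added example (not from the original post). Function and parameter names are hypothetical.
function Get-ServiceStateEvent {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,               # service name as it appears in Data[1]
        [ValidateSet('running', 'stopped')] [string] $State = 'stopped',
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # The value is placed inside single quotes in an XML document, so quotes
    # and XML metacharacters in the name would produce a malformed query.
    if ($DisplayName -match '[''"<>&]') {
        throw 'DisplayName must not contain quotes, <, > or &.'
    }
    $stateText = $State.ToLowerInvariant()   # the XPath comparison is case-sensitive

    # Same query as in the post, with the service name and state substituted.
    $filter = [xml]@"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=4 or Level=0) and (EventID=7036)]] and *[EventData[Data[1]='$DisplayName' and Data[2]='$stateText']]</Select>
  </Query>
</QueryList>
"@

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterXml $filter -ErrorAction Stop
    }
    catch {
        # "No events found" is reported as an error; treat it as an empty result
        # and let anything else (access denied, RPC failure) surface.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    # Properties[0] and Properties[1] correspond to Data[1] and Data[2] in the filter.
    $events | Sort-Object TimeCreated | Select-Object TimeCreated, MachineName,
        @{ Name = 'Service'; Expression = { $_.Properties[0].Value } },
        @{ Name = 'State';   Expression = { $_.Properties[1].Value } }
}

# Every time the service from the post entered the stopped state:
Get-ServiceStateEvent -DisplayName 'Microsoft Exchange System Attendant' -State stopped
```

Pipe the output to Export-Csv or Format-Table to line up stop and start times when reviewing an outage or an unexpected service stop.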