Let's say I want to remove a single event from the view so I can view the rest. How do I accomplish this? This is on a Server 2003 R2 box.
4 Answers
By now (checked on Windows Server 2019) this is easily done by prefixing the ID with a minus sign (e.g. to exclude 1000 you would type -1000 in the event ID field).

EDIT: To answer your edited question, the easiest way I can think of is to sort your Event Log by Event ID, select everything except the events you want to exclude and then Save Selected Events to file. It will save as a single Event Log file, which you can then open with your Event Viewer, and won't have the events you didn't select.
PowerShell's another option, especially if you want to do that for a large number of Event Logs, but I don't have an "exclude Event ID" PS script handy, so I'm not going to punch it up unless you ask nicely.
And the now not-quite relevant original answer is below.
Yes, it's pretty easy, but a little different depending on what version of Windows you're using.
Images below.
In 2008 or Windows 7:
In 2003 or XP:
You can even use PowerShell to parse your Event Logs for you based on any number of factors... but the built-in filters are pretty good.

- I should have phrased my question better... how do I view everything EXCEPT for a specific Event ID? – Bigbio2002 Jul 26 '12 at 19:10
- I see. Well, PowerShell script's one way, but depending on your scripting skills, you might find it easier to sort your log by Event ID, select everything *EXCEPT* the EventID you want to exclude and then save the selected events off to a file somewhere. It'll create an event log file, which you can then open with the Event Viewer. – HopelessN00b Jul 26 '12 at 19:21
- It clearly said in the screenshot: "To exclude criteria, type a minus sign first." – Michael Hampton Jul 26 '12 at 19:22
- @Michael see my comments on joeqwerty's post... – Bigbio2002 Jul 26 '12 at 19:23
- @HopelessN00b, thanks anyways, but it looks like my event log was flooded with so many of these messages that it overwrote everything up til yesterday evening. That's a good workaround for the future though. – Bigbio2002 Jul 26 '12 at 19:27
- @MichaelHampton Yeah, that only works for 2008/Win7. Pretty sure 2003 doesn't have that functionality, which makes those Event Logs all the more of a pain to deal with. – HopelessN00b Jul 26 '12 at 19:36
I had a very similar situation where I wanted to filter out an entire source instead of a single event ID. As it turns out, it's pretty easy and it works on anything: event level, event sources, task category, keywords, user, and computer.
Click "Filter Current Log", then select the things you want to filter out. If you don't want to see any information-level events, check "Information" next to Event level. If you don't want any events with the "Audit Success" keyword, select "Audit Success" under Keywords. In my case, I wanted to filter out everything from the Security-SPP source, so I selected it under Event sources.
Now, open the XML tab and check "Edit query manually". You'll see a <Select> element with a bunch of text in it.
Example:
```xml
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-Security-SPP']]]</Select>
  </Query>
</QueryList>
```
Copy the opening <Select> tag and paste it right above the original <Select> element. Then, type an * and write a closing </Select> tag.
```xml
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-Security-SPP']]]</Select>
  </Query>
</QueryList>
```
Finally, change the original <Select> element to a <Suppress> element by changing the opening and closing tags.
```xml
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Suppress Path="Application">*[System[Provider[@Name='Microsoft-Windows-Security-SPP']]]</Suppress>
  </Query>
</QueryList>
```
Click "OK" then BAM! All of the events that match that filter will disappear!

- This helped me for my case a lot, thanks! Although, instead of using "suppress" I had success by simply changing "=" to "!=" EG: – aampere Sep 15 '22 at 17:35
I'm going to answer this as I interpreted it - how does one filter out specific event ID values.
Select the "XML" tab in the "Filter Current Log" option from "Actions" in the event viewer. Check the "Edit query manually" box.
A custom query can be made using XPath to filter out specific event IDs (or other properties for that matter). Here I am creating a filter for Sysmon-sourced events that filters out EventID 7 and 10:
```xml
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID!=7) and (EventID!=10)]]</Select>
  </Query>
</QueryList>
```
Once XPath is utilized, one cannot revert back to the old wizard/GUI based editor, but it offers a lot more flexibility for filters as any XPath operator can be used.

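The Select/Suppress pattern and the event ID exclusion from the two answers above can also be generated and run from PowerShell. This is an added example, not code from any of the posts: `New-ExclusionQuery` is a hypothetical helper name, and the log name, event ID and provider are sample values taken from the answers.

```powershell
# Added example. New-ExclusionQuery is a hypothetical helper, not a built-in cmdlet.
function New-ExclusionQuery {
    param(
        [Parameter(Mandatory = $true)][string]$LogName,
        [int[]]$ExcludeId = @(),
        [string[]]$ExcludeProvider = @()
    )
    # XML-escape the channel name so it is safe inside the Path attribute.
    $path = [System.Security.SecurityElement]::Escape($LogName)

    # Select everything first, then add one <Suppress> per exclusion list.
    $rules = @("<Select Path=`"$path`">*</Select>")

    if ($ExcludeId.Count -gt 0) {
        # Suppress hides an event that matches ANY listed ID, so the terms are
        # joined with "or". The equivalent <Select> form needs "!=" joined with
        # "and": (EventID!=7) or (EventID!=10) is true for every event.
        $ids = ($ExcludeId | ForEach-Object { "EventID=$_" }) -join ' or '
        $rules += "<Suppress Path=`"$path`">*[System[($ids)]]</Suppress>"
    }
    if ($ExcludeProvider.Count -gt 0) {
        $names = ($ExcludeProvider | ForEach-Object {
            "@Name='$([System.Security.SecurityElement]::Escape($_))'"
        }) -join ' or '
        $rules += "<Suppress Path=`"$path`">*[System[Provider[$names]]]</Suppress>"
    }
    "<QueryList><Query Id=`"0`" Path=`"$path`">$($rules -join '')</Query></QueryList>"
}

# Sample values from the answers above: event ID 1000 and the Security-SPP source.
$query = New-ExclusionQuery -LogName 'Application' -ExcludeId 1000 `
    -ExcludeProvider 'Microsoft-Windows-Security-SPP'
$query   # show the generated XML; it can also be pasted into Event Viewer's XML tab

# Get-WinEvent needs Windows Vista / Server 2008 or later.
# SilentlyContinue avoids an error when nothing is left after filtering.
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, ProviderName -AutoSize

# Older systems that only have Get-EventLog cannot take a query, so the
# exclusion is done client-side instead:
# Get-EventLog -LogName Application | Where-Object { $_.EventID -ne 1000 }
```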