Event Viewer Filters Part 2

Still playing with the Event Viewer, I’ve written a bunch of custom filters that give great insight into how Cognos is behaving, especially around monthly patching.

I’ve saved these queries on my local machine and run them against all our servers by right-clicking the Event Viewer root and choosing ‘Connect to another computer’.

Cognos Service
This query shows state changes of the ‘IBM Cognos’ service, as logged by the Service Control Manager (event 7036).

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7036)]]
      and
      *[EventData[Data[@Name='param1'] and Data='IBM Cognos']]
    </Select>
  </Query>
</QueryList>

Server Restarts
USER32 events appear to show all restarts of the server.

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='USER32']]]</Select>
  </Query>
</QueryList>

Windows Updates (Patches)
This query shows all patches being applied to the server; event ID 40 is suppressed from the results.

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-WindowsUpdateClient/Operational">
    <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*[System[Provider[@Name='Microsoft-Windows-WindowsUpdateClient']]]</Select>
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-WindowsUpdateClient']]]</Select>
    <Suppress Path="Microsoft-Windows-WindowsUpdateClient/Operational">*[System[(EventID=40)]]</Suppress>
    <Suppress Path="System">*[System[(EventID=40)]]</Suppress>
  </Query>
</QueryList>
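
The three filters above can also be run from PowerShell against several servers in one pass and merged into a single timeline, instead of connecting Event Viewer to each server in turn. This is an added example, not part of the original post; the server names, the seven-day window and the 200-event cap are assumptions.

```powershell
# Added example: server names and the look-back window are placeholders.
$Servers = @('COGNOS-APP01', 'COGNOS-APP02')   # hypothetical host names
$Since   = (Get-Date).AddDays(-7)

# The three filters from this post, keyed by the label used in the output.
$Queries = [ordered]@{
    'Cognos service' = @'
<QueryList><Query Id="0" Path="System">
  <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7036)]]
  and *[EventData[Data[@Name='param1'] and Data='IBM Cognos']]</Select>
</Query></QueryList>
'@
    'Restart' = @'
<QueryList><Query Id="0" Path="System">
  <Select Path="System">*[System[Provider[@Name='USER32']]]</Select>
</Query></QueryList>
'@
    'Windows Update' = @'
<QueryList><Query Id="0" Path="Microsoft-Windows-WindowsUpdateClient/Operational">
  <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*[System[Provider[@Name='Microsoft-Windows-WindowsUpdateClient']]]</Select>
  <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-WindowsUpdateClient']]]</Select>
  <Suppress Path="Microsoft-Windows-WindowsUpdateClient/Operational">*[System[(EventID=40)]]</Suppress>
  <Suppress Path="System">*[System[(EventID=40)]]</Suppress>
</Query></QueryList>
'@
}

# Query every server with every filter and tag each event with its origin.
$Timeline = foreach ($Server in $Servers) {
    foreach ($Label in $Queries.Keys) {
        try {
            Get-WinEvent -ComputerName $Server -FilterXml ([xml]$Queries[$Label]) -MaxEvents 200 -ErrorAction Stop |
                Where-Object TimeCreated -ge $Since |
                Select-Object TimeCreated, @{n='Server'; e={$Server}},
                              @{n='Source'; e={$Label}}, Id,
                              @{n='Summary'; e={($_.Message -split "`r?`n")[0]}}
        } catch {
            # Raised when a filter matches nothing, and when a host is unreachable.
            Write-Warning "$Server / ${Label}: $($_.Exception.Message)"
        }
    }
}

# One chronological view per server: patch install, restart, Cognos stop/start.
$Timeline | Sort-Object Server, TimeCreated | Format-Table -AutoSize -Wrap
```

The account running it needs permission to read the remote logs, as it does when connecting Event Viewer to another computer.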
