How to write proper XPath query for filtering certain application pool errors in Windows 2008 R2 Event log ("Applications" section)

Question

does someone know how to write proper XPath query for filtering certain application pool errors in Windows 2008 R2 Event log ("Applications" section)?

EventData in XML view from Application eventlog does not containt data descriptions:

Event from Application:

- <EventData>
  <Data>3005</Data> 
  <Data>An unhandled exception has occurred.</Data> 
  <Data>2011-04-30 13:53:42</Data> 
  <Data>2011-04-30 11:53:42</Data> 
  <Data>38b8155b8def46c2b326776135f21ab6</Data> 
  <Data>1520</Data> 
  <Data>469</Data>
  <Data>w3wp.exe</Data> 
  <Data>SERVERNAME\usernamefromwebsiteapplicatiopool</Data> 
  <Data>NullReferenceException</Data>

Event from Security:

 <EventData>
  <Data Name="TargetUserSid">S-1-5-21-775773886-3418497561-2363255987-1293</Data> 
  <Data Name="TargetUserName">someusername</Data> 
  <Data Name="TargetDomainName">servername</Data>

Does anyone have any idea how to write XPath query (I want to create custom view) to filter event log entries from Application section which contains certain applicationpool username (in this example it is "SERVERNAME\usernamefromwebsiteapplicatiopool").

Thank you

score 0 · Accepted Answer · answered Apr 30 '11 at 16:27

0

I've solved my problem:

<QueryList>
 <Query Id="0" Path="Application">
  <Select Path="Application">*[EventData[(Data[17]='SERVERNAME\applicationpoolname')]]</Select>
 </Query>
</QueryList>

answered Apr 30 '11 at 16:27

GrZeCh

605
4
12
28

How to write proper XPath query for filtering certain application pool errors in Windows 2008 R2 Event log ("Applications" section)

1 Answers1

Linked