11

We have a legacy application running on a Windows Server 2008 VM from Azure that is spamming our Windows event log every minute or so. I do not have access to the source for the bit of code that is writing to the event log, only the DLL file. I cannot rewrite it either as it's a massive piece of software, as much as I'd like to.

So my question is... Is there any way for me to block the event source for certain messages? Obviously, I don't want to block the whole event source from logging as it does log helpful stuff when it goes wrong; it's just that this one particular message is clogging up our server log and getting quite annoying!

simonlchilds
  • I tried it on win 10 with the guid `{54849625-5478-4994-A5BA-3E3B0328C30D}`. I created a new key `[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security\{9580d7dd-0379-4658-9870-d5be7d52d6de}]`. Then I added the `Enabled` DWORD with `0` value and the `LoggerName` string as `EventLog-Security`, but it's not blocked. – user412229 Apr 25 '17 at 10:10

3 Answers

6

You can't stop logging for a specific event ID with the means of Windows; however, you can change the Event Viewer filter settings so that some items are not displayed if you want to, i.e. create a Custom View.


Volodymyr Molodets
  • This is great, thanks! I've actually created a custom view for just the service that spams excluding 'Information' logs which will be fine for now. The Application Log still will be spammed though. – simonlchilds Nov 16 '12 at 12:15
  • Yes, it will be, but you won't see it in your Custom View. – Volodymyr Molodets Nov 16 '12 at 12:18
  • I've got 10k items per day with that particular ID `1054` (Dell Command | Monitor) and it effectively reduces my log length to 3 days (20MB). What can I do other than increase the size to get meaningful logs? Can I write an automated task to remove that record? – Qwerty Apr 11 '22 at 22:53
2

Yes you can... I'm gonna use the WLAN-AutoConfig event ID 4001 warning.

First, double-click on the error/warning in Event Viewer, click on the Details tab and write down the GUID (`{9580D7DD-0379-4658-9870-D5BE7D52D6DE}`).

Now open up regedit and go to `[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de}]`.

On the right, where the registry entries are, look for "Enabled", which will be set to one; change that to 0. Reboot two times for the entry to take effect. This has worked for me for three errors/warnings that can be ignored.

This should work for Windows Vista, 7 and 8 and their respective Windows Server counterparts. I don't know about Windows 10, but you can try.

ErickC
  • Didn't test for a prolonged period, but it seems to work on Windows 10 1809. It helped me to stop annoying messages which had been coming each second from WHEA-Logger about corrected hardware error. – Alex Jan 22 '19 at 22:56
  • I have also verified that this can be done on Windows 10 (as of 2020-12-04). I used this simple process to turn off several logs that were not essential and loading up the event viewer with thousands of lines over several days. It helped considerably because I can now focus on real issues instead of faux warnings. Much appreciated. – Highdown Dec 04 '20 at 18:00
  • Mine doesn't list a guid. I was still able to find it by `Provider Name` field, but it was under `CurrentControlSet\Services\EventLog\System\Dell Command | Monitor`. Still no `guid` listed there, like other entries there do though. What now? – Qwerty Apr 11 '22 at 22:45
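
The `Enabled` value edited in the answer above sits on the provider's GUID subkey, so it applies to that provider as a whole for that log, and a later reader of the log has no indication that a source was switched off. The following is an added example, not part of the original answer: a read-only PowerShell audit that lists every provider with `Enabled` set to `0` under the `EventLog-*` autologger sessions. The function name `Get-DisabledEventLogProvider` is hypothetical, and the name lookup assumes providers are registered under the `WINEVT\Publishers` registry key, which is not mentioned on this page.

```powershell
# Added example: list providers disabled for the EventLog-* autologger sessions.
# Read-only; run from an elevated PowerShell prompt. Written to work on PowerShell 2.0.
$autologger = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'
# Assumption: provider GUID -> name mapping is taken from the WINEVT publishers key.
$publishers = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers'

function Get-DisabledEventLogProvider {
    # Each EventLog-* key is one session (EventLog-Application, EventLog-System, ...).
    $sessions = Get-ChildItem -Path $autologger -ErrorAction Stop |
        Where-Object { $_.PSChildName -like 'EventLog-*' }

    foreach ($session in $sessions) {
        # Each subkey named {GUID} is one provider attached to that session.
        foreach ($provider in Get-ChildItem -LiteralPath $session.PSPath) {
            $guid = $provider.PSChildName
            if ($guid -notmatch '^\{[0-9a-fA-F-]{36}\}$') { continue }

            # Only report providers where Enabled exists and is explicitly 0.
            $enabled = $provider.GetValue('Enabled', $null)
            if ($null -eq $enabled -or $enabled -ne 0) { continue }

            # Resolve the GUID to a readable name if a publisher is registered.
            $name = '(no publisher registered)'
            $pubKey = Join-Path $publishers $guid
            if (Test-Path -LiteralPath $pubKey) {
                $default = (Get-Item -LiteralPath $pubKey).GetValue('')
                if ($default) { $name = $default }
            }

            New-Object PSObject -Property @{
                Session      = $session.PSChildName
                ProviderGuid = $guid
                ProviderName = $name
            } | Select-Object Session, ProviderName, ProviderGuid
        }
    }
}

Get-DisabledEventLogProvider |
    Sort-Object Session, ProviderName |
    Format-Table -AutoSize
```

Saving the output after each deliberate change gives a baseline, so that an entry nobody recorded, particularly under `EventLog-Security`, stands out on the next run.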
2

Use Server Manager, or Performance MSC.

Under (Performance)->Data Collector Sets->Event Trace Sessions, select EventLog-Application and press [ENTER].

Under Trace Providers tab (default), look at the Properties list. Here you will find a Level property, which enables you to define (filter) the level of logging as you would expect.

Ate Somebits
  • But does that physically prevent the logs from being recorded and stored in the file, taking up the space? – Qwerty Apr 11 '22 at 22:47