I need an XPath query to view all events in the Windows event log (custom view)

Question

In Windows powershell you can type get-winevents without any parameters and it will dump all events. I would like access to all events in the event viewer using a custom view. I can of course just check off everything but this results in an xml query that is too big, so I'm trying to do wildcards for path rather than specify each path. I tried this:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="*">*[System[TimeCreated[timediff(@SystemTime) &lt;= 43200000]]]</Select>
  </Query>
</QueryList>

But it errors on Path="*".

How can I make a custom view that shows all events? I found an MSDN article on consuming events that says you can use the wildcard but I guess I'm using it wrong. Thanks

score 2 · Accepted Answer · edited May 23 '17 at 12:41

2

You cannot "wildcard" the path - this one is required and must contain a certain event log. You only can use wildcards in the XPath expression for a given event log. In Addition, I remember there's a limit for the number of nodes you can have, but I don't recall what exactly it was...

There's a related post here: https://stackoverflow.com/questions/8671194/using-xpath-starts-with-or-contains-functions-to-search-windows-event-logs

edited May 23 '17 at 12:41

Community

1

answered Aug 27 '13 at 11:29

Martin Binder

231
1
2

Sadly it looks like this is the correct answer. How about everything in a root folder? The Microsoft folder holds most of the entries. Is there any way to specify the microsoft folder rather than Microsoft-something1, Microsoft-something2, etc. – test Aug 28 '13 at 00:51

I need an XPath query to view all events in the Windows event log (custom view)

1 Answers1