How to Filter Windows Events using the Log Analyzer Agent

When Log Analyzer 2.0 was released it introduced the ability to use the Orion agent to stream Windows Events to the LA platform.  By default only certain events are sent into the system, as described in this knowledge base article.  This substantially reduces the volume of messages coming into the system, because the filtering happens at the agent level.  But what if I want more?  Perhaps there are additional Event IDs I want sent into the system.  How do I accomplish that?

If you would like to vote on a feature request to simplify this process please click here

Changing What is Collected For All Agents

There is a hidden section within the Orion platform that contains numerous global and server-specific settings.  Within this page you can configure the Windows Event filters for LA.

Please use extreme caution when editing settings on this page.  These are global settings that can impact the entire platform.

http://(your host name)/Orion/Admin/AdvancedConfiguration/Global.aspx

We are looking specifically for the section labeled LogManagement.WindowsEvents.Settings.  Within that section, the setting that contains the filter is the Query field.


If you click on the pencil icon next to the Query field you will get the full query in a simple text editor.


Now, yes, I know this looks a bit scary, so let me make it a little simpler for you.  The first thing I'm going to do is copy/paste the text from this editor into an XML editor, which helps to keep the formatting clean.


The section I've highlighted in red contains the individual queries that are used in our filters.  I also want to call out the first line in the editor: <!--Warning: Content length of the Select element is limited to approximately 450 characters. Longer content might not be accepted as valid query. Always check first with Windows Event Viewer Custom view to validate it is ok.-->.  What this really tells me is that I can use the built-in Windows Event Viewer Custom View to create and validate additional filters.  On a Windows machine, open up the Event Viewer.

From Event Viewer, click on Action and then select Create Custom View.


In my example I want to create a filter for Critical events from the Application log that match Event IDs 1234 and 5678.


After I have set up my conditions, I click on the XML tab and I can see the resulting query.


I can hit OK and confirm my filter works by seeing the filtered events in the view.

Now I have the query string I need and I can copy it into my XML editor.  All I need is the Select Path element highlighted above.  I'm going to add it after the last existing Select Path statement.


I can now copy this entire query back into the Query field of the LogManagement.WindowsEvents.Settings section of the advanced configuration page where we pulled it from earlier.


Be sure to hit the Save button at the bottom of the screen.  This change will then be pushed out to all of the agents.
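Before pasting a new Select element into the global query, it is worth checking it against the two things the editor warning calls out: the roughly 450-character ceiling on Select content, and whether the Event Log service actually accepts the XPath.  The PowerShell below is an added example, not code from the original article or from SolarWinds; the query it contains is a constructed sample built for the Critical / Application / Event ID 1234 or 5678 scenario above, and the 450-character limit is taken from the warning comment quoted earlier.

```powershell
# Added example (not from the original article): validate a candidate Windows
# Event filter before pasting it into LogManagement.WindowsEvents.Settings.
# The query below is a constructed sample matching the article's scenario
# (Critical events from the Application log, Event ID 1234 or 5678). Level=1
# is Windows' numeric code for "Critical".
$MaxSelectLength = 450   # ceiling stated in the editor's warning comment

[xml]$query = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1) and (EventID=1234 or EventID=5678)]]</Select>
  </Query>
</QueryList>
"@

# 1. Length check: every Select element's text must stay within the limit.
foreach ($select in $query.QueryList.Query.Select) {
    $text = $select.'#text'
    if ($text.Length -gt $MaxSelectLength) {
        throw "Select for path '$($select.Path)' is $($text.Length) characters; limit is $MaxSelectLength."
    }
    Write-Host ("Select for path '{0}': {1} characters (ok)" -f $select.Path, $text.Length)
}

# 2. Syntax check: ask the local Event Log service to evaluate the query.
#    A malformed XPath raises an exception. "No events were found" is not an
#    error here: it means the filter is valid but nothing currently matches.
try {
    $events = Get-WinEvent -FilterXml $query -MaxEvents 5 -ErrorAction Stop
    Write-Host "Query accepted; sample matches returned: $(@($events).Count)"
} catch {
    if ($_.Exception.Message -match 'No events were found') {
        Write-Host "Query accepted; no matching events in the local log right now."
    } else {
        throw "Event Log rejected the query: $($_.Exception.Message)"
    }
}
```

Run it on the same machine you used for the Custom View test.  If you already have several Select elements in the global query, paste them all into the QueryList so each one is length-checked individually; the limit applies per Select element, not to the whole query.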

Changing What is Collected For Specific Agent

If you want to change the query for a specific agent only, the process is slightly different.

  1. Log into the agent server.
  2. Create or copy a file containing the desired query, as defined in the Changing What is Collected For All Agents section above, and save it to a known location, e.g. C:\Program Files (x86)\SolarWinds\Agent\Plugins\LogManager\query.xml.
  3. Edit C:\Program Files (x86)\SolarWinds\Agent\Plugins\LogManager\SolarWinds.Orion.LogMgmt.Agent.Plugin.exe.config and, under the appSettings section, add a new item with the key CustomQueryFilePath and set its value to the path of the file created in Step 2.

SolarWinds.Orion.LogMgmt.Agent.Plugin.exe.config appSettings:

     <add key="RecipientId" value="LogManagerModule"/>
     <add key="ClientSettingsProvider.ServiceUri" value=""/>
     <add key="CustomQueryFilePath" value="C:\Program Files (x86)\SolarWinds\Agent\Plugins\LogManager\query.xml" />

  4. Save the file and restart the SolarWinds Agent service.
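The four steps above can be done by hand, but editing a .NET .exe.config as XML rather than with a text editor avoids leaving the file malformed, which would stop the plugin from loading.  The PowerShell below is an added example, not code from the original article or from SolarWinds.  The plugin directory, config file name, query file name and the CustomQueryFilePath key are taken from the article; it assumes the config's root element is the standard .NET <configuration> element and that the agent service's display name begins with "SolarWinds Agent", both of which you should confirm on your own server.

```powershell
# Added example (not the article's or SolarWinds' own code): register a
# per-agent custom query file by editing the plugin's .exe.config safely.
# Paths and the CustomQueryFilePath key come from the article. Assumptions:
# the config root is <configuration> (standard .NET layout) and the agent
# service's display name starts with "SolarWinds Agent". Run as Administrator.
$pluginDir  = 'C:\Program Files (x86)\SolarWinds\Agent\Plugins\LogManager'
$configPath = Join-Path $pluginDir 'SolarWinds.Orion.LogMgmt.Agent.Plugin.exe.config'
$queryPath  = Join-Path $pluginDir 'query.xml'

# The query file from Step 2 must already exist, otherwise the plugin has
# nothing to load after the restart.
if (-not (Test-Path $queryPath))  { throw "Query file not found: $queryPath" }
if (-not (Test-Path $configPath)) { throw "Config file not found: $configPath" }

# Keep a timestamped backup so the change can be reverted.
Copy-Item $configPath "$configPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

[xml]$config = Get-Content -Raw $configPath
$appSettings = $config.configuration.appSettings   # assumed <configuration> root
if ($null -eq $appSettings) { throw "No <appSettings> section found in $configPath" }

# Reuse the key if it is already present; otherwise append a new <add> element,
# exactly like the third entry in the article's appSettings listing.
$existing = @($appSettings.add) | Where-Object { $_.key -eq 'CustomQueryFilePath' }
if ($existing) {
    $existing.value = $queryPath
} else {
    $node = $config.CreateElement('add')
    $node.SetAttribute('key',   'CustomQueryFilePath')
    $node.SetAttribute('value', $queryPath)
    [void]$appSettings.AppendChild($node)
}
$config.Save($configPath)

# Step 4: restart the agent so the plugin re-reads its configuration.
Get-Service -DisplayName 'SolarWinds Agent*' | Restart-Service
```

After the restart, confirm the agent is forwarding only the events your query.xml selects; if nothing arrives, the usual cause is a query that exceeds the Select length limit or XPath that Event Viewer never validated.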