Working with Filtering and Custom Views in the Vista Event Viewer

The Event Viewer is an application that enables you to browse and manage event logs. Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. In Windows Vista and Windows Server 2008, Event Viewer has been totally redesigned and now offers much wider administrative capabilities. Read more about the new Vista Event Viewer in my “Working with Vista’s new Event Viewer” and “Assigning Custom Tasks to Events in Vista” articles.

One of the features of the new Event Viewer is the ability to create custom filters and to save them into custom views for later viewing. When viewing an event log, you can filter the events being displayed. As in previous Windows versions, event filtering is temporary by design: you filter for something, and when you close Event Viewer, the filter is no longer applied. You can also remove an applied filter. However, unlike in previous operating systems, if you create a useful filter that you want to reuse, you can save it as a custom view.

Filter displayed events

To filter displayed events:

  1. Open Computer Management by right-clicking the Computer icon on the Start menu (or on the Desktop if you have it enabled) and selecting Manage. Navigate to the Event Viewer. Note: If you did not disable UAC (read my “Disable User Account Control in Windows Vista” article), you will be prompted to consent to the action you’re about to perform. Click Continue. Note: You can also open the Event Viewer by typing Event Viewer in the Search box and pressing Enter, or by typing eventvwr.msc in the Run command.
  2. In the console tree, select the event log you want to filter.
  3. On the Action menu, click Filter Current Log, or right-click the log and select Filter Current Log.
  4. To filter events based on the date when they occurred, select the time period from the Logged drop-down list. Note: You can also choose Custom range and specify the earliest date and time from which you want events and the latest date and time from which you want events. Click OK.
  5. Select the check boxes next to the event levels that you want the filter to display.
  6. Select the check boxes next to the event sources that you want your filter to display in the Event source drop-down list.
  7. In Event IDs, type the event IDs that you want your filter to display, for example, type 6005. Note: If you want to filter on several separate event IDs, enter them separated by commas. If you want to include a range of IDs, for example 10000 through 10010, you can type 10000-10010. If you want the filter to display events with all IDs except certain ones, type the IDs of those exceptions, each preceded by a minus sign. For instance, to include all Event IDs between 4624 and 4634 except for 4630, type 4624-4634,-4630.
  8. In Task Category, select the check boxes next to the task categories in the drop-down list that you want your filter to display.
  9. In the Keywords drop-down list, select the check boxes next to the keywords that you want your filter to display.
  10. In User, enter the names of the user accounts you want your filter to display. To enter multiple user accounts, separate them with a comma (,).
  11. In Computer(s), enter the names of the computers that you want the filter to display. This field refers to the source computer of the event. Enter multiple computers by separating them with a comma (,).
  12. Click OK to apply the filter.
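
The Event IDs syntax from step 7 (single IDs, ranges, and exclusions with a minus sign) can be checked before you rely on a filter for monitoring. The following is an added example, not part of the original article: it parses that syntax, tests constructed event IDs against it, and builds an equivalent XPath expression. The function names are hypothetical, and the XPath is this example's own equivalent form, not necessarily the query Event Viewer itself builds.

```python
import re

# One token of the Event IDs field: "-4630" (exclusion), "6005" or "10000-10010".
_TOKEN = re.compile(r"^(?:-(\d+)|(\d+)(?:-(\d+))?)$")

def parse_event_id_spec(spec):
    """Return (includes, excludes): a list of (low, high) ranges and a list of IDs."""
    includes, excludes = [], []
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"unrecognised event ID token: {token!r}")
        if m.group(1):                      # leading minus sign: exclusion
            excludes.append(int(m.group(1)))
            continue
        low = int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if low > high:
            raise ValueError(f"range is reversed: {token!r}")
        includes.append((low, high))
    return includes, excludes

def matches(spec, event_id):
    """True if an event with this ID would pass the filter described by spec."""
    includes, excludes = parse_event_id_spec(spec)
    if event_id in excludes:
        return False
    # With no include terms, every ID that is not excluded passes.
    return not includes or any(lo <= event_id <= hi for lo, hi in includes)

def to_xpath(spec):
    """Build an equivalent event-log XPath query (assumed form, see lead-in)."""
    includes, excludes = parse_event_id_spec(spec)
    parts = []
    if includes:
        terms = [f"EventID = {lo}" if lo == hi
                 else f"(EventID >= {lo} and EventID <= {hi})"
                 for lo, hi in includes]
        parts.append("(" + " or ".join(terms) + ")")
    parts.extend(f"EventID != {x}" for x in excludes)
    return "*[System[" + " and ".join(parts) + "]]" if parts else "*"

if __name__ == "__main__":
    spec = "4624-4634,-4630"                # the example from step 7
    print(to_xpath(spec))
    for eid in (4624, 4630, 4634, 4635):    # constructed sample IDs
        print(eid, matches(spec, eid))
```

The XPath string can be passed to `wevtutil qe <log> /q:"..."` or to `Get-WinEvent -FilterXPath` to run the same selection from the command line.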

Save filter as a custom view

After working hard to set your filter right, in Vista you can now save it as a Custom View so that you can use it again without having to recreate it.

To save a filter to reuse later:

  1. Start Event Viewer.
  2. Follow the steps in Filter Displayed Events.
  3. On the Action menu, click Save Filter As Custom View.
  4. In the Name box, type the name that you want to use to access the custom view in the future. You can also type a description of the custom view in Description. In the console tree, select the location where you want the saved filter to be stored. To allow all users of the computer to access the view, ensure that the All Users check box is selected. To only allow the currently logged on user to access the view, ensure that the All Users check box is not selected. Click OK.
  5. Next, look at the Custom Views list and note that your saved filter is located in that list.

Summary

Vista’s new Event Viewer comes as a big improvement over previous versions. One of the main advantages of the new Event Viewer is the ability to create custom filters and to save them for later use, which makes using Event Viewer much easier for busy administrators.
