How do I create a custom ppc protocol

Create custom filters in Event Viewer

Log files are an important source of information for troubleshooting and monitoring the system status. However, the standard views of the Windows Event Viewer are hardly suitable for systematically evaluating events. Custom views can help with log analysis.

The Event Viewer can only filter and display the wealth of data that the logs store about the activity of processes, users and applications; it does not correlate or aggregate across logs or hosts. This is why a whole market of advanced log-analysis and SIEM (Security Information and Event Management) tools has developed. With correlation rules and analytics, such tools surface findings from this information that are not obvious from the raw entries.

Selection of criteria via filter mask

If you stick to the standard Windows tools, you configure the Event Viewer so that specific events, whether security-relevant incidents or error messages from an application, are easy to reach. Custom views are the main feature for this purpose.

To simplify the creation of such filters, the Event Viewer offers a dialog in which all important properties and criteria can be selected. It is opened through the menu Actions => Create Custom View.

Limitation of the period and the log files

Choosing a time period is the first way to narrow down the events. The default is Any time; alternatively you can specify an interval. If you have not changed a log's default configuration, you should not have great expectations of the period that can be analyzed: once the default maximum size of 20 MB is reached, Windows overwrites the oldest entries (retention policy "Overwrite events as needed"). Both settings are changed in the Properties dialog of the log, and on a busy server the Security log needs considerably more than the default if a custom view is to cover more than a few days.
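Before building a view it is worth checking how far back the logs actually reach. The following PowerShell snippet is an added example (not from the article): it lists size, fill level and retention mode of the three classic logs, shows the oldest surviving Security event, and raises the Security log's maximum size. The 1 GB value is an assumption; pick what your disk and retention needs allow. It assumes an elevated session on the local machine.

```powershell
# Added example: check log retention before relying on a custom view.
# Run in an elevated PowerShell session.

# Maximum size, current file size, retention mode and record count per log.
Get-WinEvent -ListLog Application, System, Security -ErrorAction SilentlyContinue |
    Select-Object LogName,
                  @{ n = 'MaxMB';  e = { [math]::Round($_.MaximumSizeInBytes / 1MB) } },
                  @{ n = 'UsedMB'; e = { [math]::Round($_.FileSize / 1MB) } },
                  LogMode, RecordCount, OldestRecordNumber |
    Format-Table -AutoSize

# The oldest event still present is the real start of the period a view can cover.
Get-WinEvent -LogName Security -Oldest -MaxEvents 1 |
    Select-Object TimeCreated, Id, ProviderName

# Raise the Security log to 1 GB (assumed value). wevtutil expects bytes.
wevtutil set-log Security /maxsize:1073741824

# Confirm the new limit took effect.
(Get-WinEvent -ListLog Security).MaximumSizeInBytes / 1MB
```

LogMode Circular corresponds to "Overwrite events as needed"; AutoBackup to "Archive the log when full". If the oldest Security event is only hours old, no custom view will find last week's incident and the size must be raised (or the events forwarded elsewhere) before it happens again.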

After selecting the event levels (Critical, Error, Warning, etc.), you choose the data sources from which the entries are to be read. Usually the By log list is used to examine one or more logs. If instead you know the names of certain providers and want to watch them specifically, select them in the By source list.

No full text search in the messages

The actual filtering then takes place by event ID, entered individually or separated by commas; ranges such as 4624-4634 are accepted, and a leading minus sign excludes an ID. One of the great weaknesses of the Event Viewer is that it does not allow a search for terms in the message text. You therefore first have to work through the logs and determine which event IDs are relevant to a particular question. The XML tab of the same dialog lets you edit the generated XPath query by hand, which at least allows matching a named EventData field (for example the target account of a logon event), but still not a substring of the rendered message.

The Keywords list offers only a few predefined values such as Response Time or Audit Success. Task category is only available if the provider in question defines one in its events; in most cases this option remains greyed out.

Restriction to users and computers

Finally, you can narrow down the result by the users or computers that triggered the events. As with the IDs, several names can be entered here, separated by commas.

If computers are recorded in the log by their FQDN, the FQDN must be entered in the corresponding field of the dialog; the host name alone produces no hits. The User field matches the account the event was logged under, not an account merely named in the message text, so it will not find, for example, the target of a failed logon.
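The same criteria can be applied from PowerShell, which also gives you the message text search the dialog lacks. The block below is an added example, not code from the article: it goes through the dialog's fields (period, level, log, event ID, computer, user-related event data) with Get-WinEvent, then filters on the rendered message. Event IDs 4624/4625 are the standard Windows logon success/failure audits; the host name srv01.corp.example and the account svc-backup are placeholders.

```powershell
# Added example: the custom-view criteria as Get-WinEvent filters,
# plus the text search the Event Viewer dialog cannot do.

$since = (Get-Date).AddDays(-7)

# 1. Period, log, event IDs: -FilterHashtable covers the form fields directly.
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625          # failed logon
    StartTime = $since
} -ErrorAction SilentlyContinue   # "No events were found" is an error otherwise

# 2. Level: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
#    (Security audit events report Level 0, so filter those by ID, not level.)
$appErrors = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Level     = 1, 2
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Computer: matches System/Computer exactly as the logging host wrote it,
#    i.e. usually the FQDN on domain members. timediff() is the form the
#    dialog itself generates for "last 7 days" (milliseconds).
$xpathHost = "*[System[(EventID=4625) and Computer='srv01.corp.example' " +
             "and TimeCreated[timediff(@SystemTime) <= 604800000]]]"
$fromHost = Get-WinEvent -LogName Security -FilterXPath $xpathHost -ErrorAction SilentlyContinue

# 4. A named EventData field, reachable only through the dialog's XML tab:
#    for 4625 the attempted account is TargetUserName.
$xpathAcct = "*[System[(EventID=4625)] and EventData[Data[@Name='TargetUserName']='svc-backup']]"
$forAccount = Get-WinEvent -LogName Security -FilterXPath $xpathAcct -ErrorAction SilentlyContinue

# 5. Text search in the rendered message. Narrow by ID first; rendering
#    Message for every event in a large log is slow.
$networkFailures = $failed | Where-Object { $_.Message -match 'Logon Type:\s+3' }

# 6. Top failing accounts and source addresses, read from the typed event
#    data rather than parsed out of the message text.
$failed |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
        }
    } |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Step 4 is the one to remember: the dialog's User field will not find svc-backup in these events, because the field matches the account the event was logged under, while the attempted account sits in EventData. Anything you write as XPath here can be pasted into the XML tab of Create Custom View to make it a permanent view.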

Export and import of views

Finally, you specify where the new view is stored within the tree in the left pane. By default, the tool suggests a location below Custom Views.

If you want to use the views you have created on more than one computer, you can export them with Export Custom View (from the context menu or the Actions menu) to an XML file. That file can be read in on another PC with the complementary Import Custom View command.
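An exported view is just XML wrapped around the same QueryList that the dialog's XML tab shows, so it can also be replayed from PowerShell on any number of hosts without importing it anywhere. The following is an added example, not the article's or Microsoft's code: the file content is a constructed sample in the layout Event Viewer writes on export (if a file exported from your own system differs in the wrapper, only the QueryList element matters), and the host names are placeholders. Querying remote hosts requires the Remote Event Log Management firewall rule and read rights on the Security log there.

```powershell
# Added example: replay an exported custom view with Get-WinEvent,
# locally and against other computers.

# Constructed sample of an exported view: failed logons of the last 7 days.
# Note "&lt;=" in the XPath, since the query is embedded in XML.
$viewXml = @'
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <UserQuery />
    </QueryParams>
    <QueryNode>
      <Name>Failed logons (7 days)</Name>
      <Description>Security event 4625 from the last week</Description>
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
'@

# Write it out as Export Custom View would, then read it back like an import.
$path = Join-Path $env:TEMP 'FailedLogons.xml'
Set-Content -Path $path -Value $viewXml -Encoding UTF8
[xml]$view = Get-Content -Path $path -Raw

# Get-WinEvent -FilterXml wants only the QueryList, as an XmlDocument.
[xml]$filter = $view.ViewerConfig.QueryConfig.QueryNode.QueryList.OuterXml

# Run the view locally.
$local = Get-WinEvent -FilterXml $filter -ErrorAction SilentlyContinue
"{0} matching events on {1}" -f @($local).Count, $env:COMPUTERNAME

# Run the same view on other hosts (placeholder names) and keep the origin.
$hosts = 'srv01.corp.example', 'srv02.corp.example'
$remote = foreach ($pc in $hosts) {
    Get-WinEvent -ComputerName $pc -FilterXml $filter -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Computer'; e = { $_.MachineName } }, TimeCreated, Id
}
$remote | Group-Object Computer | Select-Object Name, Count
```

Keeping views as XML files under version control has a further benefit: a change to a detection query is reviewed like code, and the same file drives both the analyst's Event Viewer and the scheduled PowerShell sweep.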

If you only want to filter a specific log for one-time use, you don't have to create a view and save it permanently. It is sufficient to run Filter Current Log from the context menu of the log, which opens the same dialog as creating a custom view.