Event-controlled program start / XML

MCK 21 Reputation points
2020-11-24T13:44:01.493+00:00

Hello,

I'm still very new to the subject. Also, unfortunately I don't know anything about XML ...
I am trying to start a program (batch) automatically on an event. The event under consideration is the following:

---------------------------------------------------------------------------------------------------

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="nsService" />
<EventID Qualifiers="0">4002</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-11-20T13:55:45.7458224Z" />
<EventRecordID>6437</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>XXX</Computer>
<Security />
</System>
<EventData>
<Data>Test2 [Completed successfully.], Friday, November 20, 2020
Selected files : 8
Selected bytes : 5 KB
Completed files : 8
Bytes completed.: 5 KB
Start time : 20.11.2020, 14:54:45
End time : 20.11.2020, 14:55:45
Elapsed time : 00:01:00
1 information message(s), 0 warning(s), 0 error(s)
Log file: C:\ProgramData\NovaStor\NovaStor NovaBACKUP\Logs\5fb7caa5.summary.xml

</Data>
</EventData>
</Event>

---------------------------------------------------------------------------------------------------

In particular, it is an event that is created by Novabackup (a backup program) after a backup.

Now, in addition to the event ID, I would also like to check the name of the backup, which is only at the beginning of EventData/Data (in this case Test2). Is it even possible to check for it?

This is my previous XML:

<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[Provider[@Name='nsService'] and (Computer='XXX') and (Level=2 or Level=4 or Level=0) and (band(Keywords,36028797018963968)) and (EventID=4002 or EventID=4003)]]</Select>
</Query>
</QueryList>

Does anyone have any idea how to extend this to query the name of the backup?

Thank you for the answers


Accepted answer
    Rita Han - MSFT 2,161 Reputation points
    2020-11-25T02:13:28.393+00:00

    Hello @MCK ,

    You can add *[EventData[Data and (Data="Test2")]]. The following is an example:

    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">
        *[System[(EventID=4002)]]
        and
        *[EventData[Data and (Data="Test2")]]
        </Select>
      </Query>
    </QueryList>


    Update:

    The above filter applies to <Data>Test2</Data> since it uses the equal sign (=).

    In your case, a wildcard is required because there are many other sub-strings contained in addition to "Test2", and it has some variable parts like the time etc. Since the XPath supported in the Windows Event Log is limited, wildcards are not supported in data values. So maybe you can use a PowerShell command like this:

    Get-EventLog -LogName "Application" -Source "nsService" | ?{$_.Message -like "*Test2*"} | Out-GridView


    Thank you!


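The accepted answer stops at listing matching events in a grid. The question actually wants a batch file started only when the backup named in the message finished, so the following added example (not code from the original thread, from Microsoft or from NovaStor) shows the two-stage approach that the XPath limitation forces: the structural XPath from the question goes into the scheduled task's custom event filter, and this script, run as the task's action, re-reads the newest matching nsService event and applies the name check that Event Log XPath cannot express. The job name "Test2" and the batch path `C:\Scripts\after-backup.cmd` are placeholders assumed for the example; the sample message is constructed from the event in the question.

```powershell
# Added example, not code from the original thread or from NovaStor.
# Intended as the action of an event-triggered scheduled task whose
# filter is the QueryList from the question. The filter can only test
# structural fields, so the backup name is checked here instead.
param(
    [string]$BackupName = 'Test2',                      # assumed job name
    [string]$BatchPath  = 'C:\Scripts\after-backup.cmd' # assumed batch path
)

# Same structural filter the question builds, minus the name test.
# band() on Keywords and EventID lists are supported. A Computer='...'
# clause can be added as in the question, but it must equal the event's
# Computer field exactly, which is often the FQDN rather than the host name.
$xpath = "*[System[Provider[@Name='nsService'] " +
         "and band(Keywords,36028797018963968) " +
         "and (EventID=4002 or EventID=4003)]]"

# Anchor the job name at the very start of the message and require the
# bracketed status right after it, so 'Test2' does not also match 'Test22'
# or a job that merely mentions Test2 further down (e.g. in the log path).
function Test-BackupEvent {
    param([string]$Message, [string]$Name)
    $pattern = '^' + [regex]::Escape($Name) + '\s*\['
    return [bool]($Message -match $pattern)
}

# Extract the status text from the leading "[...]" so the caller can decide
# to run the batch only on a successful backup.
function Get-BackupStatus {
    param([string]$Message)
    if ($Message -match '^[^\[]*\[([^\]]+)\]') { return $Matches[1] }
    return $null
}

# Constructed sample mirroring the event in the question; used only when no
# matching event exists, so the script can be dry-run on another machine.
$sample = "Test2 [Completed successfully.], Friday, November 20, 2020`r`n" +
          "Selected files : 8`r`n" +
          "Log file: C:\ProgramData\NovaStor\NovaStor NovaBACKUP\Logs\5fb7caa5.summary.xml"

$evt = Get-WinEvent -LogName Application -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) {
    # .Message needs the provider's message resources to render; fall back
    # to the raw first EventData/Data field, which is what the XML shows.
    $message = if ($evt.Message) { $evt.Message } else { [string]$evt.Properties[0].Value }
} else {
    $message = $sample
}

if (-not (Test-BackupEvent -Message $message -Name $BackupName)) {
    Write-Host "Event is not for backup '$BackupName'; nothing started."
    return
}

$status = Get-BackupStatus -Message $message
Write-Host "Backup '$BackupName' reported: $status"

if (-not (Test-Path -LiteralPath $BatchPath)) {
    Write-Warning "Batch file not found: $BatchPath"
    return
}

# Run the batch by its fixed path only. Never splice event text into the
# command line: the message is data written by another process, and feeding
# it to cmd.exe would turn the log entry into a command-injection channel.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$BatchPath`"" -Wait -NoNewWindow
```

In Task Scheduler the QueryList from the question is pasted into the trigger's custom event filter (Edit Trigger, Custom, New Event Filter, XML tab), and this script is the task's action. Any 4002/4003 event from nsService will fire the task; the script is the second gate that decides whether the batch runs. `Get-WinEvent` is used instead of the answer's `Get-EventLog` because the latter exists only in Windows PowerShell, not in PowerShell 7, and because `-FilterXPath` accepts the same XPath subset the task filter does.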
