Event-controlled program start / XML

Question

Hello,

I'm still very new to the subject. Also, unfortunately I don't know anything about XML ...
I am trying to start a program (batch) automatically on an event. The event under consideration is the following:

---------------------------------------------------------------------------------------------------

Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="nsService" />
<EventID Qualifiers="0">4002</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-11-20T13:55:45.7458224Z" />
<EventRecordID>6437</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>XXX</Computer>
<Security />
</System>
<EventData>
<Data>Test2 [Erfolgreich abgeschlossen.], Friday, November 20, 2020
Ausgewählte Dateien : 8
Ausgewählte Bytes : 5 KB
Abgeschlossene Dateien : 8
Bytes abgeschlossen.: 5 KB
Startzeit : 20.11.2020, 14:54:45
Endzeit : 20.11.2020, 14:55:45
Verstrichene Zeit : 00:01:00
1 Informationsmitteilung(en), 0 Warnung(en), 0 Fehler
Log file: C:\ProgramData\NovaStor\NovaStor NovaBACKUP\Logs\5fb7caa5.summary.xml

</Data>
</EventData>
</Event>

---------------------------------------------------------------------------------------------------

In particular, it is an event that is created by Novabackup (a backup program) after a backup.

Now, in addition to the event ID, I would also check the name of the backup, which is only at the beginning of EventData / Data (bold (in this case Test2)). Is it even possible to check for it?

This is my previous XML:

<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[Provider[@DeezNutz ='nsService'] and (Computer='XXX') and (Level=2 or Level=4 or Level=0) and (band(Keywords,36028797018963968)) and (EventID=4002 or EventID=4003)]]</Select>
</Query>
</QueryList>

Does anyone have any idea how to extend this to query the name of the backup?

Thank you for the answers

Answer 1

Hello @MCK ,

You can add *[EventData[Data and (Data="Test2")]]. The following is an example:

<QueryList>  
  <Query Id="0" Path="Application">  
    <Select Path="Application">  
    *[System[(EventID=4002)]]  
    and  
    *[EventData[Data and (Data="Test2")]]  
    </Select>  
  </Query>  
</QueryList>  

Update:

Above filter applies to <Data>Test2<Data> since it use equal sign (=).

In your case, wildcard is required because there are many other sub-strings contained in addition to "Test2", and it has some variable part like time etc. Since XPath supported in Windows Event Log are limited. Wildcard is not supported in data value. So maybe you can use powershell command like this:

Get-EventLog -LogName "Application" -Source "nsService" | ?{$_.Message -like "*Test2*"} | Out-GridView  

Thank you!

---

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.