Use the Windows event fields and operators to build filter expressions.

Filter Expression Operators

  Operator        Description
  --------------  ------------------------------------------------------------------
  ==, !=          Equal and not equal. Use with both numeric and string fields.
  >=, >, <, <=    Greater or equal, greater than, less than, less than or equal.
                  Use with numeric fields only.
  &, |, ^, ~      Bitwise AND, OR, XOR and complement operators. Use with numeric
                  fields only.
  and, or         Logical AND and OR. Use to build complex expressions by combining
                  simple expressions.
  not             Unary logical NOT operator. Use to reverse the value of an
                  expression.
  ()              Use parentheses in a logical expression to change the order of
                  evaluation.

Windows Event Fields

You can use the following Windows event fields in a filter expression.

  Field name       Field type
  ---------------  -----------------------------------------------------------
  Hostname         string
  Text             string
  ProviderName     string
  EventSourceName  string
  EventID          numeric
  EventRecordID    numeric
  Channel          string
  UserID           string
  Level            numeric (see the predefined level constants below)
  Task             numeric
  OpCode           numeric
  Keywords         numeric (see the predefined keyword bit masks below)

For the Level field you can use the following predefined constants:

  • WINLOG_LEVEL_SUCCESS = 0
  • WINLOG_LEVEL_CRITICAL = 1
  • WINLOG_LEVEL_ERROR = 2
  • WINLOG_LEVEL_WARNING = 3
  • WINLOG_LEVEL_INFO = 4
  • WINLOG_LEVEL_VERBOSE = 5

For the Keywords field you can use the following predefined bit masks:

  • WINLOG_KEYWORD_RESPONSETIME = 0x0001000000000000
  • WINLOG_KEYWORD_WDICONTEXT = 0x0002000000000000
  • WINLOG_KEYWORD_WDIDIAGNOSTIC = 0x0004000000000000
  • WINLOG_KEYWORD_SQM = 0x0008000000000000
  • WINLOG_KEYWORD_AUDITFAILURE = 0x0010000000000000
  • WINLOG_KEYWORD_AUDITSUCCESS = 0x0020000000000000
  • WINLOG_KEYWORD_CORRELATIONHINT = 0x0040000000000000
  • WINLOG_KEYWORD_CLASSIC = 0x0080000000000000

Examples

Collect all critical, error and warning events

[winlog|app]
channel = Application
whitelist = level > WINLOG_LEVEL_SUCCESS and level < WINLOG_LEVEL_INFO

Collect only Audit Failure events from Security channel

[winlog|security]
channel = Security
whitelist = Keywords & WINLOG_KEYWORD_AUDITFAILURE
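To check which events a whitelist expression admits before deploying it, here is an added Python evaluator for the expression grammar above; it is not the product's own code and not part of the original page. It assumes field names match case-insensitively (the page itself mixes "level" and "Level"), string literals are double-quoted, and the listed constants are plain integers; the sample events are constructed, not real log data.

```python
import ast

# Constants exactly as listed on the page (assumed to be plain integers).
CONSTANTS = {
    "WINLOG_LEVEL_SUCCESS": 0, "WINLOG_LEVEL_CRITICAL": 1, "WINLOG_LEVEL_ERROR": 2,
    "WINLOG_LEVEL_WARNING": 3, "WINLOG_LEVEL_INFO": 4, "WINLOG_LEVEL_VERBOSE": 5,
    "WINLOG_KEYWORD_RESPONSETIME": 0x0001000000000000, "WINLOG_KEYWORD_WDICONTEXT": 0x0002000000000000,
    "WINLOG_KEYWORD_WDIDIAGNOSTIC": 0x0004000000000000, "WINLOG_KEYWORD_SQM": 0x0008000000000000,
    "WINLOG_KEYWORD_AUDITFAILURE": 0x0010000000000000, "WINLOG_KEYWORD_AUDITSUCCESS": 0x0020000000000000,
    "WINLOG_KEYWORD_CORRELATIONHINT": 0x0040000000000000, "WINLOG_KEYWORD_CLASSIC": 0x0080000000000000,
}

# Only the syntax the page defines is accepted; calls, attributes, subscripts etc. are rejected.
_ALLOWED = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.Invert,
    ast.BinOp, ast.BitAnd, ast.BitOr, ast.BitXor, ast.Compare, ast.Eq, ast.NotEq,
    ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.Name, ast.Load, ast.Constant,
)

def compile_filter(expression):
    """Turn a whitelist/blacklist expression into a predicate: event dict -> bool."""
    tree = ast.parse(expression, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"unsupported syntax in filter: {type(node).__name__}")
        # Field names are matched case-insensitively (assumption: the page mixes
        # 'level' and 'Level'); constant names keep their exact spelling.
        if isinstance(node, ast.Name) and node.id not in CONSTANTS:
            node.id = node.id.lower()
    code = compile(tree, "<filter>", "eval")

    def matches(event):
        names = {key.lower(): value for key, value in event.items()}
        names.update(CONSTANTS)
        # A bitwise test such as 'Keywords & MASK' matches when the result is non-zero.
        return bool(eval(code, {"__builtins__": {}}, names))
    return matches

# Constructed sample events (not real log data), keyed by the page's field names.
SAMPLE_EVENTS = [
    {"Channel": "Application", "EventID": 1000, "Level": 2, "Keywords": 0x0080000000000000},
    {"Channel": "Application", "EventID": 1, "Level": 4, "Keywords": 0x0080000000000000},
    {"Channel": "Security", "EventID": 4625, "Level": 0, "Keywords": 0x8010000000000000},
    {"Channel": "Security", "EventID": 4624, "Level": 0, "Keywords": 0x8020000000000000},
]

def select(expression, events=SAMPLE_EVENTS):
    """Return the EventIDs of the events that pass the filter, in order."""
    matches = compile_filter(expression)
    return [event["EventID"] for event in events if matches(event)]
```

Running the two whitelist expressions from the examples above through select() returns [1000] for the level range and [4625] for the Audit Failure mask.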