Use the Windows event fields and operators to build filter expressions.

Filter Expression Operators

  Operator        Description
  ==, !=          Equal and not equal. Use with both numeric and string fields.
  >=, >, <, <=    Greater or equal, greater than, less than, less than or equal. Use with numeric fields only.
  &, |, ^, ~      Bitwise AND, OR, XOR and complement operators. Use with numeric fields only.
  and, or         Logical AND and OR. Use to build complex expressions by combining simple expressions.
  not             Unary logical NOT operator. Use to reverse the value of an expression.
  ()              Use parentheses in a logical expression to change the order of evaluation.

Windows Event Fields

You can use the following Windows event fields in a filter expression.

  Field name        Field type
  Hostname          string
  Text              string
  ProviderName      string
  EventSourceName   string
  EventID           numeric
  EventRecordID     numeric
  Channel           string
  UserID            string
  Level             numeric. You can use the following predefined constants:
                      • WINLOG_LEVEL_SUCCESS = 0
                      • WINLOG_LEVEL_CRITICAL = 1
                      • WINLOG_LEVEL_ERROR = 2
                      • WINLOG_LEVEL_WARNING = 3
                      • WINLOG_LEVEL_INFO = 4
                      • WINLOG_LEVEL_VERBOSE = 5
  Task              numeric
  OpCode            numeric
  Keywords          numeric. You can use the following predefined bit masks:
                      • WINLOG_KEYWORD_RESPONSETIME = 0x0001000000000000
                      • WINLOG_KEYWORD_WDICONTEXT = 0x0002000000000000
                      • WINLOG_KEYWORD_WDIDIAGNOSTIC = 0x0004000000000000
                      • WINLOG_KEYWORD_SQM = 0x0008000000000000
                      • WINLOG_KEYWORD_AUDITFAILURE = 0x0010000000000000
                      • WINLOG_KEYWORD_AUDITSUCCESS = 0x0020000000000000
                      • WINLOG_KEYWORD_CORRELATIONHINT = 0x0040000000000000
                      • WINLOG_KEYWORD_CLASSIC = 0x0080000000000000

Examples

Collect all critical, error and warning events

[winlog|app]
channel = Application
whitelist = level > WINLOG_LEVEL_SUCCESS and level < WINLOG_LEVEL_INFO

Collect only Audit Failure events from Security channel

[winlog|security]
channel = Security
whitelist = Keywords & WINLOG_KEYWORD_AUDITFAILURE
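As an added illustration (not part of this documentation or the product's own code), the following Python evaluator applies whitelist expressions built from the operators and fields above to constructed sample events, so a filter can be checked offline before it is deployed. It assumes field and constant names are matched case-insensitively (the examples use both `level` and `Keywords`) and it enforces the numeric-only rule for the ordering operators.

```python
import ast

# Level constants and keyword bit masks from the page (the subset these examples need).
CONSTANTS = {
    "WINLOG_LEVEL_SUCCESS": 0, "WINLOG_LEVEL_CRITICAL": 1, "WINLOG_LEVEL_ERROR": 2,
    "WINLOG_LEVEL_WARNING": 3, "WINLOG_LEVEL_INFO": 4, "WINLOG_LEVEL_VERBOSE": 5,
    "WINLOG_KEYWORD_AUDITFAILURE": 0x0010000000000000,
    "WINLOG_KEYWORD_AUDITSUCCESS": 0x0020000000000000,
    "WINLOG_KEYWORD_CLASSIC": 0x0080000000000000,
}
STRING_FIELDS = {"hostname", "text", "providername", "eventsourcename", "channel", "userid"}

# The documented operators map one-to-one onto these Python AST nodes; anything else
# (function calls, attribute access, arithmetic) is rejected before evaluation.
ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.Invert,
           ast.Compare, ast.Eq, ast.NotEq, ast.Gt, ast.GtE, ast.Lt, ast.LtE,
           ast.BinOp, ast.BitAnd, ast.BitOr, ast.BitXor, ast.Name, ast.Constant, ast.Load)

def compile_filter(expr):
    """Parse a whitelist expression into a code object; reject anything outside the grammar."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError("not a filter operator: " + type(node).__name__)
        if isinstance(node, ast.Name):
            node.id = node.id.lower()   # assumption: names match case-insensitively
        elif isinstance(node, ast.Compare) and not all(isinstance(o, (ast.Eq, ast.NotEq)) for o in node.ops):
            for operand in [node.left] + node.comparators:   # >, >=, <, <= are numeric-only
                if isinstance(operand, ast.Name) and operand.id.lower() in STRING_FIELDS:
                    raise ValueError("ordering operator on string field: " + operand.id)
    return compile(tree, "<filter>", "eval")

def matches(code, event):
    """Evaluate a compiled filter against one event (dict of field name -> value)."""
    names = {k.lower(): v for k, v in CONSTANTS.items()}
    names.update((k.lower(), v) for k, v in event.items())
    return bool(eval(code, {"__builtins__": {}}, names))

def select(expr, events):
    """Return the EventIDs of the events a whitelist expression lets through."""
    code = compile_filter(expr)
    return [e["EventID"] for e in events if matches(code, e)]

# Constructed sample events (not from a real log): two Security audits, two Application events.
EVENTS = [
    {"EventID": 4625, "Level": 0, "Keywords": 0x0010000000000000, "Channel": "Security"},
    {"EventID": 4624, "Level": 0, "Keywords": 0x0020000000000000, "Channel": "Security"},
    {"EventID": 1000, "Level": 2, "Keywords": 0x0080000000000000, "Channel": "Application"},
    {"EventID": 1001, "Level": 4, "Keywords": 0x0080000000000000, "Channel": "Application"},
]
```

Running the two whitelist expressions from the examples above with `select(expr, EVENTS)` returns `[1000]` and `[4625]` respectively.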