Is it possible to filter out (remove) a single Event ID from the Event Viewer?

Let's say I want to remove a single event from the view so I can view the rest. How do I accomplish this? This is on a Server 2003 R2 box.


Solution 1:

EDIT: To answer your edited question, the easiest way I can think of is to sort your Event Log by Event ID, select everything except the events you want to exclude and then Save Selected Events to file. It will save as a single Event Log file, which you can then open with your Event Viewer, and won't have the events you didn't select.

PowerShell's another option, especially if you want to do that for a large number of Event Logs, but I don't have an "exclude Event ID" PS script handy, so I'm not going to punch it up unless you ask nicely.

And the now not-quite relevant original answer is below.

Yes, it's pretty easy, but a little different depending on what version of Windows you're using.

Images below.

In 2008 or Windows 7:

[screenshot]

In 2003 or XP:

[screenshot]

You can even use PowerShell to parse your EventLogs for you based on any number of factors... but the built-in filters are pretty good.

Solution 2:

By now (checked on Windows Server 2019) this is easily done by prefixing the ID with a minus sign (e.g., to exclude 1000 you would type -1000 in the event ID field).

Solution 3:

I had a very similar situation where I wanted to filter out an entire source instead of a single event ID. As it turns out, it's pretty easy and it works on anything: event level, event sources, task category, keywords, user, and computer.

Click "Filter Current Log", then select the things you want to filter out. If you don't want to see any information-level events, check "Information" next to Event level. If you don't want any events with the "Audit Success" keyword, select "Audit Success" under Keywords. In my case, I wanted to filter out everything from the Security-SPP source, so I selected it under Event sources.

[screenshot: filter dialog example]

Now, open the XML tab and check "Edit query manually". You'll see a <Select> element with a bunch of text in it.

Example:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-Security-SPP']]]</Select>
  </Query>
</QueryList>

Copy the opening <Select> tag and paste it right above the original <Select> element. Then, type an * and write a closing </Select> tag.

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-Security-SPP']]]</Select>
  </Query>
</QueryList>

Finally, change the original <Select> element to a <Suppress> element by changing the opening and closing tags.

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*</Select>
    <Suppress Path="Application">*[System[Provider[@Name='Microsoft-Windows-Security-SPP']]]</Suppress>
  </Query>
</QueryList>

Click "OK" then BAM! All of the events that match that filter will disappear!

[screenshot: before]

[screenshot: after]
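
As an added example (not part of any answer above), the Select-all/Suppress query from Solution 3 can be generated and run from PowerShell, which also covers the "exclude Event ID" script that Solution 1 mentions. `New-SuppressQuery` and `Get-EventsExcluding` are hypothetical helper names, and the `Get-EventLog` branch is an assumed fallback for pre-Vista systems such as Server 2003, where `Get-WinEvent` does not work.

```powershell
# Added example, not from any answer on this page.
# New-SuppressQuery and Get-EventsExcluding are hypothetical helper names.
function New-SuppressQuery {
    param(
        [Parameter(Mandatory = $true)][string]$LogName,
        [int[]]$ExcludeId = @(),
        [string[]]$ExcludeProvider = @()
    )
    # A quote in a provider name would break out of the XPath string literal.
    foreach ($p in $ExcludeProvider) {
        if ($p -match "['""]") { throw "Unsupported character in provider name: $p" }
    }
    $path = [System.Security.SecurityElement]::Escape($LogName)

    # One predicate per excluded item; any match suppresses the event.
    $terms = @($ExcludeId | ForEach-Object { "EventID=$_" }) +
             @($ExcludeProvider | ForEach-Object {
                 "Provider[@Name='" + [System.Security.SecurityElement]::Escape($_) + "']" })

    $lines = @('<QueryList>',
               "  <Query Id=`"0`" Path=`"$path`">",
               "    <Select Path=`"$path`">*</Select>")
    if ($terms.Count -gt 0) {
        $xpath = '*[System[' + ($terms -join ' or ') + ']]'
        $lines += "    <Suppress Path=`"$path`">$xpath</Suppress>"
    }
    $lines += '  </Query>', '</QueryList>'
    return ($lines -join "`r`n")
}

function Get-EventsExcluding {
    param(
        [Parameter(Mandatory = $true)][string]$LogName,
        [int[]]$ExcludeId = @(),
        [string[]]$ExcludeProvider = @()
    )
    if ([Environment]::OSVersion.Version.Major -ge 6) {
        # Vista / Server 2008 and later: the event log service applies the filter.
        $q = New-SuppressQuery -LogName $LogName -ExcludeId $ExcludeId -ExcludeProvider $ExcludeProvider
        Get-WinEvent -FilterXml ([xml]$q)
    } else {
        # Server 2003 / XP: classic logs only, filtered client-side.
        Get-EventLog -LogName $LogName | Where-Object {
            ($ExcludeId -notcontains $_.EventID) -and ($ExcludeProvider -notcontains $_.Source)
        }
    }
}

# Hide event ID 1000 and the Security-SPP source from the Application log.
Get-EventsExcluding -LogName Application -ExcludeId 1000 `
    -ExcludeProvider 'Microsoft-Windows-Security-SPP' | Select-Object -First 20
```

The string returned by `New-SuppressQuery` can also be pasted into the Event Viewer XML tab after checking "Edit query manually".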