EventLogQuery - The specified query is invalid if searchFilter too long

    Question

  • Hi Together

    I have the following problem and need help.

    I have an EventLogSearch method with the following search filter, which is working without problems.

    "*[System[(Level=4503599627370496) and (EventID!=4 and EventID!=5 and EventID!=9 and EventID!=15 and EventID!=20 and EventID!=39 and EventID!=1111 and EventID!=7031 and EventID!=7032 and EventID!=10010 and EventID!=10016 and EventID!=10028 and EventID!=36874 and EventID!=36882 and EventID!=36887 and EventID!=36888 and EventID!=129 and EventID!=61034 and EventID!=61150 and EventID!=39 and EventID!=27) and TimeCreated[@SystemTime>= '2018-12-06T10:37:21.513983900Z']]]"

    As soon as I add one more EventID which I want to exclude, I get an error message on the line "EventLogReader logReader = new EventLogReader(elq);"

    {"The specified query is invalid"}

    This is how the filter looks in case of the error:

    "*[System[(Level=4503599627370496) and (EventID!=4 and EventID!=5 and EventID!=9 and EventID!=15 and EventID!=20 and EventID!=39 and EventID!=1111 and EventID!=7031 and EventID!=7032 and EventID!=10010 and EventID!=10016 and EventID!=10028 and EventID!=36874 and EventID!=36882 and EventID!=36887 and EventID!=36888 and EventID!=129 and EventID!=61034 and EventID!=61150 and EventID!=39 and EventID!=27 and EventID!=3) and TimeCreated[@SystemTime>= '2018-12-06T10:28:13.768549100Z']]]"

    The only difference between those two filters is the number of IDs which I want to exclude...

    The second filter has "and EventID!=3" more than the first one.

    Is there any limitation on the number of IDs which can be excluded in an EventLogQuery searchFilter?

    Thanks in advance for your help...

    public static List<EventProperty> SearchEventLogs(EventLogSearchParmeters paramObject, string searchFilter)
    {
        var elq = new EventLogQuery(paramObject.LogName, PathType.LogName, searchFilter);
        int searchfilterint = searchFilter.Length;
        List<string> includes = paramObject.Includes;
        List<string> excludes = paramObject.Excludes;
        string messageDescription = paramObject.Description;
        string logonAccount = "";
        string sourceWorkstation = "";
        string message = "";
        // Result list (was not declared in the posted snippet)
        List<EventProperty> EventlogList = new List<EventProperty>();

        try
        {
            // "The specified query is invalid" is thrown on this line
            EventLogReader logReader = new EventLogReader(elq);

            for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
            {
                // Read Event details
                var id = eventdetail.Id;
                try
                {
                    // FormatDescription() already returns a string (may be null)
                    if (!string.IsNullOrEmpty(eventdetail.FormatDescription()))
                    {
                        message = eventdetail.FormatDescription();
                    }
                    else
                    {
                        message = "Log Message seems to be empty";
                    }
                }
                catch (Exception ex)
                {
                    if (paramObject.Debug1 == 1)
                    {
                        string errormessage = ex.Message;
                        Console.WriteLine("\n\rThere was a Problem reading Event Description for EventID:" + id);
                    }
                    message = string.Format("\n\rThere was a Problem reading Event Description for EventID:{0}", id);
                }

                DateTime timeCreated = (DateTime)eventdetail.TimeCreated;
                string source = eventdetail.ProviderName;
                string eventType = EventLogSearchParmeters.EnumerateEventTypes(eventdetail.Level.ToString());

                EventProperty evtPropObject = new EventProperty(id, message, timeCreated, source, eventType);
                EventlogList.Add(evtPropObject);
            }

            // Return once the whole log has been read (the posted snippet returned inside the loop)
            return EventlogList;
        }
        catch (EventLogNotFoundException e)
        {
            Console.WriteLine("Error while reading the event logs");
            Environment.Exit(0);
            return EventlogList;
        }
    }






    • Edited by todomati Thursday, December 6, 2018 4:06 PM
    Thursday, December 6, 2018 1:12 PM


All replies

  • I suspect there is but I cannot tell at this point because you didn't post the code that actually hooks your exclude list up. At the point your code stops you've just created a reader. Please post the rest of the code.

    Be aware that EventID is obsolete so you shouldn't write new code that relies on it.


    Michael Taylor http://www.michaeltaylorp3.net

    Thursday, December 6, 2018 2:55 PM
    Moderator
  • Hi Michael

    It should be complete now...

    Thursday, December 6, 2018 4:07 PM
  • I took your code and I'm getting compiler errors so it is hard to see what you're seeing. However I notice that your includes and excludes variables are never used. So that must mean you're setting up this query using the searchFilter parameter you're passing in, correct?

    searchFilter becomes a parameter to EventLogQuery which is then passed to EventLogReader. ELR uses the EvtQuery Win32 call to execute the query. The docs for that function say that if you have more than 20 expressions you need to use structured XML instead. Your working query seems to have more than that but it seems like you're running into this limit. So try converting to structured XML instead so you can work around it.



    Michael Taylor http://www.michaeltaylorp3.net

    Thursday, December 6, 2018 7:12 PM
    Moderator
    I don't know why you get an error with my method, because if I start it with 20 exclusions it is working perfectly. With 21 it does not work and the error is coming on running the line EventLogReader logReader = new EventLogReader(elq);

    The elq variable is not empty and the filter is definitely OK.

    I am not so familiar with structured XML.

    Do you have any docs or a link where I could see some examples...

    Thanks for your answer...

    Friday, December 7, 2018 8:53 AM
    I built the filter like this (it differs from the needed one because I wanted to test the syntax in C#) just to test it, and it works for fewer than 20 elements and does not work with more than 20 IDs, neither in C# nor in the Event Viewer GUI..

    string structuredQuery =
        "<QueryList>" +
            @"<Query Id=""0"" Path=""System"">" +
                @"<Select Path=""System"">*[System[(Level = 2) and(EventID = 4 or EventID = 5 or EventID = 456 or EventID = 77689 or EventID = 345 or EventID = 656) and TimeCreated[@SystemTime>= '2018-12-07T13:42:39.000Z']]]</Select>" +
            "</Query>" +
        "</QueryList>";

    Do you have any suggestion?

    Friday, December 7, 2018 1:59 PM
    You can test it if you put more than 23 IDs in the Event Viewer GUI, comma separated.

    Do you get an error?

    Friday, December 7, 2018 2:08 PM
  • Any other suggestion... I need more than 23 exclusions because I use it for a monitoring system...
    • Marked as answer by todomati Friday, December 7, 2018 3:06 PM
    Friday, December 7, 2018 2:23 PM
  • If the EV UI isn't going to allow more than 23 then you're not going to be able to do it programmatically either. Must be a limit in Windows but you'd probably need to post on TechNet to see if anyone there knows the upper limit.

    The only alternative would be to break up the query. It appears that you're doing some base set of filtering and then adding additional EventIDs to ignore. So, while not ideal, I would recommend that you remove the EventIDs from the query. Put them into a simple List in C#. Run your query without them and then filter the results using LINQ based upon the ID. You'll be pulling more data back at once but then you aren't limited by the query size.

    A more ideal solution would be to adjust your filtering rules. Unfortunately I doubt any adjustments would get you what you need but I'll list some anyway.

    - IN clause would be ideal but I don't see that event query operator supported. It could be missing from the docs but I sort of doubt it. Either way you'd eventually reach a limit anyway.

    - Filter by ranges of IDs. If you know, for example, that 1000-1002 are to be ignored then add one clause to ignore the range. 


    Michael Taylor http://www.michaeltaylorp3.net

    Friday, December 7, 2018 3:03 PM
    Moderator
  • Thanks very much for your answer...

    That is what I realised and I am already trying to get all errors at once and build a LINQ filter...

    Cheers

    Friday, December 7, 2018 3:05 PM
  • I just realised that it is not very easy for me to build this LINQ filter, which filters out the IDs from my exclusion list in the collected event log IDs, because I am not familiar with complex LINQ queries. I tried something but it does not work...

    I have two lists: "IDs to be excluded" and the IDs from the EventLogCollection.

    Do you have any idea how this filter should look?



    • Edited by todomati Friday, December 7, 2018 3:27 PM
    • Marked as answer by todomati Monday, December 10, 2018 8:41 AM
    Friday, December 7, 2018 3:26 PM
  • Here's one approach (not tested).

    //Keeping with reading a single entry at a time so you don't waste memory storing records you don't need - I prefer while loops in this case
    var eventDetail = logReader.ReadEvent();
    while (eventDetail != null)
    {
       //Skip excluded events (EventRecord.Id is an int, so excludes has to be a collection of ints here)
       if (!excludes.Contains(eventDetail.Id))
       {
          //Process the wanted event here
       }

       //Next - always read the following record, otherwise an excluded event would loop forever
       eventDetail = logReader.ReadEvent();
    }


    Michael Taylor http://www.michaeltaylorp3.net

    • Marked as answer by todomati Monday, December 10, 2018 8:40 AM
    Friday, December 7, 2018 4:20 PM
    Moderator
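    Putting the December 7 3:03 PM suggestion (leave the EventIDs out of the query and filter in C#) and the while-loop sketch above together, as an added example that is not code from this thread: the XPath keeps only the Level and TimeCreated predicates, and the exclusion list of any length is applied while reading. FilteredEventLogReader, EventSummary and BuildQuery are names assumed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;

// Added example (not code from this thread): the XPath carries only the Level and
// TimeCreated predicates, so its expression count no longer grows with the exclusion
// list; the EventIDs to ignore are dropped client-side while reading one record at a time.
public static class FilteredEventLogReader
{
    public sealed class EventSummary
    {
        public int Id; public DateTime? TimeCreated; public string Provider; public string Message;
    }
    // Assumed helper: 'level' and 'sinceUtc' replace the values hard-coded in the thread's filter.
    public static string BuildQuery(int level, DateTime sinceUtc)
    {
        string since = sinceUtc.ToUniversalTime().ToString("o"); // e.g. 2018-12-06T10:37:21.5139839Z
        return "*[System[(Level=" + level + ") and TimeCreated[@SystemTime>='" + since + "']]]";
    }
    public static List<EventSummary> Read(string logName, string query, IEnumerable<int> excludedIds)
    {
        var excluded = new HashSet<int>(excludedIds);     // O(1) lookup, any number of IDs
        var results = new List<EventSummary>();
        var elq = new EventLogQuery(logName, PathType.LogName, query);
        using (var reader = new EventLogReader(elq))
        {
            EventRecord record;
            while ((record = reader.ReadEvent()) != null)
            {
                using (record)                             // releases the native handle, also on 'continue'
                {
                    if (excluded.Contains(record.Id)) continue;
                    string message;
                    try { message = record.FormatDescription() ?? ""; }
                    catch (EventLogException) { message = "(description unavailable)"; }
                    results.Add(new EventSummary { Id = record.Id, TimeCreated = record.TimeCreated,
                                                   Provider = record.ProviderName, Message = message });
                }
            }
        }
        return results;
    }
    public static void Main()
    {
        // Same shape as the thread's query: Level 2 (Error) events of the last day, minus a long exclusion list
        var query = BuildQuery(2, DateTime.UtcNow.AddDays(-1));
        var events = Read("System", query, new[] { 4, 5, 9, 15, 20, 39, 1111, 7031, 7032, 10010, 10016, 10028 });
        foreach (var e in events) Console.WriteLine($"{e.TimeCreated:u} {e.Id} {e.Provider}: {e.Message}");
    }
}
```

    Reading the System log needs an account that may read it (administrator for some logs), and the exclusion array can be as long as the monitoring rules require without touching the query.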
  • Hi Michael

    Thanks very much for the fast answer...

    It is working this way...

    Great... Good way to avoid the search limitation of 20 IDs....

    You saved my time....

    Cheers...

    Monday, December 10, 2018 8:40 AM