What is the correct syntax for the evLogBlkListEx.xml file?
Please refer to the following information for customizing the blacklist. We will add that information into the xml in future hotfix updates. Please use evLogBlkListEx.xml instead. Use an internet browser such as IE to open the xml file to make sure you have format the xml file correctly.
A. Element tags:
EventLogBlackList - root element of this XML
OverflowTime - Time period (seconds) used to limit the number of events being uploaded to KServer.
OverflowCount - the maximum number of entries that can be uploaded to KServer within the time period specified in OverflowTime.
set to 0 to disable the overflow limitation.
EventLog - description of the event log, contains event filters. Both attributes are required. Please refer to the Event log name and ID section for detail.
Name - Name of the event log
ID - a unique id for the specific event log
Def - filter definition
Error ??? 0 or 1, 1 to enable filtering error type event.
Warning ??? 0 or 1, 1 to enable filtering warning type event.
Information ??? 0 or 1, 1 to enable filtering information type event.
AuditSuccess ??? 0 or 1, 1 to enable audit success type event.
AuditFailure - 0 or 1, 1 to enable filtering audit failure type event.
Critical ??? 0 or 1, 1 to enable filtering critical type event. (Vista and above)
Verbose ??? 0 or 1, 1 to enable filtering verbose type event. (Vista and above)
Source ??? Full or partial texts for source filtering.
Category ??? Full or partial texts for category filtering.
EventID ??? Event ID filtering.
Description - Full or partial texts for description filtering.
% can be used as a wildcard in Source, Category, and Description attributes.
<Def Warning="1" Source="%SpoolerWin32%" Event /> => Filter out all warning eventS with event id 4 from the source containg "SpoolerWin32".
B. Event log name and ID:
The names and IDs for the most commonly used event logs are listed below:
286518283 Directory Service
635771359 Internet Explorer
1208407329 DNS Server
2024587388 DFS Replication
1817615708 Key Management Service
Please refer to the logFileName and EventLogTypeId fields of eventLogType table in VSA ksubscriber database for additional event logs.