Sometimes, when filtering by EventId with Event Log Monitors the result is empty. Some event records identifiers are composed by two different numbers: the qualifier and the normal ones. In order to make an effective filter by EventId the user should take this issue into account and create the filter depending on if the record has or not a qualifier value. If this is the case then the identifier must be calculated using the following formula: Qualifier value * 65536 (2^16) + Normal Value. For example, the attached file is an image with an example for the EventId equal to 34 from the EventViewer point of view: the corresponding identifier should be calculated like this: 16386 * 65536 + 34 = 1073872930. The user should set the EventId as 1073872930 instead of 34.

Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: October 18, 2018