An event subscription that uses a custom filter on a server that is running Windows Server 2008 does not collect events from a server that is running Windows Server 2003 R2

Article ID: 979389 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:
  • You create an event subscription on a server that is running Windows Server 2008.
  • The event subscription collects events from a server that is running Windows Server 2003.
  • A custom filter is defined on a date/time value such as System Time.
In this scenario, the event subscription does not collect the events. This includes events that occur in real time.
Back to the top | Give Feedback

CAUSE

This issue occurs because the custom filter that collects events does not work for a server that is running Windows Server 2003. The Wevtfwd plug-in in Windows Server 2003 uses MSXML to apply the XPATH query to the event. Therefore, MSXML is used to select the event or to reject the event.

Additionally, MSXML 6.0 is used to parse the event. MSXML 6.0 does not support either the TIMEDFF function or string comparison by using the "<=" and ">=" constructs. Therefore, the parser rejects the query when the query contains these constructs. This behavior prevents the event from being forwarded to the event subscription.
Back to the top | Give Feedback

RESOLUTION

To resolve this problem so that these kinds of queries function correctly, upgrade the source server to Windows Server 2008.
Back to the top | Give Feedback

Properties

Article ID: 979389 - Last Review: February 20, 2010 - Revision: 1.0
APPLIES TO
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
Keywords: 
kbtshoot kbexpertiseinter kbsurveynew kbprb KB979389
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top