[UNSOLVED] Event Log Custom XML Query Filtering Help
I've looked at a few different posts but I must be missing something because what I'm constructing isn't working.
Here's the XML code of an example event:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="ERAS WCF" />
<EventID Qualifiers="0">0</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-07-09T20:32:51.000000000Z" />
<EventRecordID>899070</EventRecordID>
<Channel>Application</Channel>
<Computer>server.f.q.d.n</Computer>
<Security />
</System>
- <EventData>
<Data>User [email protected] has submitted 'Get BIOS Information' operation from servername to computername.f.q.d.n.</Data>
</EventData>
</Event>
This is my query:
<QueryList>
<Query Id="0">
<Select Path="Application">*[EventData[Data and (Data='computername' or Data='ip.add.re.ss')]]</Select>
</Query>
</QueryList>
I always get 0 results, even if I take stabs in the dark:
*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
*[EventData[Data and (Data='*computername*')]]
*[EventData[Data and (Data='%computername%')]]
I used this post as my guide for filtering based on content: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
Also:
I hope this is the right place for this question. This said to post in the server
forums, but in
the server forums, it said to post here.
I happen to be doing this on a server, but it could just as easily be a desktop.
Hello,
Thanks for posting question to this forum. Since this forum is related with XPath, what I can do is to help you validate your XPath query. With your query, I tested them with my computer, however, all of them could load event record correctly:
Query:*[EventData[Data and (Data='Office12AssertTimer' or Data='6.3.9600.17031')]]
Result:
Query:*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
Result:
So your XPath query is ok. Do you have a try to use the same query to filter the event log to check if there are records with another computer? I am wondering if there is something wrong with your current computer.
And since the XPath is ok, I would like suggest you posting it to the server forum to see if there are others looking into it.
Regards.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.
Similar Messages
-
XML Query filtering by child table column
Hello,
If anyone can help with this one... it would be nice. I need to make the output of an query to be in the format of XML, but the problem is that the initial filtering needs to be done in the child table.
Example:
CREATE TABLE PRIMARY(
ID NUMBER(19,0),
CODE_PRIMARY VARCHAR2(32));
CREATE TABLE SECONDARY(
ID NUMBER(19,0),
IDPRIMARY(19,0),
CODE_SECONDARY VARCHAR2(32));
INSERT INTO PRIMARY(ID,CODE_PRIMARY)
VALUES (1,'A');
INSERT INTO PRIMARY(ID,CODE_PRIMARY)
VALUES (2,'B');
INSERT INTO SECONDARY(ID,IDPRIMARY,CODE_SECONDARY)
VALUES (1,1,'C');
INSERT INTO SECONDARY(ID,IDPRIMARY,CODE_SECONDARY)
VALUES (2,1,'D');
INSERT INTO SECONDARY(ID,IDPRIMARY,CODE_SECONDARY)
VALUES (3,2,'E');
Now what we need is to build an XML tree like the following, INNER JOINING PRIMARY and SECONDARY tables with this condition in the where clause -> WHERE SECONDARY.CODE IN ('C','D')
<result>
<record>
<id>1</id>
<code>A</code>
<childs>
<child>
<id>1</id>
<idprimary>1</idprimary>
<codesecondary>C</codesecondary>
</child>
<child>
<id>2</id>
<idprimary>1</idprimary>
<codesecondary>D</codesecondary>
</child>
</childs>
</record>
</result>
In this example only one record is returned since we only have one record in PRIMARY table that has a child having codesecondary=C or D. The ideia is to get many records... but I think that this is enough for the sake of the example. And the solution is the same.
Thanks in advance!
GMFound the answer. Used distinct keyword instead of grouping the output table columns. This way XMLAgg didn't broke up the result:
SELECT
XMLElement("Processos",
XmlAgg(XMLElement("Processo",
XMLForest(T.ID as "Id",T.CODIGO as "Codigo",T.DESCRICAO as "Descricao"),
XMLElement("Funcionalidades",
SELECT
XMLAgg(
XMLElement("Funcionalidade",F2.ID)
FROM TWBASEDB.LISTA_UNICA_FUNCIONALIDADE F2
WHERE F2.ID_processo=T.ID
and f2.ACTIVIDADE IN ('1_ACTC1','1_ACTC2','1_ACTC3','2_ACTC1')
from
select distinct P.ID,P.CODIGO,p.DESCRICAO
FROM TWBASEDB.LISTA_UNICA_PROCESSOS P
INNER JOIN TWBASEDB.LISTA_UNICA_FUNCIONALIDADE F ON P.ID=F.ID_PROCESSO
WHERE ACTIVIDADE IN ('1_ACTC1','1_ACTC2','1_ACTC3','2_ACTC1')
order by p.id
) T -
Hi all,
We have almost 1500 clients (win7 system) in LAN environment and our requirement was we need to clear event logs older than 7 day's in all client system,
Pls confirm and group policy or script available for that.
Thanks, Mariappan ShanmugavelGreetings!
I am not sure if it is practical to have a script to search for old event logs and clear them. Also it may create performance issues because the event logs should be queried and check conditions for that, then move for removal process. Why not to use retention
for this? configure retention for 7 days and there will be no log older that that.
Event Logging policy settings in Windows Server 2008 and Vista
Regards.
Mahdi Tehrani |
|
www.mahditehrani.ir
Please click on Propose As Answer or to mark this post as
and helpful for other people.
This posting is provided AS-IS with no warranties, and confers no rights.
How to query members of 'Local Administrators' group in all computers? -
Questions about BT Home Hub 4A event log - WIFI c...
Hope someone can help please ?
I had BT inifinity installed 2 weeks ago with the HH 4 (type A) and everything has worked - connection found, no problem.
This week, my ipod touch was unable to join the network but the iphone 5, another ipod and a tablet could connect without a problem. The ipod touch managed to connect to another WIFI used at the property and my work wifi without a problem.
I thought it maybe the ipod touch as it was quite old but that doesn't make sense since it connects fine to other networks. I restored network settings and other options suggested by Apple but to no avail.
I have turned my attention to the Hub. My laptop (older than the ipod touch) gets the connection no problem along with the other devices. I went into the hub management page but I am not smart enough to decifer the event log so would like some help so I can fix this because I thought BT infinity was the better more reliable option?
The ipod touch Wifi IP address is 00:25:00:b7:35:f6.
On the event log, it shows STA before the address - but it shows STA before all the device IP addresses. Should I change this to DCHP ? or is this (Static ? alright)
The Lease on all the devices on the event log is set to 1440 min. (1 day) is that alright too, what does it mean ?
Do I have to keep renewing the lease ? How do I do that ? I read it can be set to 21 days ?
Going back to the IP address on the ipod it shows the Hostname as 00:25:00:B7:35:f6-2 this is different to the IP address with the -2. Could that be a cause of the unable to join network or is it because I attempted to recreate the network on the ipod so its the second version of that host name ?
Is there any setting I can change to fix this because I am concerned the same this will happen to the other devices and then the laptop....
What do I need to do to be able to get my ipod touch to connect to the BT network setting ?
I think its the hub 4A causing the 'block' on the ipod touch not the device and I think its maybe a matter of changing a setting - but then why was it all fine before when Infinity was first installed ?
Lastly my laptop (7 Years old) seems to be attached to the 5GHZ Wireless channel - is that alright ? The other more recent devices are on the 2.4ghz channel (except the ipod touch which isn't on any !!)
Is it alright to turn the hub on / off ? -I am resisting that because I don't want to make the situation worse.
Sorry but what does client disassociated mean and all the BLOCKS - do they relate to firewall ?
Please can you review the event log and my questions ?
Many thanks
angie 2601
The time frame is 3.55am 8/8/2013 - 7.16 am 8/8/2013
(Latest (7.16am) at the top
Message
07:16:39, 08AUG
(1224785.050000) Admin login successful by 192.168.1.64 on HTTP (1224766.610000) Admin login FAILED by 192.168.1.64 on HTTP (1224648.050000) New GUIsession from IP 192.168.1.64
(1224466.770000) Device disconnected: Hostname: Unknown-d8:dl:cb:ec:a6:fe
IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client disassociated
(1224362.750000) lease for IP 192.168.1.65 renewed by host Unknown d8:d1:cb:ec:a6:fe (MAC d8:d1:cb:ec:a6:fe).lease duration:1440 min (1224362.750000) Device connected: Hostname:Unknown-d8:d1:cb:ec:a6:feiP:
192.168.1.65 MAC:d8:dl:cb:ec:a6:fe lease time: 1440 min. link rate:90.0 Mbps
(1224362.690000) Lease requested
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11:Client associated
(1224241.150000) lease for IP 192.168.1.64 renewed by host FAMILY (MAC
00:13:02:de:6d:e6). Lease duration:1440 min
(1224241.150000) Device connected: Hostname: FAMii.Y IP:192.168.1.64 MAC:
00:13:02:de:6d:e6 Lease time: 1440 min. link rate: 54.0 Mbps
(1224241.090Cl00) Lease requested
wlan1TA 00:13:02:de:6d:e6 IEEE 802.11:Client associated
OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:34905->31.13.72.38:443 on ppp1)
(1223644.770000) Device disconnected: Hostname: Unknown-d8:dl:cb:ec:a6:fe
IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe
wlanl: STA d8:d1:cb:ec:a6:-fe IEEE 802.11:CHent diSassociated
(1223489.390000) Lease for IP 192.168.1.65 renewed by host Unknown d8:d1:cb:ec:a6:fe (MAC d8:d1:cb:ec:a6:fe).lease duration:1440 min (1223489.380000) Device connected:Hostname:Unknown-d8:dl:cb:ec:a6:fe IP:
192.168.1.65 MAC: d kd1:cb ec:-a6-:fe Lease time: 1440 min. Link rare: 90.0 Mbps
(1223489.330000) Lease requested
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client associated wlan1TA d8:d1:cb:ec:a6:fe IEEE 802.11: Client disasSociated
wlan1TA d8:d1:cb:ec:a6:fe IEEE 802.11:Client associated
OUT;BLOCK [9] Packet i valid in connection (TCP
192.168.1.66:34375->31.13.72.38:443 on pppl)
l'N':BLOCK [16-} Remote administration {ICMP type 8 code 0
117.1.42.94->86.182.228.205 on ppp1)
IN: BLOCK [9] Packet invalid in connection (TCP
31.13.72.33:443->86.182.228.205:44156 on ppp1) IN: BLOCK [9] Packet invalid in connection (TCP
31.13.72.33:443->86.182.228.205:36615 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP
192.1-68.1.68:49476->173.252.103.16:443 OR ppp1)
BLOCKED 5 more packets (because of Packet invalid in connection) OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.68:49443->95.100.195.205:443 on ppp1)
OUT:BLOCK {9] PaCket invalid in connection (TCP
192.168.1.68:49438->95.100.194.217:443 on ppp1)
IN:BLOCK [9] Packet invalid in connection (TCP
95.100.194.217:443->86.182.228.205:49444 on ppp1)
(1222111.810000) Lease for IP 192.168.1.68 renewed by host Unknown-
70:56:81:46:bf:d9 (MAC 70:56:81:46:bf:d9).Lease duration:1440 min
(1222111.810000) Device connected:Hostname:Unknown-70:56:81:46:bf:d9 IP:,
192.168.1.68 MAC:70:56:8:t:46:bf:d9lease time:1440 min. Link rate:52.0 Mbps
(1222111.750000) Lease requested .-
wlanO: STA 70:56:81:46:bf:d9 IEEE 802.11: Client associated • (1222093.690000) Device dlsconn: Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168. MAC: 00:25:00:b7:35:f6 wlanoTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66-:43272->31.13.72.33:443 on ppp1)
221969.130000) lease for IP 192.168.1.67 renewed by host Unknown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min
(1221969.130000} Devicconnected: Hostname·:Unknowwoo·:25:00:b7 35:f6-2
IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Unk rate: 54.0
Mbps
(1221969.070000) Lease requested
wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11:Client associated
(1220365.290000) Device disconnected: Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
(1220348.230000) Lease for IP 192.168.1.67 renewed by host Unlmown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6).lease duration: 1440 min
(1220348.230000) Device connected: Hostname:Unknown-00:25:00:b7:35:f6-2
IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Unk rate: 54.0
Mbps
(1220348.170000) lease requested
wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client associated
IN: BLOCK f16] Remote administration (TCP
123.151.42.61:12233->86.182.228.205:8080 on ppp1) OUT: BLOCK [9] Packet invalid in connection (TCP
:t92.Hi8.1.66:53813->31.13.72.33:443 on ppp1)
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:43989->31.13.72.33:443 on ppp1)
IN: BLOCK [16] Remote administration (ICMP type 8 rode 0
2.7.251.109.227->86.182.228.205 on pppl)
(1216770.650000) Device disconnected:Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6
OUT:BLOCK [9j Packet invalid in connection (TCF
192.168.1.67:49180->74.125.136.109:993 on ppp1)
wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
(1216753.280000) Lease for IP 192.168.1.67 renewed by host Unknown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min
(1216753.270000) Device connected: Hostname: Unknown-00:25:00:b7:35:f6-2
IP: 192.168.1.67 MAC: 00:25.:00-:.b7.:35:f6 Lease time: 1440 min. Unk rate: 54.0
Mbps
(1216753.220000) lease requested
wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11:Client assodat
OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:55944->23.21.78.229:443 on ppp1)
OUT: BLOCK [9J Packet invafid in connection (TCP
192.168.1.66:34794->31.13.72.33:443 on ppp1)
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:41441->31.13.72.33:443 on ppp1)
{1213176.020000) Device disconnected:.Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC:00:25:00:b7:35:f6 wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11: Client disassociated
(1213158.410000) Lease for IP 192.168.1.67 renewed by host Unknown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min _./:\ (1213158.400000) Device connected:Hostname:Unknown-00:25:00:b7:35:ftt.Y IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min.Unk rate: 54.0
Mbps
(1213158.340000) Lease requested
wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11: Client associated
OUT:BLOCK (9] Packet invalid in connection (TCP
192.168.1.66:59767->176.34.180.243:443 on ppp1) OUT;BLOCK [9] P.acket invalid in connection {TCP
192.168.1.66:56075->31.13.72.33:443 on ppp1) OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.66 581:1:0->31.13.72.33:443 on ppp1)
BL.OCKED 2 more packets (because of Packet invalid in connection) OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:56251->31.13.72.33:443 on ppp1)
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:36959->31.13.72.33:443 on ppp1)
BlOCKED 1more packets (because of Packet invalid in connection)It could be that the Ipod touch is having problems with both the 2.4GHz and 5GHz frequencies being named the same. If you give them separate SSids it may help. ie add a 5 to the 5GHz SSid.
If you do this you will need to re-connect all your devices that can see both frequencies to both SSids so that they will swap between the frequencies seamlessly when ever they need to
See link how to change SSid.
http://bt.custhelp.com/app/answers/detail/a_id/44504/related/1/session/L2F2LzEvdGltZS8xMzc1OTY2ODIxL...
Once you have changed the SSid I would delete the network connection on the Ipod touch and start again. -
Script to Export Pervious Day Events Logs to CSV
HI,
I am trying to export all the previous day's application event logs to a CSV file. I found the following script on net. But for this script to work I need to enter in the Event ID's I wont to export. Does anyone have any idea how I can change thsi script
to export all event ID's or have another script that can?
'Description : This script queries the event log for...whatever you want it to! Just set the event 'log name and event ID's!
'Initialization Section
Option Explicit
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Dim objDictionary, objFSO, wshShell, wshNetwork
Dim scriptBaseName, scriptPath, scriptLogPath
Dim ipAddress, macAddress, item, messageType, message
On Error Resume Next
Set objDictionary = NewDictionary
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set wshShell = CreateObject("Wscript.Shell")
Set wshNetwork = CreateObject("Wscript.Network")
scriptBaseName = objFSO.GetBaseName(Wscript.ScriptFullName)
scriptPath = objFSO.GetFile(Wscript.ScriptFullName).ParentFolder.Path
scriptLogPath = scriptPath & "\" & IsoDateString(Now)
If Err.Number <> 0 Then
Wscript.Quit
End If
On Error Goto 0
'Main Processing Section
On Error Resume Next
PromptScriptStart
ProcessScript
If Err.Number <> 0 Then
MsgBox BuildError("Processing Script"), vbCritical, scriptBaseName
Wscript.Quit
End If
PromptScriptEnd
On Error Goto 0
'Functions Processing Section
'Name : ProcessScript -> Primary Function that controls all other script processing.
'Parameters : None ->
'Return : None ->
Function ProcessScript
Dim hostName, logName, startDateTime, endDateTime
Dim events, eventNumbers, i
hostName = wshNetwork.ComputerName
logName = "application"
eventNumbers = Array("1001","1")
startDateTime = DateAdd("n", -21600, Now)
'Query the event log for the eventID's within the specified event log name and date range.
If Not QueryEventLog(events, hostName, logName, eventNumbers, startDateTime) Then
Exit Function
End If
'Log the scripts results to the scripts
For i = 0 To UBound(events)
LogMessage events(i)
Next
End Function
'Name : QueryEventLog -> Primary Function that controls all other script processing.
'Parameters : results -> Input/Output : Variable assigned to an array of results from querying the event log.
' : hostName -> String containing the hostName of the system to query the event log on.
' : logName -> String containing the name of the Event Log to query on the system.
' : eventNumbers -> Array containing the EventID's (eventCode) to search for within the event log.
' : startDateTime -> Date\Time containing the date to finish searching at.
' : minutes -> Integer containing the number of minutes to subtract from the startDate to begin the search.
'Return : QueryEventLog -> Returns True if the event log was successfully queried otherwise returns False.
Function QueryEventLog(results, hostName, logName, eventNumbers, startDateTime)
Dim wmiDateTime, wmi, query, eventItems, eventItem
Dim timeWritten, eventDate, eventTime, description
Dim eventsDict, eventInfo, errorCount, i
QueryEventLog = False
errorCount = 0
If Not IsArray(eventNumbers) Then
eventNumbers = Array(eventNumbers)
End If
'Construct part of the WMI Query to account for searching multiple eventID's
query = "Select * from Win32_NTLogEvent Where Logfile = " & SQ(logName) & " And (EventCode = "
For i = 0 To UBound(eventNumbers)
query = query & SQ(eventNumbers(i)) & " Or EventCode = "
Next
On Error Resume Next
Set eventsDict = NewDictionary
If Err.Number <> 0 Then
LogError "Creating Dictionary Object"
Exit Function
End If
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & hostName & "\root\cimv2")
If Err.Number <> 0 Then
LogError "Creating WMI Object to connect to " & DQ(hostName)
Exit Function
End If
'Create the "SWbemDateTime" Object for converting WMI Date formats. Supported in Windows Server 2003 & Windows XP.
Set wmiDateTime = CreateObject("WbemScripting.SWbemDateTime")
If Err.Number <> 0 Then
LogError "Creating " & DQ("WbemScripting.SWbemDateTime") & " object"
Exit Function
End If
'Build the WQL query and execute it.
wmiDateTime.SetVarDate startDateTime, True
query = Left(query, InStrRev(query, "'")) & ") And (TimeWritten >= " & SQ(wmiDateTime.Value) & ")"
Set eventItems = wmi.ExecQuery(query)
If Err.Number <> 0 Then
LogError "Executing WMI Query " & DQ(query)
Exit Function
End If
'Convert the property values of Each event found to a comma seperated string and add it to the dictionary.
For Each eventItem In eventItems
Do
timeWritten = ""
eventDate = ""
eventTime = ""
eventInfo = ""
timeWritten = ConvertWMIDateTime(eventItem.TimeWritten)
eventDate = FormatDateTime(timeWritten, vbShortDate)
eventTime = FormatDateTime(timeWritten, vbLongTime)
eventInfo = eventDate &
eventInfo = eventInfo & eventTime & ","
eventInfo = eventInfo & eventItem.SourceName & ","
eventInfo = eventInfo & eventItem.Type & ","
eventInfo = eventInfo & eventItem.Category & ","
eventInfo = eventInfo & eventItem.EventCode & ","
eventInfo = eventInfo & eventItem.User & ","
eventInfo = eventInfo & eventItem.ComputerName & ","
description = eventItem.Message
'Ensure the event description is not blank.
If IsNull(description) Then
description = "The event description cannot be found."
End If
description = Replace(description, vbCrLf, " ")
eventInfo = eventInfo & description
'Check if any errors occurred enumerating the event Information
If Err.Number <> 0 Then
LogError "Enumerating Event Properties from the " & DQ(logName) & " event log on " & DQ(hostName)
errorCount = errorCount + 1
Err.Clear
Exit Do
End If
'Remove all Tabs and spaces.
eventInfo = Trim(Replace(eventInfo, vbTab, " "))
Do While InStr(1, eventInfo, " ", vbTextCompare) <> 0
eventInfo = Replace(eventInfo, " ", " ")
Loop
'Add the Event Information to the Dictionary object if it doesn't exist.
If Not eventsDict.Exists(eventInfo) Then
eventsDict(eventsDict.Count) = eventInfo
End If
Loop Until True
Next
On Error Goto 0
If errorCount <> 0 Then
Exit Function
End If
results = eventsDict.Items
QueryEventLog = True
End Function
'Name : ConvertWMIDateTime -> Converts a WMI Date Time String into a String that can be formatted as a valid Date Time.
'Parameters : wmiDateTimeString -> String containing a WMI Date Time String.
'Return : ConvertWMIDateTime -> Returns a valid Date Time String otherwise returns a Blank String.
Function ConvertWMIDateTime(wmiDateTimeString)
Dim integerValues, i
'Ensure the wmiDateTimeString contains a "+" or "-" character. If it doesn't it is not a valid WMI date time so exit.
If InStr(1, wmiDateTimeString, "+", vbTextCompare) = 0 And _
InStr(1, wmiDateTimeString, "-", vbTextCompare) = 0 Then
ConvertWMIDateTime = ""
Exit Function
End If
'Replace any "." or "+" or "-" characters in the wmiDateTimeString and check each character is a valid integer.
integerValues = Replace(Replace(Replace(wmiDateTimeString, ".", ""), "+", ""), "-", "")
For i = 1 To Len(integerValues)
If Not IsNumeric(Mid(integerValues, i, 1)) Then
ConvertWMIDateTime = ""
Exit Function
End If
Next
'Convert the WMI Date Time string to a String that can be formatted as a valid Date Time value.
ConvertWMIDateTime = CDate(Mid(wmiDateTimeString, 5, 2) & "/" & _
Mid(wmiDateTimeString, 7, 2) & "/" & Left(wmiDateTimeString,
4) & " " & _
Mid(wmiDateTimeString, 9, 2) & ":" & _
Mid(wmiDateTimeString, 11, 2) & ":" & _
Mid(wmiDateTimeString, 13, 2))
End Function
'Name : NewDictionary -> Creates a new dictionary object.
'Parameters : None ->
'Return : NewDictionary -> Returns a dictionary object.
Function NewDictionary
Dim dict
Set dict = CreateObject("scripting.Dictionary")
dict.CompareMode = vbTextCompare
Set NewDictionary = dict
End Function
'Name : SQ -> Places single quotes around a string
'Parameters : stringValue -> String containing the value to place single quotes around
'Return : SQ -> Returns a single quoted string
Function SQ(ByVal stringValue)
If VarType(stringValue) = vbString Then
SQ = "'" & stringValue & "'"
End If
End Function
'Name : DQ -> Place double quotes around a string and replace double quotes
' : -> within the string with pairs of double quotes.
'Parameters : stringValue -> String value to be double quoted
'Return : DQ -> Double quoted string.
Function DQ (ByVal stringValue)
If stringValue <> "" Then
DQ = """" & Replace (stringValue, """", """""") & """"
Else
DQ = """"""
End If
End Function
'Name : IsoDateTimeString -> Generate an ISO date and time string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoDateTimeString -> Date and time parts of the input value in "yyyy-mm-dd hh:mm:ss" format.
Function IsoDateTimeString(dateValue)
IsoDateTimeString = IsoDateString (dateValue) & " " & IsoTimeString (dateValue)
End Function
'Name : IsoDateString -> Generate an ISO date string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoDateString -> Date part of the input value in "yyyy-mm-dd" format.
Function IsoDateString(dateValue)
If IsDate(dateValue) Then
IsoDateString = Right ("000" & Year (dateValue), 4) & "-" & _
Right ( "0" & Month (dateValue), 2) & "-" & _
Right ( "0" & Day (dateValue), 2)
Else
IsoDateString = "0000-00-00"
End If
End Function
'Name : IsoTimeString -> Generate an ISO time string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoTimeString -> Time part of the input value in "hh:mm:ss" format.
Function IsoTimeString(dateValue)
If IsDate(dateValue) Then
IsoTimeString = Right ("0" & Hour (dateValue), 2) & ":" & _
Right ("0" & Minute (dateValue), 2) & ":" & _
Right ("0" & Second (dateValue), 2)
Else
IsoTimeString = "00:00:00"
End If
End Function
'Name : LogMessage -> Writes a message to a log file.
'Parameters : logPath -> String containing the full folder path and file name of the Log file without with file extension.
' : message -> String containing the message to include in the log message.
'Return : None ->
Function LogMessage(message)
If Not LogToCentralFile(scriptLogPath & ".csv", IsoDateTimeString(Now) & "," & message) Then
Exit Function
End If
End Function
'Name : LogError -> Writes an error message to a log file.
'Parameters : logPath -> String containing the full folder path and file name of the Log file without with file extension.
' : message -> String containing a description of the event that caused the error to occur.
'Return : None ->
Function LogError(message)
If Not LogToCentralFile(scriptLogPath & ".err", IsoDateTimeString(Now) & "," & BuildError(message)) Then
Exit Function
End If
End Function
'Name : BuildError -> Builds a string of information relating to the error object.
'Parameters: message -> String containnig the message that relates to the process that caused the error.
'Return : BuildError -> Returns a string relating to error object.
Function BuildError(message)
BuildError = "Error " & Err.Number & " (Hex " & Hex(Err.Number) & ") " & message & ". " & Err.Description
End Function
'Name : LogToCentralFile -> Attempts to Appends information to a central file.
'Parameters : logSpec -> Folder path, file name and extension of the central log file to append to.
' : message -> String to include in the central log file
'Return : LogToCentralFile -> Returns True if Successfull otherwise False.
Function LogToCentralFile(logSpec, message)
Dim attempts, objLogFile
LogToCentralFile = False
'Attempt to append to the central log file up to 10 times, as it may be locked by some other system.
attempts = 0
Do
On Error Resume Next
Set objLogFile = objFSO.OpenTextFile(logSpec, ForAppending, True)
If Err.Number = 0 Then
objLogFile.WriteLine message
objLogFile.Close
LogToCentralFile = True
Exit Function
End If
On Error Goto 0
Randomize
Wscript.sleep 1000 + Rnd * 100
attempts = attempts + 1
Loop Until attempts >= 10
End Function
'Name : PromptScriptStart -> Prompt when script starts.
'Parameters : None
'Return : None
Function PromptScriptStart
MsgBox "Now processing the " & DQ(Wscript.ScriptName) & " script.", vbInformation, scriptBaseName
End Function
'Name : PromptScriptEnd -> Prompt when script has completed.
'Parameters : None
'Return : None
Function PromptScriptEnd
MsgBox "The " & DQ(Wscript.ScriptName) & " script has completed successfully.", vbInformation, scriptBaseName
End Function
ThanksHere is a script that will copy the previous days events and save them to "C:\". The file name be yesterdays date ex "04-18-2010-Events.csv"
Const strComputer = "."
Dim objFSO, objWMIService, colEvents, objEvent, outFile
Dim dtmStartDate, dtmEndDate, DateToCheck, fileDate
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
'change the date form "/" to "-" so it can be used in the file name
fileDate = Replace(Date - 1,"/","-")
Set outFile = objFSO.CreateTextFile("C:\" & fileDate & "-Events.csv",True)
DateToCheck = Date - 1
dtmEndDate.SetVarDate Date, True
dtmStartDate.SetVarDate DateToCheck, True
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
& dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For each objEvent in colEvents
outFile.WriteLine String(100,"-")
outFile.WriteLine "Category = " & objEvent.Category
outFile.WriteLine "ComputerName = " & objEvent.ComputerName
outFile.WriteLine "EventCode = " & objEvent.EventCode
outFile.WriteLine "Message = " & objEvent.Message
outFile.WriteLine "RecordNumber = " & objEvent.RecordNumber
outFile.WriteLine "SourceName = " & objEvent.SourceName
outFile.WriteLine "TimeWritten = " & objEvent.TimeWritten
outFile.WriteLine "Type = " & objEvent.Type
outFile.WriteLine "User = " & objEvent.User
outFile.WriteLine String(100,"-")
Next
outFile.Close
MsgBox "Finished!"
v/r LikeToCode....Mark the best replies as answers. -
Print document's name in Event Log ID #307 on Server 2012
Creating a new printer server using Windows Server 2012. Everything is working out fine so far, however I just ran into one problem that didn't happen in our Server 2008R2 print server.
When looking at print jobs that have completed under: event logs --> Microsoft --> Windows --> PrintService --Operational, I have noticed that Event ID 307 is not displaying the printed document's name in Server 2012 (it did for Server 2008R2).
In Server 2012, the document name simply displays as "Print Document" instead of displaying the document's name.
Anyone have any ideas on how to get the document's name to properly display in the event logs?
Thanks for any help.Hi Alan,
I have configured a Server 2012 R2 standard as print server to manage printers and Monitor the print usage of users, however I am not getting the Print logs (Event Log ID 307) in the default event logs directory on the print Server.
I perform some search and come to know that it’s a known problem in Server 2012 and there is Hotfix available. I installed the Hotfix mentioned here
http://support2.microsoft.com/kb/2938013/en-us , but still logs are not getting generated.
I also made the below setting for the logs.
Creating Registry entry
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Printers] "ShowJobTitleInEventLogs"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers] "ShowJobTitleInEventLogs"=dword:00000001
The policy name: Computer Configuration \ Administrative Templates \ Printers
Allow job name in event logs
Keep printed Docs setting is also enabled on all the printers installed on Print Server.
Noting seems to be working here or am i doing something wrong here.
Regards
Mukesh -
Version 6.84 produces many Event Logs
I have just updated from 6.83 to 6.84 and, although the software appears to be working fine, I am getting several events logged in the Application Event Log when my 6131 synchronises.
Event 1004
User NT AUTHORITY\NETWORK SERVICE
Detection of product '{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}', feature 'PCSuite', component '{9B373FD2-8E0A-4A76-80C7-63B6521FD237}' failed. The resource 'HKEY_CURRENT_USER\Software\Nokia\' does not exist.
Event 1001
User NT AUTHORITY\NETWORK SERVICE
Detection of product '{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}', feature 'Platform' failed during request for component '{7BA39C00-ED40-417C-8C5C-3804B2DDD646}'
Event 1004
User JSSOLUTIONS\John Smith
Detection of product '{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}', feature 'PCSuite', component '{9B373FD2-8E0A-4A76-80C7-63B6521FD237}' failed. The resource 'HKEY_CURRENT_USER\Software\Nokia\' does not exist.
Event 1001
User JSSOLUTIONS\John Smith
Detection of product '{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}', feature 'Platform' failed during request for component '{7BA39C00-ED40-417C-8C5C-3804B2DDD646}'
These 4 Event Log entries are repeated 3 more times.
I have tried uninstalling and reinstalling but to no avail.
I have checked the Registry and HKEY_CURRENT_USER\Software\Nokia\ does exist.
I have tried adding premissions to this key for NETWORK SERVICE (John Smith already has full premissions) again to no avail.
I am running version 6.84.10.3 of PC Suite and Windows XP Professional SP2.
Whilst this is not a big issue as the software appears to be working fine, I do like to keep clear Event Logs so would appreciate any help in getting rid of these annoying entries.
Many thanks.Hi,
I tried to follow the post of miksu and patched with 6.84.10.4 but still the same problems...
/discussions/board/message?board.id=pcsuite&message.id=19801
So, like Jssolutions I reinstalled a previous version of Nokia PC Suite (v6.83.14.1). It works fine now... no more Event Logs
This former version can be downloaded on http://nds1.nokia.com/files/support/global/phones/software/Nokia_PC_Suite_683_rel_14_1_eng_web.exeMessage Edited by rabbyn on 23-Sep-200706:44 PM -
Hi,
We are receiving several eventids '26007' from the OpsMgr log on our Domain Controllers, also eventids '26008' with similar description are logged
The EventLog service reported that the Security event log on computer '<Domain Controller Computer>' is corrupt. The Windows Event Log Provider will attempt to recover by re-opening log.
I'll appreciate any suggestion in order to solve this issue.
Regards.I guess this issue is caused by event ID 4661 is corrupted in security event log.
Please check if you have many 4661 events in security event log and XML view cannot be viewed.
Running the below command on DC will disable the auditing of the SAM Object access. This should stop the Event ID 4661 from being logged which should stop the Alert regarding corrupt Event log:
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
Regards, -
Event log - Schannel Event ID 36888
Hi
I did a migration from SBS 2003 to SBS 2011 and all went smoothly. After migration I started to notice these errors popping up in the system log.
Schannel Event ID 36888 :"the following fatal alert was generated: 10. The internal error state is 1203."
I have scoured the forums and tried everything I could, from upgrading the sharepoint to checking exchange. It is not affecting the server performance in any noticeable manner but it is filling up the logs and I would rather know what is causing this other
then just suppressing the log?
It could be something mayor that I am missingHi Jean H. Marais,
Just additional. This error (Event ID 36888) occurs if a user tries to access a web site using HTTP but specifies
an SSL port in the URL. The internal error state 1203 indicates invalid ClientHello from the client.
Please refer to the similar thread and check if can help you.
Schannel error, Event ID 36888? - IS there a way to Identify what causes Schannel to log error?
http://social.technet.microsoft.com/Forums/windowsserver/en-US/4c5430f5-43f6-41b4-97d3-03cfb3efa70b/schannel-error-event-id-36888-is-there-a-way-to-identify-what-causes-schannel-to-log-error?forum=winserverDS
Regarding to enable/disable Schannel event logging in IIS, please refer to the next KB.
How to enable Schannel event logging in IIS
Hope this helps.
Best regards,
Justin Gu -
"Event Viewer cannot open the event Log or Custom view. Verify that the Event log service is running or query is too long. The instance name passed was not recognized as valid by a WMI data provider(4201)"
This error keeps cropping up now and again on most of our domain controllers (OS-2008 AND 2008R2)...Usually a restart fixes the issue however the issue repeats and security logs don't generate.
Any advice on how to fix this issue permanently would be greatly appreciated.Please see this: https://social.technet.microsoft.com/Forums/windows/en-US/95987ca3-a1b2-4da6-95b7-d825d06cdac7/error-code-4201-the-instance-name-passed-was-not-recognized-as-valid-by-a-wmi-data-provider?forum=w7itprosecurity
You can also try rebuilding the WMI repository: http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
I have troubles with my XML query. It returns to many results and double results.
My code
select xmlelement("test", XMLAgg(xmlelement("Customer", XmlAttributes(a.CUSTOMER_ID "cid"))),
XMLAgg(xmlelement("Account", xmlagg(xmlelement("Account", b.ACCOUNT_ID) ))),
XMLAgg(xmlelement("ServicePoint", xmlagg(xmlelement("sp", c.SPID) ))) ).extract('*').getstringval() xml
From DM_SERVICE_POINT c, DM_CUSTOMER a, DM_ACCOUNT b where a.CUSTOMER_ID = b.CUSTOMER_ID And a.CUSTOMER_ID=c.CUSTOMER_ID AND a.CUSTOMER_ID='15058'
group by a.CUSTOMER_ID
i have 1 customer id in the table dm_customer, 2 account_id 's that are linked to customer_id with a FK. DM_Servicepoint contains 6 rows that are linked to dm_customer with a FK.
My result is 1 result for customer, thats correct but account shows 12 results, where i expect 2 results
and Service point shows also 12 records where i expect 6 records.
There is no direct link between account and service point but both are linked to customer. Each customer can have 1 or 2 account And each customer can have 1 or many servicepoints.
Can you help me?
Message was edited by:
MarindaNow to see whether we can get this to work with XML....Turns out it's a lot easier than I thought it would be:
SQL> select dbms_xmlgen.getxml('select c.name
2 , cursor(select a.acctno, a.name
3 from my_accounts a
4 where a.cust_id = c.id ) as accounts
5 , cursor(select s.sp_ref
6 from my_service_points s
7 where s.cust_id = c.id ) as srv_points
8 from my_customers c
9 ') from dual
10 /
DBMS_XMLGEN.GETXML('SELECTC.NAME,CURSOR(SELECTA.ACCTNO,A.NAMEFROMMY_ACCOUNTSAWHE
<?xml version="1.0"?>
<ROWSET>
<ROW>
<NAME>APC</NAME>
<ACCOUNTS>
<ACCOUNTS_ROW>
<ACCTNO>900000</ACCTNO>
<NAME>No1 a/c</NAME>
</ACCOUNTS_ROW>
<ACCOUNTS_ROW>
<ACCTNO>900002</ACCTNO>
<NAME>Business</NAME>
</ACCOUNTS_ROW>
</ACCOUNTS>
<SRV_POINTS>
<SRV_POINTS_ROW>
<SP_REF>SP1</SP_REF>
</SRV_POINTS_ROW>
<SRV_POINTS_ROW>
<SP_REF>SP2</SP_REF>
</SRV_POINTS_ROW>
<SRV_POINTS_ROW>
<SP_REF>SP3</SP_REF>
</SRV_POINTS_ROW>
<SRV_POINTS_ROW>
<SP_REF>SP4</SP_REF>
</SRV_POINTS_ROW>
<SRV_POINTS_ROW>
<SP_REF>SP5</SP_REF>
</SRV_POINTS_ROW>
<SRV_POINTS_ROW>
<SP_REF>SP6</SP_REF>
</SRV_POINTS_ROW>
</SRV_POINTS>
</ROW>
<ROW>
<NAME>MARINDA</NAME>
<ACCOUNTS>
<ACCOUNTS_ROW>
<ACCTNO>900004</ACCTNO>
<NAME>Checking</NAME>
</ACCOUNTS_ROW>
</ACCOUNTS>
<SRV_POINTS>
<SRV_POINTS_ROW>
<SP_REF>SP7</SP_REF>
</SRV_POINTS_ROW>
<SRV_POINTS_ROW>
<SP_REF>SP8</SP_REF>
</SRV_POINTS_ROW>
</SRV_POINTS>
</ROW>
</ROWSET>
SQL> Obviously you'll need to do some smartening up of the tag names.
Cheers, APC
Blog : http://radiofreetooting.blogspot.com/ -
Event Log Help Links No Longer Working?
Have the help links in the Windows XP event log entries been discontinued?
They used to open up the Help and Support Center with further information about the Event Log error if it was available.
For some time now they have all just given a "page not found" error, which then re-directs to Bing with offered results that are no use at all!
This happens now on every XP system I've tried it on.
As a user of Windows 8.1 as well as XP, I'm well aware that the Windows 8 Event Log help links have never worked so far, but the XP ones always did, and despite the looming "End of Support" I can see no reason for all that information to have been
removed.
Any explanation for this?
Thanks, Dave Hawley.Hi - thank you DaveHawley for the report. Just wanted to confirm that I've passed this on to the team that looks after the redirect service behind the "More Info" link.
There have been some major changes in how this redirection works over the years as well as in the last months. The most recent efforts added the option to enable use of the TechNet Wiki [sample]
to allow the community to comment & contribute for a given component. I'm only guessing here, but this might have accidentally impacted XP.
Thanks
Bruno -
Oracle 10g XE Event Logs - Please help
I'm running 10g XE on a Virtual 2003 Server. My Applicatin Event Logs the following events. I will get up to 20 events per minutes. I have posted the event description. Please advise. Thank you,
The description for Event ID ( 5 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: QMNC, xe.
The description for Event ID ( 16 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: xe.
The description for Event ID ( 34 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ACTION : 'CONNECT' DATABASE USER: '/' PRIVILEGE : SYSDBA CLIENT USER: NT AUTHORITY\SYSTEM CLIENT TERMINAL: [Server FQDN stated in this area]: 0 .Hi Jab
The last event is something Oracle logs per default. Every time someone logs in with sysdba privileges, it is logged to the event log. Read more in the manual
Security guide, chapter 8
Try to check the parameter
AUDIT_TRAIL
in the database
show parameter AUDIT_TRAIL
If it is set to OS and you have enabled auditing, then more events are written to the event log.
Best wishes,
Kennie
The description for Event ID ( 34 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ACTION : 'CONNECT' DATABASE USER: '/' PRIVILEGE : SYSDBA CLIENT USER: NT AUTHORITY\SYSTEM CLIENT TERMINAL: Server FQDN stated in this area: 0 . -
Custom event log is not working in SharePoint server
Hi ,
We are trying to implement event logging in our application. We have created separate event source for our application. When we testing this our local dev machine it is working without any problem. when I try to test the same in higher environment (QA, Pre-prod)
it is not working. The QA environment is a multi form server. We are able to see the event source in the event viewer, but the logging is not happening. We have tried restarting IIS, restarting the services.
Any suggestion or guidance will be highly appreciated.
Thanks in AdvanceLogging should use the SharePoint Unified Logging Services (ULS) infrastructure.
Logging to the Event Viewer requires ADMIN PERMISSION... which is why it works fine in DEV, and not in TEST/PROD.
DO NOT LOG TO THE EVENT VIEWER... OR USE ANY OTHER HOME GROWN CONCOCTION... USE THE LOGGING FRAMEWORK PROVIDED BY THE PLATFORM.
This may help: http://www.sbrickey.com/Tech/Blog/Post/Custom_Logging_in_SharePoint_2010
Scott Brickey
MCTS, MCPD, MCITP
www.sbrickey.com
Strategic Data Systems - for all your SharePoint needs -
Creating a Custom Event Log View Shortcut on a server desktop for an admin
Good morning,
We have a new admin starting and I would like to create custom event log view shortcut on there desktop for each server they need to check. Is there a way to do this in Server 2012 and Server 2008?
I have figured out how to create a shortcut of the Application and System log, but not Custom Views. Thanks.Hi,
Based on my research, you can create a custom view like
this.However, I tried miltiple ways to create a shortcut of the custom view of the event viewer and no result. I can only create a shortcut of the event viewer. You may need a script can achieve that.
Best regards,
Susie
Maybe you are looking for
-
Hi Experts, How to hide some columns in some ALV report. Regards, Kali Pramod
-
How to display F4 values in one field based on other field selection
Hi All, How to hide a UI element (i.e Link to action) highlited for Normal User and display the same to super user. Component Name : /SAPSRM/WDC_DODC_SC_GAF_C 2.Can i know how to display the entries in supplier field based on Product category select
-
Create a vendor bank account by BAPI with LFBK
Hi forum Someone knows how to create a vendor bank account by BAPI ? with data from LFBK thnks Josué Cruz
-
Change of Costing Sheet Assignment
Dear Experts, We have assigned costing sheet to valuation variant and valuation variant is assigned to costing variant. This costing variant is assigned to order type for production orders. Now we have created new costing sheet and assigned to valuat
-
HT3965 How do I change the ID that shows on other people's phones when I call from my iPhone five
How do I change ID that shows on other people's phones when I call from my iPhone5?