Consider the following scenario:
- You create an event subscription on a server that is running Windows Server 2008.
- The event subscription collects events from a server that is running Windows Server 2003.
- A custom filter is defined on a date/time value such as System Time.
In this scenario, the event subscription does not collect the events. This includes events that occur in real time.
This issue occurs because the custom filter that collects events does not work for a server that is running Windows Server 2003. The Wevtfwd plug-in in Windows Server 2003 uses MSXML to apply the XPATH query to the event. Therefore, MSXML is used to select the event or to reject the event.
Additionally, MSXML 6.0 is used to parse the event. MSXML 6.0 does not support either the TIMEDFF
function or string comparison by using the "<=" and ">=" constructs. Therefore, the parser rejects the query when the query contains these constructs. This behavior prevents the event from being forwarded to the event subscription.
To resolve this problem so that these kinds of queries function correctly, upgrade the source server to Windows Server 2008.