XPath Query in Event Viewer

  • Thread starter: Dave Lawlor

Dave Lawlor

I am trying to do a query to bring back only records that have an IP address
in the event data:

<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DAVE-PC$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">SYSTEM</Data>
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0x3e7</Data>
<Data Name="LogonType">5</Data>
<Data Name="LogonProcessName">Advapi</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName" />
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x2ac</Data>
<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
<Data Name="IpAddress">192.168.11.4</Data>
<Data Name="IpPort">3284</Data>
</EventData>


It might be different IPs, so I need it to pick up whatever string is there. Any
ideas?

Thanks,
Dave
 
I have narrowed the query down to the following:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)] and EventData[(Data[@Name="IpAddress"])]]</Select>
  </Query>
</QueryList>


but I can't seem to be able to query the data in the IpAddress field. I was
thinking of setting up a wildcard for the different IPs that could be there,
but then I thought about using <Suppress> to remove any events that only
show "-" for IpAddress.

The best documentation I have been able to find is at:
http://msdn.microsoft.com/en-us/libr...31(VS.85).aspx but even that is
pretty sparse.

Anyone have any better idea on how to query for the additional information
in that field, for either a wildcard or a suppress operation?

Thanks,
Dave
 
I was able to finally narrow a query down that worked with the help of Phil
Fearon over on the Technet Forums.

The following query will filter for event 4624, but suppress any records
without an IP address:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-"]]</Suppress>
  </Query>
</QueryList>

Thanks Phil!
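The same Select/Suppress filter can be driven from PowerShell with Get-WinEvent -FilterXml, which is how most people end up using a query like this once they want the matching events in a table rather than in the Event Viewer pane. The block below is an added example, not code from the thread or from Phil Fearon: it runs the working query from the post, pulls IpAddress, IpPort, LogonType and the target account out of each event's XML, and tallies logons by source address. It assumes a local Security log and an elevated session (reading Security requires administrator rights); the -MaxEvents value and the column names are choices made for the example.

```powershell
# Added example (not from the original thread). Runs the Select/Suppress query
# from the post through Get-WinEvent and extracts the EventData fields that the
# XPath filter cannot return on its own. Assumes a local Security log and an
# elevated PowerShell session.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-"]]</Suppress>
  </Query>
</QueryList>
"@

# -MaxEvents keeps the first run cheap on a busy domain controller; drop it to
# scan the whole log. SilentlyContinue avoids an error when nothing matches.
$events = Get-WinEvent -FilterXml $query -MaxEvents 500 -ErrorAction SilentlyContinue

# Each event's full XML is available via ToXml(); every <Data Name="..."> under
# <EventData> becomes one node, so build a Name -> value lookup per event.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        IpAddress   = $data['IpAddress']
        IpPort      = $data['IpPort']
        LogonType   = $data['LogonType']
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Workstation = $data['WorkstationName']
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Which source addresses account for the most logons? A quick first cut when
# hunting for password spraying or an unexpected host using a service account.
$rows | Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Two things worth knowing when you adapt this. First, the filter only drops the literal "-" value, so loopback logons (127.0.0.1, ::1) still come through; add a second <Suppress> or filter $rows if you only want remote sources. Second, the Event Log's XPath subset also supports the != operator, so a single Select of *[System[(EventID=4624)] and EventData[Data[@Name="IpAddress"] != "-"]] does the same job without a Suppress element; both forms can be pasted into the XML tab of Event Viewer's Filter Current Log dialog.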
 