CODE – Windows event viewer CUSTOM XML FILTER

Posted: 20 November 2013 in Uncategorized

If you want to run an advanced filter in Windows Event Viewer you will need to know a little bit of XPath 1.0. If you have used SQL 2005/2008 and XML fields, this should be as easy as 1-2-3; if not, here are some examples I have put together. Keep in mind that the event log only supports a subset of XPath 1.0 (equality and numeric/time comparisons, plus position(), Band() and timediff(); there is no contains() or starts-with()), so a filter is always built from predicates on the System and EventData elements of the event XML.

In this example I am filtering the Security log for logon events (EventID 4624) in the date range December 1 2009 to December 18 2009, restricted to one TargetUserSid and one WorkstationName. The filter is pasted into the XML tab of the Filter Current Log dialog (tick "Edit query manually"). Because it sits inside an XML document the less-than operator must be written &lt;, and @SystemTime values are UTC timestamps in the form yyyy-MM-ddTHH:mm:ss.fffZ.

     <QueryList>
       <Query Id="0" Path="Security">
         <Select Path="Security">
           *[System[(Level=4 or Level=0 or Level=5)
                    and (EventID=4624)
                    and TimeCreated[@SystemTime&gt;='2009-12-01T15:34:00.000Z'
                                    and @SystemTime&lt;='2009-12-18T15:34:34.999Z']]]
           and *[EventData[Data[@Name='TargetUserSid'] and (Data='S-1-5-21-1261577687-3656830202-1507140918-1131')]]
           and *[EventData[Data[@Name='WorkstationName'] and (Data='computerName.domain.local')]]
         </Select>
       </Query>
     </QueryList>
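The same filter can be run from PowerShell with Get-WinEvent -FilterXml, which is the quickest way to test a query before saving it as a custom view. The script below is an added example and not code from the original post; it assumes an elevated session (the Security log is only readable as an administrator), reuses the post's placeholder SID, workstation name and dates, and binds each Data name directly to its value (Data[@Name='X']='Y') rather than the looser "Data[@Name='X'] and (Data='Y')" shape shown above. The local-to-UTC conversion matters: @SystemTime is stored in UTC, so a range typed in local time is shifted by the machine's offset.

```powershell
# Added example (not from the original post): build the post's Security-log filter as a
# full QueryList document and run it with Get-WinEvent -FilterXml. Requires an elevated
# session. SID, workstation name and date range are the post's placeholder values.
param(
    [string]$TargetUserSid   = 'S-1-5-21-1261577687-3656830202-1507140918-1131',
    [string]$WorkstationName = 'computerName.domain.local',
    [datetime]$From = '2009-12-01 15:34:00',   # local time
    [datetime]$To   = '2009-12-18 15:34:34'    # local time
)

# @SystemTime is stored in UTC; convert the local range before comparing.
# Backslashes keep the literal T and Z out of the .NET format specifiers.
$fmt   = 'yyyy-MM-dd\THH:mm:ss.fff\Z'
$fromU = $From.ToUniversalTime().ToString($fmt)
$toU   = $To.ToUniversalTime().ToString($fmt)

# The values are spliced into single-quoted XPath string literals. SecurityElement::Escape
# protects the XML markup (& < >), but the XML parser turns &apos; back into ' before the
# XPath engine sees it, so a value containing a single quote would still break out of the
# literal: refuse it instead of building a filter from it.
foreach ($v in $TargetUserSid, $WorkstationName) {
    if ($v.Contains("'")) { throw "Filter value may not contain a single quote: $v" }
}
$sidX = [System.Security.SecurityElement]::Escape($TargetUserSid)
$wsX  = [System.Security.SecurityElement]::Escape($WorkstationName)

# Inside the XML document the comparison operators are written &gt;= and &lt;=.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(Level=4 or Level=0 or Level=5)
               and (EventID=4624)
               and TimeCreated[@SystemTime&gt;='$fromU' and @SystemTime&lt;='$toU']]]
      and *[EventData[Data[@Name='TargetUserSid']='$sidX']]
      and *[EventData[Data[@Name='WorkstationName']='$wsX']]
    </Select>
  </Query>
</QueryList>
"@

# Properties[] follows the order of the event's Data elements: for 4624, index 5 is
# TargetUserName, 8 is LogonType and 18 is IpAddress.
Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName,
        @{ n = 'TargetUserName'; e = { $_.Properties[5].Value } },
        @{ n = 'LogonType';      e = { $_.Properties[8].Value } },
        @{ n = 'IpAddress';      e = { $_.Properties[18].Value } }
```

With -ErrorAction SilentlyContinue an empty result set returns nothing instead of the "No events were found" error; drop it while debugging a query so that a malformed XPath is reported.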

Under Security > EventData you can filter on these Data fields (this is the set carried by logon event 4624; other event IDs carry different names):

SubjectUserSid
SubjectUserName
SubjectDomainName
SubjectLogonId
TargetUserSid
TargetUserName
TargetDomainName
TargetLogonId
LogonType
LogonProcessName
AuthenticationPackageName
WorkstationName
LogonGuid
TransmittedServices
LmPackageName
KeyLength
ProcessId
ProcessName
IpAddress
IpPort
As simple as

    and *[EventData[Data[@Name='YOUROPTION'] and (Data='YOURVALUE')]]

Here are examples of simple custom filters in the Windows Event Log:

Select all events in the Security Event Log where the account name involved (TargetUserName) is "JUser"

    *[EventData[Data[@Name="TargetUserName"] and (Data="JUser")]]

Note that this is looser than it reads: Data[@Name="TargetUserName"] only requires that a TargetUserName field exists, and (Data="JUser") matches "JUser" in any Data field (SubjectUserName included). To bind the name to the value, compare the named field directly: *[EventData[Data[@Name="TargetUserName"]="JUser"]].

Select all events in the Security Event Log where the string "JUser" is present as data anywhere in the EventData section

    *[EventData[Data and (Data="JUser")]]

Select all events in the Security Event Log where the strings "JUser" or "JDoe" are present as data anywhere in the EventData section

    *[EventData[Data and (Data="JUser" or Data="JDoe")]]

Select all events in the Security Event Log where the string "JUser" is present as data anywhere in the EventData section and the Event ID is 4771 (Kerberos pre-authentication failed)

    *[System[(EventID="4771")]] and *[EventData[Data and (Data="JUser")]]
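Two things a practitioner needs before writing these filters are the exact Data names an event carries (the YOUROPTION values from the field list above, which differ per event ID) and a filter that actually binds the name to the value. The following PowerShell is an added example and not code from the original post; it assumes an elevated session on a host with logon auditing enabled, and the log name, event IDs 4624 and 4771 and the "JUser" placeholder are the post's own. The discovery function works for any event ID, not only 4624.

```powershell
# Added example (not from the original post). Requires an elevated session.

# 1. List the EventData field names an event carries by reading one instance of it and
#    walking its XML. Works for any log and event ID; events that use a UserData section
#    instead of EventData return nothing.
function Get-EventDataNames {
    param([string]$LogName = 'Security', [Parameter(Mandatory)][int]$Id)
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id } -MaxEvents 1 -ErrorAction Stop
    ([xml]$ev.ToXml()).Event.EventData.Data | Select-Object -ExpandProperty Name
}

# 2. Loose vs. bound predicates.
#    Loose:  Data[@Name='TargetUserName'] and (Data='JUser')
#            true when a TargetUserName field exists AND any Data field equals 'JUser';
#            a 4624 where SubjectUserName is JUser and TargetUserName is someone else matches too.
#    Bound:  Data[@Name='TargetUserName']='JUser'
#            true only when the TargetUserName field itself equals 'JUser'.
$user = 'JUser'
# The value lands inside a single-quoted XPath literal; refuse quotes rather than let a
# user-supplied name rewrite the filter.
if ($user.Contains("'")) { throw "User name may not contain a single quote: $user" }

$loose   = "*[EventData[Data[@Name='TargetUserName'] and (Data='$user')]]"
$bound   = "*[EventData[Data[@Name='TargetUserName']='$user']]"
# System and EventData predicates combined: Kerberos pre-auth failures (4771) for the user.
$preauth = "*[System[EventID=4771]] and *[EventData[Data[@Name='TargetUserName']='$user']]"

'Data names carried by event 4624:'
Get-EventDataNames -Id 4624

'Logons whose TargetUserName is exactly the user (bound form):'
Get-WinEvent -LogName Security -FilterXPath $bound -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'TargetUserName'; e = { $_.Properties[5].Value } }

'Events the loose form matches but the bound form does not:'
$boundIds = @(Get-WinEvent -LogName Security -FilterXPath $bound -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object RecordId)
Get-WinEvent -LogName Security -FilterXPath $loose -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $boundIds -notcontains $_.RecordId } |
    Select-Object TimeCreated, Id, RecordId

'Kerberos pre-authentication failures for the user:'
Get-WinEvent -LogName Security -FilterXPath $preauth -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'IpAddress'; e = { $_.Properties[6].Value } }
```

The third listing is the practical check: any record it prints is one the loose pattern would have attributed to JUser although JUser is not the logon target. Property indexes follow the event's Data order (TargetUserName is index 5 in 4624; IpAddress is index 6 in 4771), so use Get-EventDataNames to confirm the order before relying on an index for another event ID.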
