XPath Query in Event Viewer

06-07-2008

I am trying to do a query to bring back only records that have a IP address
from the event data:

EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DAVE-PC$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">SYSTEM</Data>
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0x3e7</Data>
<Data Name="LogonType">5</Data>
<Data Name="LogonProcessName">Advapi</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName" />
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x2ac</Data>
<Data Name="ProcessName">C:\Windows\System32\services.ex e</Data>
<Data Name="IpAddress">192.168.11.4</Data>
<Data Name="IpPort">3284</Data>
</EventData>

It might be different IP's so I need it to pickup a string is there. Any
ideas?

Thanks,
Dave

06-11-2008

I have narrowed the query down to the following:

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624)] and
EventData[(Data[@Name="IpAddress"])]]</Select>
</Query>
</QueryList>

but I cant seem to be able to query the data in the IpAddress field. I was
thinking setting up a wildcard for the different IPs that could be there,
but then I thought about using the <Supress> to remove any events that only
show "-" for IPAddress.

The best documentation I have been able to find is at:
http://msdn.microsoft.com/en-us/libr...31(VS.85).aspx but even that is
pretty sparse.

Anyone have any better idea on how to query for the additional information
in that field for either a wildcard or a supress operation?

Thanks,
Dave

06-13-2008

I was able to finally narrow a query down that worked with the help of Phil
Fearon over on the Technet Forums.

The following query will filter for the event 4624, but supress any records
without a IP address:

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624)]]</Select>
<Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-"
]]</Suppress>
</Query>
</QueryList>

Thanks Phil!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
event viewer	hitmanout2007	Windows Vista Performance	2	04-17-2008 08:51 AM
Event Viewer bug?	Neil Harley	Windows Vista General Discussion	8	05-04-2007 02:42 AM
Event Viewer	blade0r	Windows Vista General Discussion	0	04-10-2007 08:56 PM
BUG: a lot of errors "Event ID 6003 winlogon" in Event Viewer	BillD	Windows Vista General Discussion	1	03-28-2007 03:39 PM
Event Viewer	Peter Duphilly	Windows Vista Performance	2	01-27-2007 02:56 AM