Zoho Banner September 2011

If you’ve spent some time with Vista or Windows Server 2008 you’ll have noticed that there are some fundamental changes to the event viewer.  One of the changes is in the way in which event logs can be filtered.  In addition to the point-and-click filter selection you can now also enter an xpath query by accessing the XML tab (see screenshots below).  This gives you the ability to filter using a much wider range of criteria.  Basically, you can search using anything that is presented in the list of XML values.

event_filtering1.JPG

-

event_filtering2.JPG

The xpath queries take a bit of getting used to and as yet there don’t appear to be many publicly available examples.  Here are a few to get you started. This query searches the Security Event log for 4624 events that include a TargetUsername of “User1″ and corresponding to a logon type of “2″ (interactive). 

<QueryList>
  <Query Id=”0″ Path=”Security”>
    <Select Path=”Security”>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)] and EventData[Data[@Name='TargetUserName']=’User1′] and EventData[Data[@Name='LogonType']=’2′]]</Select>
  </Query>
</QueryList>

The query below also looks for 4624 events, but this time for those that include a WorkstationName of “Workstation1″ and a logon type of “3″ (network). 

<QueryList>
  <Query Id=”0″ Path=”Security”>
    <Select Path=”Security”>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)] and EventData[Data[@Name='WorkstationName']=’Workstation1′] and EventData[Data[@Name='LogonType']=’3′]]</Select>
  </Query>
</QueryList>

Even though Xpath can appear a little daunting at first it is worth spending a bit of time with as it’s potentially quite powerful.  As with Powershell it is something that is likely to be here to stay.

2 Comments

  1. Matz says:

    Hi, nice examples but they didn’t work on my Vista 64-bit. Finaly I found out that changing all ‘ to ” then it worked.

  2. Abs says:

    Perfect for filtering Remote Desktop / Terminal Server logon events.

    Thanks!!!

Leave a Reply