Memorise

Windows Event Viewer CUSTOM XML FILTER

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data and (Data="swilkinson")]]</Select>
  </Query>
</QueryList>

Here are examples of simple custom filters in Windows Event Log:
Select all events in the Security Event Log where the account name involved (TargetUserName) is "AUser"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data[@Name="TargetUserName"]="AUser"]]</Select></Query></QueryList>

Select all events in the Security Event Log where the string "AUser" is present as data anywhere in the EventData section
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data and (Data="AUser")]]</Select></Query></QueryList>

Select all events in the Security Event Log where the strings "AUser" or "JDoe" are present as data anywhere in the EventData section
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data and (Data="AUser" or Data="JDoe")]]</Select></Query></QueryList>

Select all events in the Security Event Log where the string "AUser" is present as data anywhere in the EventData section and the Event ID is "4771"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID="4771")]] and *[EventData[Data and (Data="AUser")]]</Select></Query></QueryList>
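
The same filters can be built and run from PowerShell instead of pasting them into the Event Viewer XML tab. The script below is an added example, not part of the original post: it generates a QueryList of the kind shown above from a list of account names, an optional Event ID list and an optional time window, then passes it to Get-WinEvent -FilterXml. The account names, the Event ID 4771 and the 24-hour window are constructed sample values; the TargetUserName and IpAddress fields read from each event are assumed to be present, which holds for 4771 but not for every Security event.

```powershell
# Added example (not from the original post): build a custom XML filter like the
# ones above from parameters and run it with Get-WinEvent. Account names, Event IDs
# and the time window used below are constructed sample values.
function New-SecurityUserFilterXml {
    param(
        [Parameter(Mandatory)][string[]]$UserName,  # one or more account names to match
        [int[]]$EventId,                            # optional: restrict to these Event IDs
        [string]$DataName,                          # optional: match only this named field, e.g. TargetUserName
        [int]$LastHours                             # optional: only events newer than this many hours
    )
    # Escape values so they cannot break the XML the filter is embedded in
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }

    if ($DataName) {
        # Data[@Name='X']='value' ties the value to that specific EventData field
        $dataTerms = $UserName | ForEach-Object { "Data[@Name='$(& $esc $DataName)']='$(& $esc $_)'" }
    } else {
        # Data='value' matches the string in any EventData field (slower: every field is compared)
        $dataTerms = $UserName | ForEach-Object { "Data='$(& $esc $_)'" }
    }
    $eventDataPred = "EventData[" + ($dataTerms -join ' or ') + "]"

    $systemTerms = @()
    if ($EventId) {
        $systemTerms += "(" + (($EventId | ForEach-Object { "EventID=$_" }) -join ' or ') + ")"
    }
    if ($LastHours) {
        # timediff(@SystemTime) is the age of the event in milliseconds
        $systemTerms += "TimeCreated[timediff(@SystemTime) <= $($LastHours * 3600000)]"
    }
    $xpath = if ($systemTerms.Count -gt 0) {
        "*[System[" + ($systemTerms -join ' and ') + "] and $eventDataPred]"
    } else {
        "*[$eventDataPred]"
    }

    # Closing "@ of a here-string must start at column 0
@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$xpath</Select>
  </Query>
</QueryList>
"@
}

# Sample: Kerberos pre-authentication failures (4771) naming either sample account in the last 24 hours
$filter = New-SecurityUserFilterXml -UserName 'AUser','JDoe' -EventId 4771 -LastHours 24
$filter   # the generated QueryList can also be pasted into Event Viewer's XML tab

# Run the filter locally; reading the Security log normally requires local administrator rights
Get-WinEvent -FilterXml $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Computer    = $x.Event.System.Computer
            Account     = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
            Client      = ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
        }
    } | Format-Table -AutoSize
```

Passing -DataName TargetUserName produces the narrower `Data[@Name='TargetUserName']='AUser'` form from the first example, which is preferable on busy logs: the `Data='AUser'` form compares every EventData field of every event and will also match the value when it appears in an unrelated field such as SubjectUserName.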

Categorised as: Microsoft, Server OS

