The basic filtering options in Windows Event Viewer are limited: they cannot filter on information from the event details (the EventData fields). This can, however, be done with an XML filter. This is not an in-depth tutorial, just some quick examples to get started.
1. A Basic Query
The following query returns all entries from the Security log that have an IpAddress field in their details matching the specified IP address:
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='IpAddress'] and (Data='192.168.0.1')]]
    </Select>
  </Query>
</QueryList>
```
Alternatively, this query can be used:
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='IpAddress'] = '192.168.0.1']]
    </Select>
  </Query>
</QueryList>
```
2. Combining Multiple Conditions
This query is like the one from section 1, but it looks for two IP addresses:
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='IpAddress'] and (Data='192.168.0.1' or Data='192.168.0.2')]]
    </Select>
  </Query>
</QueryList>
```
This query returns all entries from the Security log that have an event ID of 4625 (=> an account failed to log on) and are not older than 30 days (=> 2592000000 ms), plus the condition from section 1:
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]
      and *[EventData[Data[@Name='IpAddress'] and (Data='192.168.0.1')]]
    </Select>
  </Query>
</QueryList>
```
3. Exclusions (Not Equal Operator)
This query returns all failed logons from the past 30 days that don’t involve the usernames user, temp and administrator:
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 2592000000]]]
      and *[EventData[Data[@Name='TargetUserName'] != 'user']]
      and *[EventData[Data[@Name='TargetUserName'] != 'temp']]
      and *[EventData[Data[@Name='TargetUserName'] != 'administrator']]
    </Select>
  </Query>
</QueryList>
```
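The same filters from sections 2 and 3 can be run outside Event Viewer: `Get-WinEvent -FilterXml` accepts this XML directly. As an added example that is not part of the original post, the script below builds the combined query (failed logons in the last 30 days from given source IPs, excluding some accounts) from parameters, runs it, and counts hits per source IP and target account. The IP addresses and account names are constructed placeholders, and reading the Security log needs an elevated session.

```powershell
# Added example, not from the original post. Builds the section 2/3 query
# from parameters, runs it with Get-WinEvent, and summarises the results.

$Ips      = @('192.168.0.1', '192.168.0.2')       # constructed sample values
$Exclude  = @('user', 'temp', 'administrator')    # accounts to leave out
$Days     = 30
$WindowMs = $Days * 24 * 60 * 60 * 1000           # 2592000000 for 30 days

# Same XPath constructs as the post, assembled from the parameter lists.
$ipPredicate = ($Ips | ForEach-Object { "Data='$_'" }) -join ' or '
$exclusions  = ($Exclude | ForEach-Object {
    "and *[EventData[Data[@Name='TargetUserName'] != '$_']]"
}) -join "`n      "

# Inside a real XML document '<' must be escaped, hence '&lt;=' below.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= $WindowMs]]]
      and *[EventData[Data[@Name='IpAddress'] and ($ipPredicate)]]
      $exclusions
    </Select>
  </Query>
</QueryList>
"@

$query  = [xml]$filterXml    # fails fast here if the generated XML is malformed
$events = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue

# Read the named EventData fields from each record's XML rendering instead
# of relying on positional Properties[] indices, which differ per event type.
$rows = foreach ($e in $events) {
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Ip     = $data['IpAddress']
        User   = $data['TargetUserName']
        Status = $data['Status']    # NTSTATUS of the failure, useful for triage
    }
}

# Failed-logon count per (source IP, target account), most frequent first.
$rows | Group-Object Ip, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Lowering `$Days` or widening `$Ips` changes only the parameters; the generated query stays structurally identical to the one shown in section 3.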
Thanks! It’s very useful!
Thanks very much.
I got that the XML is special. |^^|