HomeHowTo › XML Filtering in Windows Event Viewer

XML Filtering in Windows Event Viewer

admin December 23, 2014 HowTo, Windows Leave a comment (2)

The basic filtering options in Windows Event Viewer are limited as it is not possible to use information from the log details as a filter. This however can be done with an XML filter. This is not an in-depth tutorial, just some quick examples to get started.

 

1. A Basic Query

The following query will result in all log entries from the Security section that have an IpAddress field in their details, which contains the specified IP address:

This code can be used alternatively:

 

2. Combining Multiple Conditions

This query is like the one from slotspie 1., but it’ll look for two IP addresses:

This query will result in all log entries from the Security section that have an event ID of 4625 (=> an account failed to log on) and are not older than 30 days (=> 2592000000 ms), plus the condition from 1.:

 

3. Exclusions (Not Equal Operator)

This query will result in all failed logons from the past 30 days that don’t involve the usernames user, temp and administrator:

 

|

2 Comments.[ Leave a comment ]

  1. Andrew May 20, 2015 at 6:34 pm

    Thank’s! It’s very usefull!

  2. Anonymous May 26, 2017 at 11:20 am

    Thank’s very much.
    I got the xml is special. |^^|

Leave a Comment

Captcha Captcha Reload