XML Filtering in Windows Event Viewer

Home › HowTo › XML Filtering in Windows Event Viewer

XML Filtering in Windows Event Viewer

admin December 23, 2014 HowTo, Windows Leave a comment (2)

The basic filtering options in Windows Event Viewer are limited as it is not possible to use information from the log details as a filter. This however can be done with an XML filter. This is not an in-depth tutorial, just some quick examples to get started.

1. A Basic Query

The following query will result in all log entries from the Security section that have an IpAddress field in their details, which contains the specified IP address:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='IpAddress'] and (Data='192.168.0.1')]]
    </Select>
  </Query>
</QueryList>

*[EventData[Data[@Name='IpAddress'] and (Data='192.168.0.1')]]

</Select>

</Query>

</QueryList>

This code can be used alternatively:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='IpAddress'] = '192.168.0.1']]
    </Select>
  </Query>
</QueryList>

*[EventData[Data[@Name='IpAddress'] = '192.168.0.1']]

</Select>

</Query>

</QueryList>

2. Combining Multiple Conditions

This query is like the one from slotspie 1., but it’ll look for two IP addresses:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='IpAddress'] and (Data='192.168.0.1' or Data='192.168.0.2')]]
    </Select>
  </Query>
</QueryList>

*[EventData[Data[@Name='IpAddress'] and (Data='192.168.0.1' or Data='192.168.0.2')]]

</Select>

</Query>

</QueryList>

This query will result in all log entries from the Security section that have an event ID of 4625 (=> an account failed to log on) and are not older than 30 days (=> 2592000000 ms), plus the condition from 1.:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 2592000000]]] and
      *[EventData[Data[@Name='IpAddress'] and (Data='192.168.0.1')]]
    </Select>
  </Query>
</QueryList>

*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 2592000000]]] and

*[EventData[Data[@Name='IpAddress'] and (Data='192.168.0.1')]]

</Select>

</Query>

</QueryList>

3. Exclusions (Not Equal Operator)

This query will result in all failed logons from the past 30 days that don’t involve the usernames user, temp and administrator:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 2592000000]]] and
      *[EventData[Data[@Name='TargetUserName'] != 'user']] and
      *[EventData[Data[@Name='TargetUserName'] != 'temp']] and
      *[EventData[Data[@Name='TargetUserName'] != 'administrator']]
    </Select>
  </Query>
</QueryList>

*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 2592000000]]] and

*[EventData[Data[@Name='TargetUserName'] != 'user']] and

*[EventData[Data[@Name='TargetUserName'] != 'temp']] and

*[EventData[Data[@Name='TargetUserName'] != 'administrator']]

</Select>

</Query>

</QueryList>

« Previous | Next »

2 Comments.[ Leave a comment ]

Andrew May 20, 2015 at 6:34 pm

Thank’s! It’s very usefull!
Anonymous May 26, 2017 at 11:20 am

Thank’s very much.
I got the xml is special. |^^|

Acidx's Blog

HowTos & Reviews