Reputation: 19
I have the following filtering logic to define the events that I want to source:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]]
      and
      *[EventData[Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']]
      and
      *[substring([EventData[Data[@Name='TargetUserName']]],2,1) != '-']
    </Select>
  </Query>
</QueryList>
But the part "*[substring([EventData[Data[@Name='TargetUserName']]],2,1) != '-']" leads to an error, as it is not being parsed.
I want to discard certain target usernames that start with 'L-', 'D-' and 'C:/'.
Please suggest proper solutions.
Upvotes: 1
Views: 3403
Reputation: 11
I found that if you change the query to pull Application or System logs, you do not get the same error. There seems to be a bug with the Security log. Another post suggests that reducing the character length to under 150 seems to resolve the issue.
Not sure if this solves your problem as you may need more than 150 characters.
Upvotes: 1
Reputation: 23627
I am guessing, based on how you wrote your third XPath expression, that you have a structure like this:
...
<Any-Element>
  <EventData>L-username
    <Data Name='TargetUserName'>xxx</Data>
  </EventData>
</Any-Element>
...
Then you could use this expression to obtain what you want:
*[substring(EventData[Data[@Name='TargetUserName']], 2, 1) = '-']
But I suspect this is not the case, since your second expression compares the contents of the <Data> element (and not the contents of <EventData>), and you didn't mention it was failing. So probably the xxx string above is where your username is. If that is the case, you should compare the contents of Data, and not EventData:
*[EventData[substring(Data[@Name='TargetUserName'], 2, 1) = '-']]
Upvotes: 1
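Added example (editor's code, not from the question or either answer). The XPath accepted by the Windows Event Log engine is a restricted XPath 1.0 subset whose only supported functions are position(), Band() and timediff(), so any predicate using substring() fails to parse regardless of where the brackets go. The workable split is to keep the EventID and ANONYMOUS LOGON predicates server-side and apply the prefix exclusion (L-, D-, C:/) to TargetUserName client-side in PowerShell. The script assumes the standard Event XML namespace and that events are read with Get-WinEvent; the sample account names and event XML at the end are constructed for the offline demonstration, not captured from a real host.

```powershell
# Added example, not code from the original question or either answer.
# Server-side part: only the predicates the Event Log XPath subset can evaluate.
$FilterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]]
      and
      *[EventData[Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']]
    </Select>
  </Query>
</QueryList>
'@

# Client-side part: the prefixes the question wants discarded, anchored at the
# start of the name and regex-escaped so every character is matched literally.
$ExcludedPrefixes = @('L-', 'D-', 'C:/')
$ExcludePattern   = '^(?:' + (($ExcludedPrefixes | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'

function Get-TargetUserName {
    # Pull the named EventData field out of an event's XML (the shape returned by
    # EventLogRecord.ToXml()); the Event schema lives in its own namespace.
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $EventXml.NameTable
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $node = $EventXml.SelectSingleNode("/e:Event/e:EventData/e:Data[@Name='TargetUserName']", $ns)
    if ($node) { $node.InnerText } else { $null }
}

function Test-KeepEvent {
    # $true unless the account name starts with an excluded prefix.
    # -match is case-insensitive, matching how Windows treats account names;
    # use -cmatch if the XPath's case-sensitive '!=' behaviour is wanted instead.
    param([string]$TargetUserName)
    if (-not $TargetUserName) { return $false }   # no TargetUserName field: drop it
    return -not ($TargetUserName -match $ExcludePattern)
}

# Offline demonstration on constructed event XML (sample names are made up).
$SampleNames = 'alice', 'L-build01', 'd-svcapp', 'C:/odd', 'DOMAIN-user', 'bob'
foreach ($name in $SampleNames) {
    $eventXml = [xml]@"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4624</EventID></System>
  <EventData><Data Name='TargetUserName'>$name</Data></EventData>
</Event>
"@
    $user = Get-TargetUserName -EventXml $eventXml
    '{0,-12} keep={1}' -f $user, (Test-KeepEvent -TargetUserName $user)
}

# Live use (reading the Security log needs an elevated session):
# Get-WinEvent -FilterXml $FilterXml -MaxEvents 500 |
#   Where-Object { Test-KeepEvent -TargetUserName (Get-TargetUserName -EventXml ([xml]$_.ToXml())) }
```

Names beginning with L-, D- (in either case) or C:/ are dropped and everything else is kept, which matches the stated intent more precisely than the original position-2 test, since that test would also have discarded any name whose second character happens to be a hyphen. Doing the prefix check after retrieval costs a little more data transfer than a pure server-side filter, so keep the XPath part as tight as the subset allows.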