Reputation: 330
I am trying to develop an XPath 1.0 compatible filter, abiding by the limitations noted in the answer to Using XPath starts-with or contains functions to search Windows event logs, that will match events with event ID 4771 as long as they do not have a certain computer name. Here is sample XML for a 4771 event I do not want to match/display in Event Viewer.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{94849225-5448-4994-A5BA-1E3B0928C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-22T20:13:28.105262600Z" />
    <EventRecordID>4368371459</EventRecordID>
    <Correlation />
    <Execution ProcessID="564" ThreadID="1340" />
    <Channel>Security</Channel>
    <Computer>sample.computer.net</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">abc$</Data>
    <Data Name="TargetSid">S-1-5-21-376469911-3458163162-136990061-477177</Data>
    <Data Name="ServiceName">krbtgt/computer.net</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:10.0.0.1</Data>
    <Data Name="IpPort">56815</Data>
    <Data Name="CertIssuerName" />
    <Data Name="CertSerialNumber" />
    <Data Name="CertThumbprint" />
  </EventData>
</Event>
And here is the unsuccessful filter I have tried. The event is still displayed, so it is not being properly filtered out; i.e. the TargetUserName exclusion is not being handled properly.
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(EventID=4771)]] and *[EventData[Data[@Name='TargetUserName'] and (Data!='abc$')]]</Select>
  </Query>
</QueryList>
It appears the (Data!='abc$') portion is being applied to all the Data elements, and as long as there is one Data element that does not match the specified value the entire event matches. The intent is that if there is a Data element with a TargetUserName attribute and the value of that element is abc$, then the entire event should not match.
Upvotes: 2
Views: 3319
Reputation: 71
You've correctly understood
*[EventData[Data[@Name='TargetUserName'] and (Data!='abc$')]]
as matching any Data element that isn't 'abc$'. What you want is to only consider TargetUserName elements:
*[EventData[Data[@Name='TargetUserName']!='abc$']]
Upvotes: 2
Reputation: 89315
In a normal XPath 1.0 environment we can do what you described this way:
*[System/EventID=4771 and EventData/Data[@Name='TargetUserName' and .!='abc$']]
Apparently Windows Event Log's XPath doesn't support any of the following, which left us at a dead end: the . step, self::, text() and node(). The closest we can get using XPath might be by assuming that 'TargetUserName', if it exists in a given EventData, always appears as the first Data child, so we can do as follows:
*[System/EventID=4771 and EventData[Data[1]/@Name='TargetUserName' and Data[1]!='abc$']]
Upvotes: 1
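An added example, not from the question or either answer, that evaluates the three filters above with .NET's XPath 1.0 engine from PowerShell against two constructed 4771 events, so the semantic difference is visible without a live Event Log: the question's filter matches both events, while both answers' filters match only the event whose TargetUserName is not abc$. New-SampleEvent and Test-EventMatches are names chosen here, and the Event Log engine's restrictions on ., text() and node() are not reproduced, so all three expressions are evaluated by full XPath 1.0.

```powershell
# Each constructed event keeps only the System and EventData fields from the
# question that the filters touch; the xmlns declaration is dropped because the
# Event Log queries are written without a prefix, and keeping it here would
# force a namespace prefix onto every step of the expressions.
function New-SampleEvent {
    param([string]$TargetUserName)
    return @"
<Event>
  <System><EventID>4771</EventID><Computer>sample.computer.net</Computer></System>
  <EventData>
    <Data Name="TargetUserName">$TargetUserName</Data>
    <Data Name="ServiceName">krbtgt/computer.net</Data>
    <Data Name="Status">0x18</Data>
  </EventData>
</Event>
"@
}

# XPath 1.0 accepts either quote for string literals; double quotes are used
# inside single-quoted PowerShell strings so nothing needs escaping.
$filters = [ordered]@{
    # Question's filter: Data!="abc$" is true when ANY Data child differs from abc$
    original = '*[System[(EventID=4771)]] and *[EventData[Data[@Name="TargetUserName"] and (Data!="abc$")]]'
    # First answer: compare only the Data element named TargetUserName
    answer1  = '*[System[(EventID=4771)]] and *[EventData[Data[@Name="TargetUserName"]!="abc$"]]'
    # Second answer: positional form, assumes TargetUserName is the first Data child
    answer2  = '*[System/EventID=4771 and EventData[Data[1]/@Name="TargetUserName" and Data[1]!="abc$"]]'
}

function Test-EventMatches {
    param([string]$EventXml, [string]$XPath)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($EventXml)
    $result = $doc.CreateNavigator().Evaluate($XPath)
    # "a and b" forms evaluate to [bool]; a plain location path yields a node
    # iterator, which counts as a match when it selects at least one node.
    if ($result -is [bool]) { return $result }
    return ($result.Count -gt 0)
}

$events = [ordered]@{
    'abc$ (should be hidden)'    = New-SampleEvent -TargetUserName 'abc$'
    'WKSTN01$ (should be shown)' = New-SampleEvent -TargetUserName 'WKSTN01$'
}
foreach ($f in $filters.GetEnumerator()) {
    foreach ($e in $events.GetEnumerator()) {
        $hit = Test-EventMatches -EventXml $e.Value -XPath $f.Value
        '{0,-8} {1,-26} matches={2}' -f $f.Key, $e.Key, $hit
    }
}
```

Once a filter behaves as intended here, it can be pasted into the Select element of the question's QueryList for Event Viewer or Get-WinEvent -FilterXml.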