Event Viewer Custom View

    Question

  • Hi, 

    One of my customers needs to filter the Event Viewer Security log for his branch office. Currently he is viewing all the logon/logoff events for the entire organization. I referred to the URL below and created the XML query below. I tried using 192.168.1.0 & 192.168.1. But it was not successful. Is it possible to get results for the entire subnet or network (e.g. 192.168.1.0)?

    <QueryList>
      <Query Id="0">
        <Select Path="Security">
          *[EventData[Data[@Name='IpAddress'] and (Data='192.168.1.20')]]
        </Select>
      </Query>
    </QueryList>

    Thanks,
    Thisaru.
    Monday, June 17, 2013 3:37 AM

Answers

  • Hi,


    I was thinking about using the wildcard * in the XML query as follows, but it did not work. So I think you cannot query for the entire 192.168.1.0/24 subnet in XML.


    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[EventData[Data[@Name='IpAddress'] and (Data='192.168.1.*')]]
        </Select>
      </Query>
    </QueryList>


    I suggest you also ask in the Script forum for XML query related questions.
    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads


    TechNet Subscriber Support | If you have any feedback on the TechNet forum, please contact tnmff@microsoft.com.

    Tuesday, June 18, 2013 6:52 AM
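
    The Event Log XPath dialect is a subset of XPath 1.0 with no wildcard or starts-with() for Data values, so a subnet view has to be built by selecting every event that carries an IpAddress field and testing the address client-side. The PowerShell below is an added example, not part of the original thread; Test-InSubnet is a hypothetical helper name, and the 5000-event cap and output columns are assumptions chosen for illustration.

```powershell
# Added example. Test-InSubnet is a hypothetical helper, not a built-in cmdlet.
function Test-InSubnet {
    param([string]$Address, [string]$Network, [int]$PrefixLength)

    $ip = $null
    # IpAddress can be '-' or empty on some events; those never match.
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    # IPv4 clients are sometimes recorded as ::ffff:a.b.c.d
    if ($ip.IsIPv4MappedToIPv6) { $ip = $ip.MapToIPv4() }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return $false
    }

    $addr = $ip.GetAddressBytes()
    $net  = [System.Net.IPAddress]::Parse($Network).GetAddressBytes()
    $bits = $PrefixLength
    for ($i = 0; $i -lt 4 -and $bits -gt 0; $i++) {
        # Compare one octet at a time, masking the last partial octet.
        $take = [Math]::Min(8, $bits)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($addr[$i] -band $mask) -ne ($net[$i] -band $mask)) { return $false }
        $bits -= 8
    }
    return $true
}

# Server side: keep the thread's test for the IpAddress field, drop the value test.
$xpath = "*[EventData[Data[@Name='IpAddress']]]"

# -MaxEvents 5000 is an arbitrary cap for the example.
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        if (Test-InSubnet $data['IpAddress'] '192.168.1.0' 24) {
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                EventId     = $evt.Id
                # TargetUserName exists on logon events; empty otherwise.
                User        = $data['TargetUserName']
                IpAddress   = $data['IpAddress']
            }
        }
    }
```

    Reading the Security log requires an elevated session or membership in a group with read access to it, such as Event Log Readers.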

All replies

  • Hi, 

    One of my customers needs to filter the Event Viewer Security log only for his branch office. This is an additional domain controller. Currently he is viewing all the logon/logoff events for the entire organization. I referred to the URL below and created the XML query below. I tried using "192.168.1.0" & "192.168.1." to list all the computers related to that branch. But it was not successful. Is it possible to get results for the entire subnet or network (e.g. 192.168.1.0)? I selected "IpAddress" to filter the data, but if there is any better string available for filtering the data, please be kind enough to advise me.

    <QueryList>
      <Query Id="0">
        <Select Path="Security">
          *[EventData[Data[@Name='IpAddress'] and (Data='192.168.1.20')]]
        </Select>
      </Query>
    </QueryList>

    Thanks,
    Thisaru.
    Wednesday, June 19, 2013 4:22 PM