I am trying to use XML to filter the security event log to show all user logon events, except I don't want to see "SYSTEM" which is the majority of entries. I don't know why there is a log of the system logging onto itself. That's obviously not what I'm looking for. Here's what I'm trying:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and
      *[EventData[Data[@Name='TargetUserName'] and (Data !='SYSTEM')]]
    </Select>
  </Query>
</QueryList>
But this continues to give results that include <EventData> entries like
<Data Name="TargetUserName">SYSTEM</Data>
Data !='SYSTEM' was supposed to filter that out, but it's not. Is there some reason that it accepts this, but does not consider != to mean not equals???? Any clues? Is there another way to say not equals?
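
Why the filter above still returns SYSTEM logons, as an added example that is not part of the original post: in XPath 1.0 a node-set compared to a string is true if any node in the set satisfies the comparison, so `Data != 'SYSTEM'` tests every `<Data>` child, not only TargetUserName. The Python below emulates that rule next to the bound form `Data[@Name='TargetUserName'] != 'SYSTEM'` over constructed events. The function names and sample values are assumptions, as is the Event Log's XPath subset following the standard rule here.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(user, logon_type):
    """Build a constructed, trimmed 4624 event (not real log data)."""
    return ET.fromstring(
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4624</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        "</EventData></Event>"
    )

def data_nodes(event):
    """Return the <Data> children of a 4624 event, or [] for other events."""
    if event.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return []
    return event.findall("e:EventData/e:Data", NS)

def unbound_filter(event):
    """EventData[Data[@Name='TargetUserName'] and (Data != 'SYSTEM')]:
    the two tests are independent, and Data != 'SYSTEM' is true as soon as
    ANY <Data> child (LogonType, for instance) has a value other than SYSTEM."""
    nodes = data_nodes(event)
    has_field = any(d.get("Name") == "TargetUserName" for d in nodes)
    any_differs = any((d.text or "") != "SYSTEM" for d in nodes)
    return has_field and any_differs

def bound_filter(event):
    """EventData[Data[@Name='TargetUserName'] != 'SYSTEM']: the comparison
    is applied only to the node-set already narrowed to TargetUserName."""
    return any(d.get("Name") == "TargetUserName" and (d.text or "") != "SYSTEM"
               for d in data_nodes(event))

def selected_users(events, predicate):
    """TargetUserName of every event the predicate lets through."""
    path = "e:EventData/e:Data[@Name='TargetUserName']"
    return [e.findtext(path, namespaces=NS) for e in events if predicate(e)]

# Constructed sample: a service logon, an interactive logon, and an
# artificial event in which every <Data> value happens to be "SYSTEM".
EVENTS = [make_event("SYSTEM", "5"), make_event("alice", "2"),
          make_event("SYSTEM", "SYSTEM")]

if __name__ == "__main__":
    print("unbound:", selected_users(EVENTS, unbound_filter))
    print("bound:  ", selected_users(EVENTS, bound_filter))
```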