HOW TO filter event log to show some events and not others

    Question

  • I am trying to use XML to filter the security event log to show all user logon events, except I don't want to see "SYSTEM" which is the majority of entries. I don't know why there is a log of the system logging onto itself. That's obviously not what I'm looking for. Here's what I'm trying:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
            *[System[(EventID=4624)]]
            and
            *[EventData[Data[@Name='TargetUserName'] and (Data !='SYSTEM')]]
        </Select>
      </Query>
    </QueryList>

    But this continues to give results that include <EventData> entries like

    <Data Name="TargetUserName">SYSTEM</Data>

    Data !='SYSTEM' was supposed to filter that out, but it's not. Is there some reason that it accepts this, but does not consider != to mean not equals???? Any clues? Is there another way to say not equals?

    Tuesday, January 22, 2013 9:38 PM
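The behaviour described in the question follows from XPath 1.0 comparison rules: an unscoped `Data != 'SYSTEM'` compares every `Data` element and is true as soon as any one of them differs, whereas `*[EventData[Data[@Name='TargetUserName'] != 'SYSTEM']]` compares only the named field. The Python model below is an added example, not part of the original post; the events are constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(target_user, domain, logon_type):
    """Build a constructed 4624 event, trimmed to the fields the filter touches."""
    return ET.fromstring(
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4624</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{target_user}</Data>'
        f'<Data Name="TargetDomainName">{domain}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        "</EventData></Event>"
    )

def original_filter(event):
    """Model of EventData[Data[@Name='TargetUserName'] and (Data != 'SYSTEM')].

    A node-set compared with a string using != is true if ANY node in the
    set has a different string value, so the domain or logon type field
    is enough to satisfy it.
    """
    data = event.findall("e:EventData/e:Data", NS)
    has_field = any(d.get("Name") == "TargetUserName" for d in data)
    any_differs = any((d.text or "") != "SYSTEM" for d in data)
    return has_field and any_differs

def scoped_filter(event):
    """Model of EventData[Data[@Name='TargetUserName'] != 'SYSTEM']."""
    named = event.findall("e:EventData/e:Data[@Name='TargetUserName']", NS)
    return any((d.text or "") != "SYSTEM" for d in named)

def matching_users(filter_fn, events):
    """Return the TargetUserName of every event the filter lets through."""
    path = "e:EventData/e:Data[@Name='TargetUserName']"
    return [e.find(path, NS).text for e in events if filter_fn(e)]

# Constructed sample: one SYSTEM logon and two user logons.
SAMPLE_EVENTS = [
    make_event("SYSTEM", "NT AUTHORITY", 5),
    make_event("alice", "EXAMPLE", 2),
    make_event("bob", "EXAMPLE", 10),
]

if __name__ == "__main__":
    print("original:", matching_users(original_filter, SAMPLE_EVENTS))
    print("scoped:  ", matching_users(scoped_filter, SAMPLE_EVENTS))
```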

Answers