WEF event suppressing from DNS log

  • Question

  • Hello,

    Does anybody have an idea how to suppress Local Service / System / Network Service events in WEF using XPath queries? 

    Example event looks like this:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
        <EventID>3008</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2019-04-03T11:15:22.464647000Z" />
        <EventRecordID>7775625</EventRecordID>
        <Correlation />
        <Execution ProcessID="1096" ThreadID="4420" />
        <Channel>Microsoft-Windows-DNS-Client/Operational</Channel>
        <Computer>PCName</Computer>
        <Security UserID="S-1-5-19" />
      </System>
      <EventData>
        <Data Name="QueryName">PCName</Data>
        <Data Name="QueryType">28</Data>
        <Data Name="QueryOptions">1208115200</Data>
        <Data Name="QueryStatus">0</Data>
        <Data Name="QueryResults">::ffff:10.12.14.117;</Data>
      </EventData>
      <RenderingInfo Culture="en-US">
        <Message>DNS query is completed for the name PCName, type 28, query options 1208115200 with status 0 Results ::ffff:10.12.14.117;</Message>
        <Level>Information</Level>
        <Task />
        <Opcode>Info</Opcode>
        <Channel>Microsoft-Windows-DNS Client Events/Operational</Channel>
        <Provider>Microsoft-Windows-DNS Client Events</Provider>
        <Keywords />
      </RenderingInfo>
    </Event>

    At this point, on the WEC server, I want to drop all events with such a "Security UserID", but it seems like my filter does not work:

    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-DNS-Client/Operational">
        <!-- 3008: DNS Client events Query Completed -->
        <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
        <!-- Suppresses local machine name resolution events -->
        <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryOptions"]="140737488355328"]]</Suppress>
        <!-- Suppresses empty name resolution events -->
        <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryResults"]=""]]</Suppress>
        <!-- Skip queries to localhost -->
        <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryName"]="0.0.0.0"]]</Suppress>
        <!-- Skip queries to localhost -->
        <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryName"]="localhost"]]</Suppress>
        <!-- Skip queries made by LocalSystem / LocalService / NetworkService -->
        <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[(Security UserID="S-1-5-18")]]</Suppress>
        <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[(Security UserID="S-1-5-19")]]</Suppress>
        <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[(Security UserID="S-1-5-20")]]</Suppress>
      </Query>
    </QueryList>

    How should it be formatted to apply properly? 

    Thanks for any hints :)


    Thursday, April 4, 2019 9:55 AM

Answers

  • ok, if anybody needs it in future, here's a proper, working filter:

    	<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[Security[@UserID="S-1-5-18"]]]</Suppress>
    	<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[Security[@UserID="S-1-5-19"]]]</Suppress>
    	<Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[Security[@UserID="S-1-5-20"]]]</Suppress>
    • Marked as answer by emesbe Tuesday, April 9, 2019 10:58 AM
    Tuesday, April 9, 2019 10:58 AM
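The following PowerShell check is an added example, not code from the thread: it runs the corrected Suppress clauses locally through Get-WinEvent (which uses the same Event Log XPath dialect as a WEF subscription) before they go into the collector, because a malformed XPath in a subscription silently stops the flow while Get-WinEvent reports it as an error. It assumes the Microsoft-Windows-DNS-Client/Operational log is enabled on the machine where it runs.

```powershell
# Added example (not from the thread): run the corrected Suppress clauses
# locally through Get-WinEvent before they go into the WEC subscription.
# Assumes the Microsoft-Windows-DNS-Client/Operational log is enabled here.
$query = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DNS-Client/Operational">
    <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[Security[@UserID="S-1-5-18"]]]</Suppress>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[Security[@UserID="S-1-5-19"]]]</Suppress>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[Security[@UserID="S-1-5-20"]]]</Suppress>
  </Query>
</QueryList>
"@

# A malformed XPath makes the subscription silently stop forwarding; the same
# query dialect evaluated here surfaces it as a terminating error instead.
try {
    $events = @(Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 50 -ErrorAction Stop)
} catch {
    if ($_.Exception.Message -match 'No events were found') {
        $events = @()   # valid query, nothing matched in this log
    } else {
        throw "Query rejected, fix the XPath before deploying: $($_.Exception.Message)"
    }
}

# Any surviving event whose UserId is a suppressed well-known SID means the
# Suppress clause did not match the <Security UserID="..."/> element.
$serviceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'
$leaked = $events | Where-Object { $_.UserId -and ($serviceSids -contains $_.UserId.Value) }
if ($leaked) {
    Write-Warning "Suppress not effective for: $(($leaked.UserId.Value | Sort-Object -Unique) -join ', ')"
} else {
    Write-Output "$($events.Count) event(s) returned, none from LocalSystem/LocalService/NetworkService"
}

# Principals that still pass the filter; expect interactive user SIDs only.
$events | Group-Object { $_.UserId.Value } | Select-Object Count, Name
```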

All replies

  • Like this?

     … >*[System/Security[UserID="S-1-5-18")]]</Suppress>


    ¯\_(ツ)_/¯

    • Marked as answer by emesbe Thursday, April 4, 2019 11:39 AM
    • Unmarked as answer by emesbe Thursday, April 4, 2019 11:40 AM
    Thursday, April 4, 2019 10:49 AM
  • Nope, it also does not work; events stopped flowing when I applied it in a subscription. 

    ...
        <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System/Security[UserID="S-1-5-18")]]</Suppress>
        <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System/Security[UserID="S-1-5-19")]]</Suppress>
        <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System/Security[UserID="S-1-5-20")]]</Suppress>
      </Query>


    • Edited by emesbe Thursday, April 4, 2019 11:26 AM
    Thursday, April 4, 2019 11:13 AM