Create a filter to view a user's connections in the Event Viewer

  • Question

  • I have this XML generated in the Event Viewer. I want to filter by the User field inside UserData and I want to see only the notes of a specific user.


    <Event>
      ....
      <UserData>
        <EventXML xmlns="Event_NS">
          <User>PC\User1</User>
          <SessionID>7</SessionID>
          <Address>LOCAL</Address>
        </EventXML>
      </UserData>
    </Event>

    Generated XML info

    Filtering by the event ID, which the viewer generated, is going well. Then I add the UserData line. I cannot find the proper way of doing it from the little documentation I have found. When I apply this filter it does not give an error, but no entry appears, not even for User1.

    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
        <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
    *[System[(EventID=24 or EventID=21)]]
    and
    *[Event[UserData[EventXML[@xmlns='Event_NS'] and (User='PC\User1')]]]
    </Select>
      </Query>
    </QueryList>



    • Edited by Nucleorion Tuesday, October 9, 2018 2:04 PM
    Tuesday, October 9, 2018 1:58 PM

All replies

  • Please refer to this blog for some ideas.

    Advanced XML filtering in the Windows Event Viewer

    https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 10, 2018 2:48 AM
    Moderator
  • Yes, that's the page I used to write the code, but it does not work for me. I do not see what I am doing wrong to get inside the EventXML.

    In the examples there is no case where there are other tags inside a tag like this one:

    EventXML xmlns="Event_NS"

    • Edited by Nucleorion Wednesday, October 10, 2018 6:46 AM
    Wednesday, October 10, 2018 6:42 AM
  • I know this thread is old but I figured it out! Hopefully it will help someone else out in the future.

    I was looking for a solution for this as well but was unable to find one. I eventually kept playing with the syntax until I got it right.

    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
        <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
    *[UserData[EventXML[@xmlns='Event_NS'][User='DOMAIN\USERNAME']]]
    </Select>
      </Query>
    </QueryList>

    Omit the "and" and you can continue to drill down. The "@" appears to be a delimiter for spaces when spaces are present in the path.


    Thursday, May 14, 2020 6:39 PM
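The filter the thread ends on, combined with the EventID filter from the question and run from PowerShell, as an added example (this is not code from the original posts). Event Viewer and `Get-WinEvent -FilterXml` use the same query engine, so the XPath is the same in both. The reason the question's query matched nothing is that the context node of the select expression is already the `<Event>` element: `*[System[...]]` and `*[UserData[...]]` are both predicates on it, so wrapping the second one in another `Event[...]` level can never match. Assumed for the example: the log name and field names shown in the thread, `PC\User1` as the placeholder account from the question, and an illustrative 7-day window.

```powershell
<#
  Added example, not code from the original thread.
  Combines the question's EventID filter with the accepted answer's UserData filter,
  runs it with Get-WinEvent -FilterXml, and reads User/SessionID/Address straight
  out of each event's UserData instead of parsing the rendered message.
  Assumptions: log and field names as in the thread; 'PC\User1' is the question's
  placeholder account; the event IDs and the 7-day window are illustrative.
#>
function Get-UserSessionEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $User,          # e.g. 'DOMAIN\USERNAME'
        [int[]]  $EventId = @(21, 24),                  # the IDs the question filters on
        [int]    $Days    = 7,                          # window on TimeCreated
        [string] $LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    )

    # The name is interpolated into XPath inside XML: refuse characters that would
    # break out of the single-quoted literal or the element text.
    if ($User -match '[''"<&]') { throw "Unsupported character in user name '$User'" }

    $idTest   = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $windowMs = [int64]$Days * 24 * 60 * 60 * 1000     # timediff() works in milliseconds

    # The context node is already <Event>, so both predicates apply to it directly;
    # do not add an Event[...] level. '<' must be written as &lt; inside the element.
    $filterXml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[($idTest) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
      and
      *[UserData[EventXML[@xmlns='Event_NS'][User='$User']]]
    </Select>
  </Query>
</QueryList>
"@

    # Get-WinEvent reports "no events found" as an error; treat it as an empty result.
    $events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue
    if (-not $events) { return }

    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $ex  = $xml.Event.UserData.EventXML
        # Self-check: the filter matched on User, so the field must equal what we asked for.
        if ($ex.User -ne $User) {
            Write-Warning "Record $($e.RecordId): User '$($ex.User)' does not match filter '$User'"
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            User        = $ex.User
            SessionID   = $ex.SessionID
            Address     = $ex.Address
        }
    }
}

# Usage: User1's session events from the last 7 days, newest first.
Get-UserSessionEvents -User 'PC\User1' |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, EventId, User, SessionID, Address -AutoSize
```

Two details worth keeping in mind when adapting this: `@` is XPath's attribute axis, so `[@xmlns='Event_NS']` tests the namespace declaration shown on the EventXML element in the XML view in the same way that `[@SystemTime ...]` tests an attribute of TimeCreated; and the fields come from `$e.ToXml()` rather than the rendered message, so the output does not depend on message templates being installed on the machine reading the log.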