Xpath Query in Event Viewer

  • Question

  • I am trying to figure out how to correctly do a query in Event Viewer using XPath. The query I want will reply with those events in the Security log that match EventID 4624 AND have an external IP address.

    I have narrowed the query down to the following:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624)] and EventData[(Data[@Name="IpAddress"])]]</Select>
      </Query>
    </QueryList>


    but I can't seem to be able to query the data in the IpAddress field. I was thinking of setting up a wildcard for the different IPs that could be there, but then I thought about using <Suppress> to remove any events that only show "-" for IpAddress, but I have been unable to find either.

    The best documentation I have been able to find is at:
    http://msdn.microsoft.com/en-us/libr...31(VS.85).aspx but even that is pretty sparse.

    I am basing this off the following event for the full XML:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4624</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2008-06-09T10:39:30.473Z" />
        <EventRecordID>100140</EventRecordID>
        <Correlation />
        <Execution ProcessID="696" ThreadID="816" />
        <Channel>Security</Channel>
        <Computer>Dave-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">DAVE-PC$</Data>
        <Data Name="SubjectDomainName">WORKGROUP</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="TargetUserSid">S-1-5-18</Data>
        <Data Name="TargetUserName">SYSTEM</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="TargetLogonId">0x3e7</Data>
        <Data Name="LogonType">5</Data>
        <Data Name="LogonProcessName">Advapi</Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName" />
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x2ac</Data>
        <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
      </EventData>
    </Event>

    Note the "IpAddress" data would have an external IP that I would want to match through a wildcard, or, if it were a record I wanted to exclude, it would have the "-" shown above.

    Any help or point to a better resource would be greatly appreciated!

    Thanks,
    Dave
    Wednesday, June 11, 2008 2:18 PM

Answers

  • Dave

    I've now been able to test this in Vista's Event Viewer. The following query is valid and the Suppress element seems to be the method to use. Unfortunately this currently filters out all the results so I don't know what else to suggest.

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624)] and EventData[(Data[@Name="IpAddress"])]]</Select>
        <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-"]]</Suppress>
      </Query>
    </QueryList>

    Phil

    Friday, June 13, 2008 9:00 AM

All replies

  • The following expression will select only events with an IP address that is not the '-' character:

    *[System[EventID=4624] and EventData[Data[@Name="IpAddress" and not( . = '-')]]]

    In this expression, the '.' character allows you to reference the context node within the predicate, which in this case is the Data element. Note that I've used not() for the equality test. In XPath != is generally not used because '=' actually means 'any' - an existential quantifier.

    I haven't been able to test this in the Windows Event environment but it works with your XML sample and a standard XPath processor.

    You ask about a better resource:

    There are a number of good free XPath tools out there worth trying that might help.

    SketchPath is my own product and works against an XML sample and allows you to test, save and reuse your XPath expressions. I don't know yet of any .NET API for the Windows Event Log that this tool can use, so you would need to copy in the XML from the Event Log Viewer.

    For a brief online overview of XPath 1.0, the following is a good start:

    http://saxon.sourceforge.net/saxon6.5.5/expressions.html

    The one caveat, when using standards-based resources, is that the Windows Event Log System has a number of significant differences to the XPath 1.0 language. These differences, which are detailed in the link you provide, should be understood also.

    Phil Fearon

    http://www.sketchpath.com

    Thursday, June 12, 2008 7:55 AM
  • Phil-

    I appreciate you taking the time to respond.  I tried your query in Vista's Event Viewer and it comes back with an invalid query error but no details.  I tried tweaking it a little bit but had no luck.  Thanks for the links; I have found quite a bit of information on XPath out there, but as it relates directly to how Event Viewer/Vista implements it, I can't really find anything but people talking about how great it is to support it.  As you have mentioned, the significant differences in how they implemented it seem to kill pretty basic queries.

    Any further help you can provide I would be very grateful for, and if I can provide you with anything else to help please let me know.

    Regards,
    Dave
    Thursday, June 12, 2008 11:34 AM
  • Phil-

    Thanks again for your time!  OK, now that we have a working query, I was able to make one minor change and it ran as I expected.

    The final query looks like this:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624)]]</Select>
        <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-"]]</Suppress>
      </Query>
    </QueryList>

    As you can see I took off the second qualifier for the first statement, and when I ran that it only returned records that had a valid IP address in it, which was what I was looking for.

    Thanks so much for your help!

    Dave

    Friday, June 13, 2008 1:05 PM
  • EXCELLENT!  I was trying to figure out a way to query all 5140 events in the Security log where the share name is not \\*\IPC$, and using Suppress worked!  I would additionally like to add one more condition: I'd like to exclude a source address starting with '192.168.1'.  Any ideas?
    Tuesday, August 20, 2013 10:36 PM
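The following is an added example and not code posted in this thread. It runs Dave's final QueryList (4624 with the "-" IpAddress entries suppressed) and the 5140 share-access variant asked about in the last post through PowerShell's Get-WinEvent -FilterXml, which accepts exactly the same <QueryList> XML as Event Viewer's "Filter Current Log > XML" tab and a Windows Event Forwarding subscription. The function name Invoke-EventXPath and its parameters are chosen here; the 5140 field names (ShareName, IpAddress, AccessMask) come from that event's own EventData. Because the event log's XPath subset documented by Microsoft supports only the position(), Band() and timediff() functions (no starts-with()), the "starts with 192.168.1" exclusion is done on the PowerShell side after the XPath query has narrowed the result. Reading the Security log requires an elevated prompt or membership in the Event Log Readers group.

```powershell
# Added example (not from the thread): run a QueryList through Get-WinEvent
# and project EventData/Data elements by their Name attribute, with an optional
# client-side filter for conditions the event log XPath subset cannot express.
# Invoke-EventXPath, $PostFilter and the usage names below are my own choices.

function Invoke-EventXPath {
    param(
        # The same <QueryList> XML that Event Viewer's "XML" filter tab accepts.
        [Parameter(Mandatory)][string]$QueryList,
        # Client-side test applied to each projected event.
        [scriptblock]$PostFilter = { $true },
        [int]$MaxEvents = 1000
    )
    Get-WinEvent -FilterXml $QueryList -MaxEvents $MaxEvents |
        ForEach-Object {
            # Re-parse the event XML so EventData/Data can be read by its Name
            # attribute rather than by position in the .Properties array.
            $x = [xml]$_.ToXml()
            $row = [ordered]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                RecordId    = $_.RecordId
            }
            foreach ($d in $x.Event.EventData.Data) {
                $row[$d.GetAttribute('Name')] = $d.InnerText
            }
            [pscustomobject]$row
        } |
        Where-Object $PostFilter
}

# 1. Dave's final query: 4624 logons, with Suppress dropping the "-" IpAddress
#    entries. Loopback values ("127.0.0.1", "::1") survive that Suppress, so
#    they are removed client-side to get closer to "external IP address".
$remoteLogons = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-"]]</Suppress>
  </Query>
</QueryList>
'@

Invoke-EventXPath -QueryList $remoteLogons -PostFilter { '127.0.0.1', '::1' -notcontains $_.IpAddress } |
    Select-Object TimeCreated, TargetDomainName, TargetUserName, LogonType, IpAddress, IpPort |
    Format-Table -AutoSize

# 2. The 5140 question from the last post: share access other than \\*\IPC$.
#    No starts-with() in the event log XPath subset, so the 192.168.1.x
#    exclusion goes in the post-filter. The trailing "." in the wildcard keeps
#    192.168.10.x through 192.168.19.x from being excluded as well.
$shareAccess = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5140)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name="ShareName"] = "\\*\IPC$"]]</Suppress>
  </Query>
</QueryList>
'@

Invoke-EventXPath -QueryList $shareAccess -PostFilter { $_.IpAddress -notlike '192.168.1.*' } |
    Select-Object TimeCreated, SubjectDomainName, SubjectUserName, IpAddress, ShareName, AccessMask |
    Format-Table -AutoSize
```

Get-WinEvent reports "No events were found that match the specified selection criteria" as a non-terminating error when the query is valid but matches nothing; an invalid XPath query is reported separately, which is the quickest way to check whether an expression stays inside the event log's subset before pasting it into a custom view or a subscription.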