XPath Query in Event Viewer

microsoft.public.windows.vista.performance maintenance






  #1 (permalink)  
Old 06-07-2008
Dave Lawlor
 

Posts: n/a
XPath Query in Event Viewer
I am trying to do a query to bring back only records that have an IP address
from the event data:

<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DAVE-PC$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">SYSTEM</Data>
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0x3e7</Data>
<Data Name="LogonType">5</Data>
<Data Name="LogonProcessName">Advapi</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName" />
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x2ac</Data>
<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
<Data Name="IpAddress">192.168.11.4</Data>
<Data Name="IpPort">3284</Data>
</EventData>


It might be different IPs, so I need it to pick up that a string is there. Any
ideas?

Thanks,
Dave


  #2 (permalink)  
Old 06-11-2008
Dave L
 

Posts: n/a
Re: XPath Query in Event Viewer

I have narrowed the query down to the following:

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624)] and
EventData[(Data[@Name="IpAddress"])]]</Select>
</Query>
</QueryList>


but I can't seem to be able to query the data in the IpAddress field. I was
thinking of setting up a wildcard for the different IPs that could be there,
but then I thought about using the <Suppress> to remove any events that only
show "-" for IpAddress.

The best documentation I have been able to find is at:
http://msdn.microsoft.com/en-us/libr...31(VS.85).aspx but even that is
pretty sparse.

Does anyone have a better idea of how to query for the additional information
in that field, for either a wildcard or a suppress operation?

Thanks,
Dave

  #3 (permalink)  
Old 06-13-2008
Dave Lawlor
 

Posts: n/a
RE: XPath Query in Event Viewer
I was finally able to narrow down a query that worked, with the help of Phil
Fearon over on the Technet Forums.

The following query will filter for the event 4624, but suppress any records
without an IP address:

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624)]]</Select>
<Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-"
]]</Suppress>
</Query>
</QueryList>

Thanks Phil!
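
Added example, not part of the original posts: Event Log queries accept only a subset of XPath 1.0, so the wildcard match on the address asked about above has to be done on the results. This Python sketch applies the same select (EventID 4624) and suppress (IpAddress = "-") logic to exported event XML and adds a subnet filter as an extension; the sample events, `make_event`, `data_field` and `logons_with_ip` are constructed for illustration, and the input is assumed to be one `<Event>` element per string (for example from `wevtutil qe Security /f:xml`).

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, ip):
    """Build a constructed event, trimmed to the fields used below."""
    return (
        f'<Event xmlns="{NS["e"]}">'
        f"<System><EventID>{event_id}</EventID></System>"
        '<EventData><Data Name="TargetUserName">SYSTEM</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )

# Constructed sample input (not taken from the thread).
SAMPLE = [
    make_event(4624, "192.168.11.4"),
    make_event(4624, "-"),             # local logon, no source address
    make_event(4624, "10.0.0.7"),
    make_event(4634, "192.168.11.9"),  # logoff, not selected
    make_event(4624, "::1"),
]

def data_field(event, name):
    """Return the text of <Data Name="name"> under EventData, or None."""
    for data in event.findall("e:EventData/e:Data", NS):
        if data.get("Name") == name:
            return (data.text or "").strip()
    return None

def logons_with_ip(xml_events, network=None):
    """Select 4624, suppress IpAddress '-', optionally keep one subnet."""
    net = ipaddress.ip_network(network) if network else None
    hits = []
    for raw in xml_events:
        event = ET.fromstring(raw)
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue                   # <Select>: logon events only
        ip = data_field(event, "IpAddress")
        if not ip or ip == "-":
            continue                   # <Suppress>: no address recorded
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                   # extension: skip values that are not IPs
        if net is not None and addr not in net:
            continue                   # extension: the "wildcard" as a subnet
        hits.append(str(addr))
    return hits

if __name__ == "__main__":
    print(logons_with_ip(SAMPLE))
    print(logons_with_ip(SAMPLE, "192.168.11.0/24"))
```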