Using Xpath queries to filter events in Windows Server 2008

By | April 8, 2009

If you’ve spent some time with Vista or Windows Server 2008 you’ll have noticed that there are some fundamental changes to the event viewer.  One of the changes is in the way in which event logs can be filtered.  In addition to the point-and-click filter selection you can now also enter an xpath query by accessing the XML tab (see screenshots below).  This gives you the ability to filter using a much wider range of criteria.  Basically, you can search using anything that is presented in the list of XML values.

event_filtering1.JPG

event_filtering2.JPG

The xpath queries take a bit of getting used to and as yet there don’t appear to be many publicly available examples.  Here are a few to get you started. This query searches the Security Event log for 4624 events that include a TargetUsername of “User1” and corresponding to a logon type of “2” (interactive). 

<QueryList>
  <Query Id=”0″ Path=”Security”>
    <Select Path=”Security”>*[System[Provider[@Name=’Microsoft-Windows-Security-Auditing’] and (EventID=4624)] and EventData[Data[@Name=’TargetUserName’]=’User1′] and EventData[Data[@Name=’LogonType’]=’2′]]</Select>
  </Query>
</QueryList>

The query below also looks for 4624 events, but this time for those that include a WorkstationName of “Workstation1” and a logon type of “3” (network). 

<QueryList>
  <Query Id=”0″ Path=”Security”>
    <Select Path=”Security”>*[System[Provider[@Name=’Microsoft-Windows-Security-Auditing’] and (EventID=4624)] and EventData[Data[@Name=’WorkstationName’]=’Workstation1′] and EventData[Data[@Name=’LogonType’]=’3′]]</Select>
  </Query>
</QueryList>

Even though Xpath can appear a little daunting at first it is worth spending a bit of time with as it’s potentially quite powerful.  As with Powershell it is something that is likely to be here to stay.

3 thoughts on “Using Xpath queries to filter events in Windows Server 2008

  1. Matz

    Hi, nice examples but they didn’t work on my Vista 64-bit. Finaly I found out that changing all ‘ to ” then it worked.

    Reply
  2. Abs

    Perfect for filtering Remote Desktop / Terminal Server logon events.

    Thanks!!!

    Reply
  3. Abs

    Perfect for filtering Remote Desktop / Terminal Server logon events.

    Thanks!!!

    Reply

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.