I want to filter the Windows event log for events that aren't generated by the KCC or from two IP addresses. This works for the KCC filter:
<QueryList>
<Query Id="0" Path="ADAM (ADLDS-HHT)">
<Select Path="ADAM (ADLDS-HHT)">
*[System[(EventID=1644)]]
</Select>
<Suppress Path="ADAM (ADLDS-HHT)">
*[EventData[Data='KCC']]
</Suppress>
</Query>
</QueryList>
so now I need to add the IP addresses. They're just stored in the events as Data elements:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<EventID Qualifiers="16384">1644</EventID>
[other values removed for brevity]
</System>
<EventData>
<Data>192.168.0.1:64790</Data>
<Data>0</Data>
<Data>0</Data>
[other values removed for brevity]
</EventData>
</Event>
I've tried this for the Suppress part:
<Suppress Path="ADAM (ADLDS-HHT)">
*[EventData[Data='KCC' OR Data='192.168.1.2' OR Data='10.1.2.3']]
</Suppress>
and this:
<Suppress Path="ADAM (ADLDS-HHT)">
*[EventData[Data='KCC'] OR [Data='192.168.1.2'] OR [Data='10.1.2.3']]
</Suppress>
but neither worked. I've searched online, but nearly all examples have attribute names like this: *[EventData[Data[@Name='TargetUserName'], but mine is just Data values.
1 Answer
NB the XPath language is case-sensitive; the boolean operator you want is or, not OR.
Also, LMC is correct to point out that you need to ignore the port number in the <Data> elements. I wouldn't recommend using the starts-with function though, because you don't want to exclude 10.1.2.30 when you exclude 10.1.2.3. In my example I use the substring-before function to trim off the port specification.
*[
EventData[
Data='KCC' or
substring-before(Data, ':') = '192.168.1.2' or
substring-before(Data, ':') = '10.1.2.3'
]
]
I don't run Windows and I'm not able to test this properly, but that's what I guess your problem is.
starts-with function since value might contain port info: or starts-with(Data, '172.22.202.200'). Can't test myself since don't have Windows OS. – LMC Commented Mar 6 at 16:44