takraw's blog: Create Custom Views using XPath on WINDOWS Event LOGs

Wednesday, November 23, 2016

Create Custom Views using XPath on WINDOWS Event LOGs

Create Custom Views using XPath on WINDOWS Event LOGs

:example event for filter

*[System[(EventID=6278)]] and
*[EventData[Data[@Name='NASIPv4Address'] = 'xxx.xxx.xxx.xxx']] and
*[EventData[Data[@Name='NASIdentifier'] = 'FreeRadius-Profile']] and
*[EventData[Data[@Name='NASIdentifier'] = 'Captive-Portal-Profile']] and
*[EventData[Data[@Name='SubjectUserName'] ='user@domain.com']] and
*[EventData[Data[@Name='SubjectDomainName'] ='DomainName']] and

:Template XPath on Windows Event LOGs

<QueryList>
<Query Id="0" Path="Security">
    <Select Path="Security"> <----- ( Application,Security,Setup,System, Forward Event )
        *event for filter
        *event for filter
        *event for filter
    </Select>
</Query>
</QueryList>

:filter by domain and LOGON Success/Fail

<QueryList>
<Query Id="0" Path="Security">
    <Select Path="Security">

        *[System[(EventID='6278') and (EventID='6273')]] and
        *[EventData[Data[@Name='SubjectDomainName'] ='DomainName']]

    </Select>
</Query>
</QueryList>

:filter by domain and username
<QueryList>
<Query Id="0" Path="Security">
    <Select Path="Security">
        *[EventData[Data[@Name='SubjectUserName'] ='user@domain.com']] and
        *[EventData[Data[@Name='SubjectDomainName'] ='DomainName']
    </Select>
</Query>
</QueryList>

takraw's blog

Wednesday, November 23, 2016

Create Custom Views using XPath on WINDOWS Event LOGs

No comments:

Post a Comment

ALCATEL 6900

Report Abuse