Performance and Maintainance of Windows Vista A forum for performance and maintenance tasks in Windows Vista. (microsoft.public.windows.vista.performance_maintainance) |
XPath Query in Event Viewer
I am trying to do a query to bring back only records that have an IP address from the event data:

    <EventData>
      <Data Name="SubjectUserSid">S-1-5-18</Data>
      <Data Name="SubjectUserName">DAVE-PC$</Data>
      <Data Name="SubjectDomainName">WORKGROUP</Data>
      <Data Name="SubjectLogonId">0x3e7</Data>
      <Data Name="TargetUserSid">S-1-5-18</Data>
      <Data Name="TargetUserName">SYSTEM</Data>
      <Data Name="TargetDomainName">NT AUTHORITY</Data>
      <Data Name="TargetLogonId">0x3e7</Data>
      <Data Name="LogonType">5</Data>
      <Data Name="LogonProcessName">Advapi</Data>
      <Data Name="AuthenticationPackageName">Negotiate</Data>
      <Data Name="WorkstationName" />
      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
      <Data Name="TransmittedServices">-</Data>
      <Data Name="LmPackageName">-</Data>
      <Data Name="KeyLength">0</Data>
      <Data Name="ProcessId">0x2ac</Data>
      <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
      <Data Name="IpAddress">192.168.11.4</Data>
      <Data Name="IpPort">3284</Data>
    </EventData>

It might be different IPs so I need it to pick up that a string is there. Any ideas?

Thanks,
Dave

XPath Query in Event Viewer
I have narrowed the query down to the following:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624)] and EventData[(Data[@Name="IpAddress"])]]</Select>
      </Query>
    </QueryList>

but I can't seem to be able to query the data in the IpAddress field. I was thinking of setting up a wildcard for the different IPs that could be there, but then I thought about using the Suppress to remove any events that only show "-" for IPAddress.

The best documentation I have been able to find is at: http://msdn.microsoft.com/en-us/libr...31(VS.85).aspx but even that is pretty sparse. Anyone have any better idea on how to query for the additional information in that field for either a wildcard or a suppress operation?

Thanks,
Dave

XPath Query in Event Viewer
I was able to finally narrow a query down that worked with the help of Phil Fearon over on the Technet Forums. The following query will filter for the event 4624, but suppress any records without an IP address:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624)]]</Select>
        <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-" ]]</Suppress>
      </Query>
    </QueryList>

Thanks Phil!
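
An added example, not part of the original posts: the final query above run from PowerShell with Get-WinEvent -FilterXml, with the matching logons counted per source address. The 500-event cap and the output column names are assumptions made for the example.

```powershell
# Structured query from the thread: select 4624 logons, suppress those whose
# IpAddress field is the literal "-".
$filterXml = [xml]@'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-" ]]</Suppress>
  </Query>
</QueryList>
'@

# Reading the Security log needs an elevated session.
# The 500-event cap is an assumption to keep the run short.
try {
    $events = Get-WinEvent -FilterXml $filterXml -MaxEvents 500 -ErrorAction Stop
}
catch {
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# Flatten each event's <EventData> into a name/value table and keep the logon fields.
$logons = foreach ($e in $events) {
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        TargetUser  = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        LogonType   = $fields['LogonType']
        IpAddress   = $fields['IpAddress']
        IpPort      = $fields['IpPort']
    }
}

# Logon count per source address, busiest first.
$logons |
    Group-Object IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The Suppress clause only drops events whose IpAddress is exactly "-", so any other value in that field still appears in the counts.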