Filtering the Windows event log with an XPath filter
I am trying to filter a Windows event log for "real" interactive logon/unlock events. For this I have written the following XPath filter condition:
*[System
    [EventID=4624]
    [TimeCreated[@SystemTime>'2022-02-09T15:38:26']]
  ]
  [EventData
    [Data
      [@Name='LogonType'] and
      (Data=2 or Data=7 or Data=10 or Data=11)
    ]
    [Data
      [@Name='WorkstationName'] and
      (Data!='-')
    ]
  ]
but for some reason the last condition does not filter anything. I still see events with WorkstationName = '-'. Even if I negate the condition, it gives me back the exact same events. How do I need to configure the filter to have 2 conditions based on EventData combined with AND logic?
In case you want to test it in the Event Viewer, here is the full filter XML (skipping the time filter):
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      Event
        [System
          [EventID=4624]
        ]
        [EventData
          [Data
            [@Name='LogonType'] and
            (Data=2 or Data=7 or Data=10 or Data=11)
          ]
          [Data
            [@Name='WorkstationName'] and
            (Data!='-')
          ]
        ]
    </Select>
  </Query>
</QueryList>
Use:
<Select Path="Security">*[System[EventID=4624 and TimeCreated[@SystemTime>'2022-02-09T15:38:26']]
  and EventData[Data[@Name='LogonType']=2 or Data[@Name='LogonType']=7 or Data[@Name='LogonType']=10 or Data[@Name='LogonType']=11]]</Select>
<Suppress Path="Security">*[EventData[Data[@Name='WorkstationName']='-']]</Suppress>
You select the events you are interested in (in the example above, specific authentication events), then suppress those you are not interested in. There is no limit on the number of suppress lines. The only issue is that an exact match is expected; you cannot use regular expressions or wildcards.
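Why the posted filter lets WorkstationName = '-' through, and how the answer's Select/Suppress pair differs, shown as an added example on constructed events. This is not code from the question or the answer; the sample event values and the helper names `as_posted`, `pinned` and `select_suppress` are assumptions made for illustration, and the Windows event namespace is left out so the standard library parser can be used without prefixes.

```python
# Added example (not from the question or answer): evaluates the page's three
# filter variants against constructed 4624 events. xml.etree's XPath subset
# covers Data[@Name='...'] but not and/or/!= inside a predicate, so each
# filter's XPath semantics are spelled out in Python instead.
import math
import xml.etree.ElementTree as ET

# Constructed sample events (made-up values, event namespace omitted); only
# the EventData fields the filters look at are included.
EVENTS_XML = {
    # Console logon from a named workstation: every variant should keep it.
    "interactive": """<Event><EventData>
        <Data Name="TargetUserName">alice</Data>
        <Data Name="LogonType">2</Data>
        <Data Name="WorkstationName">WS-ALICE</Data>
    </EventData></Event>""",
    # Unlock (type 7) with WorkstationName '-': the question reports these
    # still pass its filter.
    "dash_workstation": """<Event><EventData>
        <Data Name="TargetUserName">bob</Data>
        <Data Name="LogonType">7</Data>
        <Data Name="WorkstationName">-</Data>
    </EventData></Event>""",
    # Service logon (type 5): every variant should drop it.
    "service": """<Event><EventData>
        <Data Name="TargetUserName">SYSTEM</Data>
        <Data Name="LogonType">5</Data>
        <Data Name="WorkstationName">-</Data>
    </EventData></Event>""",
}

INTERACTIVE_TYPES = (2, 7, 10, 11)


def _num(text):
    """XPath number() of a node's string-value: NaN when it is not numeric."""
    try:
        return float(text or "")
    except ValueError:
        return math.nan


def as_posted(event):
    """The question's filter:
      EventData[Data[@Name='LogonType'] and (Data=2 or Data=7 or Data=10 or Data=11)]
               [Data[@Name='WorkstationName'] and (Data!='-')]
    Each side of an 'and' is an independent existential test over *all* Data
    children, so (Data!='-') is true as soon as any field is not '-', which
    TargetUserName always is. That is why WorkstationName='-' gets through."""
    ed = event.find("EventData")
    data = ed.findall("Data")
    logon_ok = (ed.find("Data[@Name='LogonType']") is not None
                and any(_num(d.text) in INTERACTIVE_TYPES for d in data))
    ws_ok = (ed.find("Data[@Name='WorkstationName']") is not None
             and any(d.text != "-" for d in data))
    return logon_ok and ws_ok


def pinned(event):
    """Same intent with each comparison pinned to the named field:
      EventData[(Data[@Name='LogonType']=2 or ... or Data[@Name='LogonType']=11)
                and Data[@Name='WorkstationName']!='-']"""
    ed = event.find("EventData")
    lt = ed.find("Data[@Name='LogonType']")
    ws = ed.find("Data[@Name='WorkstationName']")
    return (lt is not None and _num(lt.text) in INTERACTIVE_TYPES
            and ws is not None and ws.text != "-")


def select_suppress(event):
    """The answer's approach: Select on LogonType, then
      <Suppress>*[EventData[Data[@Name='WorkstationName']='-']]</Suppress>
    An event is shown only if it matches the Select and no Suppress."""
    ed = event.find("EventData")
    lt = ed.find("Data[@Name='LogonType']")
    ws = ed.find("Data[@Name='WorkstationName']")
    selected = lt is not None and _num(lt.text) in INTERACTIVE_TYPES
    suppressed = ws is not None and ws.text == "-"
    return selected and not suppressed


def run_filters():
    """Evaluate all three filters on every sample event."""
    results = {}
    for name, xml in EVENTS_XML.items():
        event = ET.fromstring(xml.strip())
        results[name] = {
            "as_posted": as_posted(event),
            "pinned": pinned(event),
            "select_suppress": select_suppress(event),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in run_filters().items():
        print(f"{name:17s}", verdicts)
```

Running it, `dash_workstation` is kept by `as_posted` only: in XPath, `Data[@Name='WorkstationName'] and (Data!='-')` is two existential tests over all Data children, not one test on the named field. Pinning the comparison to the field (`Data[@Name='WorkstationName']!='-'`) or suppressing the unwanted value, as the answer does, both produce the intended result.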