EventLogQuery: search by attribute and value
I have attempted using a somewhat complex XPath syntax in the EventLogQuery to no avail. I have looked through all Microsoft docs I found by myself and through other posts here. I have primarily looked through these two posts:
EventLogQuery: How to form query string?
EventLogQuery time format expected?
Here are the queries, first one grabs all logon events with the LogonType attribute within a data node. This is redundant as all logon events will have this node, so I was going to further narrow the query to only type 11 for testing:
// This works fine
*[System/EventID=4624 and EventData/Data[@Name='LogonType']]
// This is considered invalid
*[System/EventID=4624 and EventData/Data[@Name='LogonType' and text()='11']]
What is wrong with this query and how could I fix it? I would prefer not to have to retrieve every single logon event and then filter again (i.e. loop through returns and only act on those with an 11) as this seems inefficient. I will be querying against domain controllers with millions of events currently on them.
Comments (1)
For those still searching, I have likely found what the issue is. Microsoft did not fully implement XPath 1.0 for EventLogQuery. They half implemented it and twisted it into what they saw "useful" for querying events. text() is not a usable function. In order to achieve what I was trying, you have to use extremely long, ugly queries such as the following:
*[System/EventID=4624 and (EventData/Data[@Name='LogonType']='2' or EventData/Data[@Name='LogonType']='3' or EventData/Data[@Name='LogonType']='11')]
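As an added example (not part of the original question or answer), this PowerShell snippet builds that style of filter from a list of logon types and runs it with Get-WinEvent -FilterXPath, which hands the XPath to the same Windows event log filtering that EventLogQuery uses, so the selection happens on the server rather than in a client-side loop. The domain controller name and the logon-type list are placeholders.

```powershell
# Added example, not code from the original post. Builds the 'or'-chained
# EventData filter the answer describes and runs it server-side.
# Assumptions: caller can read the Security log; $Dc is a placeholder host name.
$Dc         = 'DC01.example.local'   # placeholder, replace with a real domain controller
$LogonTypes = 2, 3, 11               # interactive, network, cached interactive

# One EventData/Data[@Name='LogonType']='N' term per value; text() is not
# supported by the event log XPath subset, so value comparison is done this way.
$typeTerms = ($LogonTypes | ForEach-Object { "EventData/Data[@Name='LogonType']='$_'" }) -join ' or '
$xpath     = "*[System/EventID=4624 and ($typeTerms)]"
Write-Verbose "XPath: $xpath" -Verbose

# -FilterXPath is evaluated by the event log service on $Dc, so only matching
# 4624 records cross the wire. SilentlyContinue avoids an error when nothing matches.
$events = Get-WinEvent -ComputerName $Dc -LogName 'Security' -FilterXPath $xpath `
                       -MaxEvents 50 -ErrorAction SilentlyContinue

# Read EventData fields by name from the record XML rather than by position,
# since the position of each Data element depends on the event template.
$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        TimeCreated   = $_.TimeCreated
        LogonType     = $d['LogonType']
        TargetUser    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        SourceAddress = $d['IpAddress']
        LogonProcess  = $d['LogonProcessName']
    }
} | Format-Table -AutoSize
```

The same $xpath string can be passed unchanged to the EventLogQuery constructor in C# if you are reading events from .NET code instead of PowerShell.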