madmin
asked on
XML filtering Windows Event Viewer
Hello,
I am having trouble getting my custom Event Viewer XML filter to work in Windows Server 2008 R2.
What I really want is this, but it does not suppress:
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *
    </Select>
    <Suppress Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *[EventData[(RuleName='HP Networked Printer Installer')]]
    </Suppress>
  </Query>
</QueryList>
But even trying to debug with this does not work, returning no results:
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *[EventData[(RuleName='HP Networked Printer Installer')]]
    </Select>
  </Query>
</QueryList>
I've tried several variations based on online tutorials with no luck. Any help would be much appreciated!
ASKER
Thank you for the suggestion. I got this syntax from the defaults filter of this view:
When I used my select query (the second script from my OP) with slashes instead of dashes, I received an error message stating "The specified channel could not be found." Same error with the other variations you suggested. When I used my select query as shown above (the second script from my OP), I receive no errors, just no results.
Since you are selecting "*" (ie everything) try removing the /Firewall.
ASKER
OK, I have tried to reproduce your queries on my machine.
The first one: I can't suppress the event since I don't have one.
The second query confirms that I don't have one.
One is effectively selecting Event nodes.
Are you certain that you have an EventData (under Event) which has an element RuleName equal to something? All of my EventData elements only have Data elements with a Name attribute.
It seems that this predicate never matches anything:
[EventData[(RuleName='HP Networked Printer Installer')]]
My data as an example :
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security" Guid="{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}" />
    <EventID>2010</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-11-02T10:10:20.538089700Z" />
    <EventRecordID>3388</EventRecordID>
    <Correlation />
    <Execution ProcessID="2000" ThreadID="2548" />
    <Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
    <Computer>Windows-7</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData>
    <Data Name="InterfaceGuid">{0510C065-0C85-4CD9-968B-4CB7F543A67E}</Data>
    <Data Name="InterfaceName">ethernet_21</Data>
    <Data Name="OldProfile">4</Data>
    <Data Name="NewProfile">2</Data>
  </EventData>
</Event>
ASKER
This is what I'm trying to filter out:
I have a related but separate problem that prefaces this filtering issue, which is that this log is littered with these entries. A new one is created every 10 seconds or so. I don't have an HP printer installed on this server and I've deleted all traces of HP devices from the registry, so I don't know where it's coming from.
That said, I want to see what happened two days ago at around 9pm, and all I can find are these entries, so even if I solve the problem going forward, I am left with the need for this filter.
Your help is much appreciated.
ASKER CERTIFIED SOLUTION
ASKER
It appears to have worked. Using that filter, I still see events and spot checking they all appear to have that 'HP' string contained within.
If the suppress query should then be:
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *
    </Select>
    <Suppress Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *[EventData/Data='HP Networked Printer Installer']
    </Suppress>
  </Query>
</QueryList>
... then I believe I have determined that there are no other records in this log besides the HP Printer records, because this filter displays no results.
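As an added example that is not part of the thread: the two predicate shapes discussed above, the RuleName child-element form that matches nothing and the Data text form that worked, evaluated against the sample event XML with Python's ElementTree, with the Select/Suppress subtraction done in code. The second event in the constructed sample log, its EventID, and the name-qualified Data[@Name='RuleName'] form are assumptions for illustration, not taken from the thread.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"  # namespace of every Windows event
HP = "HP Networked Printer Installer"

# Constructed sample log: the profile-change event 2010 quoted in the thread, trimmed to
# the fields used here, plus a constructed rule event whose EventData carries a RuleName
# field (field layout and EventID of the second event are assumptions, not from a real log).
SAMPLE_LOG = f"""<Events>
<Event xmlns="{NS}"><System><EventID>2010</EventID><EventRecordID>3388</EventRecordID></System>
 <EventData><Data Name="InterfaceName">ethernet_21</Data><Data Name="NewProfile">2</Data></EventData></Event>
<Event xmlns="{NS}"><System><EventID>2004</EventID><EventRecordID>3389</EventRecordID></System>
 <EventData><Data Name="RuleName">{HP}</Data><Data Name="Direction">1</Data></EventData></Event>
</Events>"""

# Body of the asker's original predicate: a child *element* named RuleName under
# EventData. Windows events have no such element, only <Data Name="..."> children.
BROKEN = f"{{{NS}}}EventData[{{{NS}}}RuleName='{HP}']"
# Body of the form that worked at the end of the thread: any Data child with that text.
WORKING = f"{{{NS}}}EventData[{{{NS}}}Data='{HP}']"

def parse_events(xml_text):
    return ET.fromstring(xml_text).findall(f"{{{NS}}}Event")

def record_id(event):
    return int(event.find(f"{{{NS}}}System/{{{NS}}}EventRecordID").text)

def matches(event, inner_path):
    """Evaluate the body of an Event Viewer '*[ ... ]' predicate, written in
    ElementTree path syntax relative to <Event>, against one event."""
    return event.find(inner_path) is not None

def field_equals(event, name, value):
    """Name-qualified form, *[EventData[Data[@Name='RuleName']='...']] (assumed);
    ElementTree cannot nest predicates, so the text comparison is done in code."""
    fields = event.findall(f"{{{NS}}}EventData/{{{NS}}}Data[@Name='{name}']")
    return any(d.text == value for d in fields)

def records_matching(xml_text, inner_path):
    return [record_id(e) for e in parse_events(xml_text) if matches(e, inner_path)]

def records_with_field(xml_text, name, value):
    return [record_id(e) for e in parse_events(xml_text) if field_equals(e, name, value)]

def apply_query(xml_text, suppress_path):
    """<Select>*</Select> minus <Suppress>: record IDs that survive the filter."""
    return [record_id(e) for e in parse_events(xml_text) if not matches(e, suppress_path)]
```

records_matching(SAMPLE_LOG, BROKEN) is empty because no Data field is exposed as an element named RuleName, while records_matching(SAMPLE_LOG, WORKING) and apply_query(SAMPLE_LOG, WORKING) show the text-based form matching, and then suppressing, only the rule event.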
That could very well be the case. Unfortunately it's cheese time here, so I'm off to have dinner. Have a look at the results and I'll see you tomorrow.
ASKER
Thank you very much for the assistance!
I see that you are using
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
whereas the docs say
Windows Firewall with Advanced Security.
https://technet.microsoft.com/en-us/library/ff428140(v=ws.10).aspx
I'm not sure whether the "Microsoft" or the "Windows" are required, and ought they to be
"Microsoft/Windows/Windows
It may be (which IS the case in XPath) that the path is case sensitive.