Solved

XML filtering Windows Event Viewer

Posted on 2016-11-01
70 Views
Last Modified: 2016-11-02
Hello,

I am having trouble getting my custom Event Viewer XML filter to work in Windows Server 2008 R2.

What I really want is this, but it does not suppress:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *
    </Select>
    <Suppress Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *[EventData[(RuleName='HP Networked Printer Installer')]]
    </Suppress>
  </Query>
</QueryList>


But even trying to debug with this does not work, returning no results:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *[EventData[(RuleName='HP Networked Printer Installer')]]
    </Select>
  </Query>
</QueryList>


I've tried several variations based on online tutorials with no luck. Any help would be much appreciated!
Question by:Filonowst
10 Comments
LVL 27

Expert Comment

by:BigRat
ID: 41870029
I have no idea about this, except that often when no results are obtained the XPath path is incorrect.
I see that you are using

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

whereas the docs say

Windows Firewall with Advanced Security.

https://technet.microsoft.com/en-us/library/ff428140(v=ws.10).aspx

I'm not sure whether the "Microsoft" or the "Windows" are required, and ought they to be
"Microsoft/Windows/Windows Firewall with Advanced Security/Firewall" or perhaps just "Windows Firewall with Advanced Security" (with the "with" in lower case)?

It may be (which IS the case in XPath) that the path is case sensitive.

Author Comment

by:Filonowst
ID: 41870917
Thank you for the suggestion. I got this syntax from the default filter of this view:

Event viewer filter
When I used my select query (the second script from my OP) with slashes instead of dashes, I received an error message stating "The specified channel could not be found." Same error with the other variations you suggested. When I used my select query as shown above (the second script from my OP), I received no errors - just no results.
LVL 27

Expert Comment

by:BigRat
ID: 41870970
Since you are selecting "*" (ie everything) try removing the /Firewall.

Author Comment

by:Filonowst
ID: 41870980
I get the same channel not found error. I think the /Firewall is legitimate because it's a subsection of "Windows Firewall With...".

Event-Viewer-filter.png
LVL 27

Expert Comment

by:BigRat
ID: 41871017
OK, I have tried to reproduce your queries on my machine.

The first one: I can't suppress the event since I don't have one.
The second query confirms that I don't have one.

One is effectively selecting Event nodes.

Are you certain that you have an EventData (under Event)  which has an element RuleName equal to something? All of my EventData elements only have Data elements with a Name attribute.
It seems that this predicate never matches anything:

[EventData[(RuleName='HP Networked Printer Installer')]]

My data, as an example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security" Guid="{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}" />
    <EventID>2010</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-11-02T10:10:20.538089700Z" />
    <EventRecordID>3388</EventRecordID>
    <Correlation />
    <Execution ProcessID="2000" ThreadID="2548" />
    <Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
    <Computer>Windows-7</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData>
    <Data Name="InterfaceGuid">{0510C065-0C85-4CD9-968B-4CB7F543A67E}</Data>
    <Data Name="InterfaceName">ethernet_21</Data>
    <Data Name="OldProfile">4</Data>
    <Data Name="NewProfile">2</Data>
  </EventData>
</Event>


Author Comment

by:Filonowst
ID: 41871027
This is what I'm trying to filter out:
Event-Viewer-filter.png
I have a related but separate problem that prefaces this filtering issue, which is that this log is littered with these entries. A new one is created every 10 seconds or so. I don't have an HP printer installed on this server and I've deleted all traces of HP devices from the registry, so I don't know where it's coming from.

That said, I want to see what happened two days ago at around 9pm, and all I can find are these entries, so even if I solve the problem going forward, I am left with the need for this filter.

Your help is much appreciated.
LVL 27

Accepted Solution

by:BigRat (earned 500 total points)
ID: 41871044
Aha, it's just a problem of getting the predicate right. First we'll try to filter out what we want to suppress.

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *[EventData/Data='HP Networked Printer Installer']
    </Select>
  </Query>
</QueryList>


This should select all those events which contain a Data element about the printer. Try that first.
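Why the original predicate finds nothing and the corrected one works comes down to the shape of the event XML shown earlier in the thread: fields under EventData are not child elements named after the field, they are `<Data Name="RuleName">…</Data>` elements. `EventData[RuleName='…']` therefore asks for an element that never exists, while `EventData/Data='…'` compares the text of each Data element. The added example below (not code from the thread) models the three predicates against a small constructed event log with Python's ElementTree, whose XPath subset covers these forms; Event Viewer resolves the event namespace implicitly, so the ElementTree paths carry an explicit `e:` prefix that the custom-view XPath does not need. The second and third events are constructed stand-ins (their EventID values and field names are assumptions, since the HP event's layout is not visible in the thread); the third is there to show that `EventData/Data='X'` matches the string in any field, whereas `EventData[Data[@Name='RuleName']='X']` matches only the rule name. Requires Python 3.7 or later for the `[.='text']` predicate.

```python
import xml.etree.ElementTree as ET

# Namespace every rendered Windows event carries (see the <Event xmlns=...> sample above).
# Event Viewer resolves it implicitly; ElementTree needs an explicit prefix.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample log, not captured from a real server. Event 1 is cut down from the
# profile-change event pasted in the thread. Events 2 and 3 are stand-ins for the HP rule
# event: their EventID values and field names are assumptions for the illustration only.
SAMPLE_LOG = """<Events>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security" />
      <EventID>2010</EventID>
      <Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
    </System>
    <EventData>
      <Data Name="InterfaceGuid">{0510C065-0C85-4CD9-968B-4CB7F543A67E}</Data>
      <Data Name="InterfaceName">ethernet_21</Data>
      <Data Name="OldProfile">4</Data>
      <Data Name="NewProfile">2</Data>
    </EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security" />
      <EventID>2004</EventID>
      <Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
    </System>
    <EventData>
      <Data Name="RuleName">HP Networked Printer Installer</Data>
      <Data Name="Direction">1</Data>
    </EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security" />
      <EventID>2006</EventID>
      <Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
    </System>
    <EventData>
      <Data Name="RuleName">Core Networking - DNS (UDP-Out)</Data>
      <Data Name="Description">HP Networked Printer Installer</Data>
    </EventData>
  </Event>
</Events>"""

# Event Viewer predicate (as typed into the custom view) -> ElementTree path relative to <Event>.
PREDICATES = {
    # Asker's original, *[EventData[(RuleName='HP ...')]]: a child ELEMENT named RuleName.
    # The rendered XML has none (fields are <Data Name="...">), so the node set is always empty.
    "broken": "e:EventData/e:RuleName",
    # BigRat's fix, *[EventData/Data='HP ...']: any Data element whose text is the rule name.
    "loose": "e:EventData/e:Data[.='HP Networked Printer Installer']",
    # Tighter, *[EventData[Data[@Name='RuleName']='HP ...']]: only the RuleName field.
    "tight": "e:EventData/e:Data[@Name='RuleName'][.='HP Networked Printer Installer']",
}


def load_events(xml_text=SAMPLE_LOG):
    """Parse the log and return its <Event> elements in record order."""
    return ET.fromstring(xml_text).findall("e:Event", NS)


def event_id(event):
    return int(event.findtext("e:System/e:EventID", namespaces=NS))


def matches(event, predicate):
    """An XPath predicate selects an event iff the node set it names is non-empty."""
    return bool(event.findall(PREDICATES[predicate], NS))


def select_ids(predicate, events=None):
    """Model of <Select>*[predicate]</Select>: the events a view would show."""
    events = load_events() if events is None else events
    return [event_id(ev) for ev in events if matches(ev, predicate)]


def suppress_ids(predicate, events=None):
    """Model of <Select>*</Select> plus <Suppress>*[predicate]</Suppress>: what remains."""
    events = load_events() if events is None else events
    return [event_id(ev) for ev in events if not matches(ev, predicate)]


if __name__ == "__main__":
    for name in PREDICATES:
        print(f"{name:6}  Select -> {select_ids(name)}  Suppress -> {suppress_ids(name)}")
```

The debugging order used in the thread is the right one: put the predicate in a `<Select>` first and confirm it returns exactly the events you intend to drop, then move it into `<Suppress>`. The "loose" form also removes the third constructed event, whose rule name is something else entirely; in a real log that is a gap an attacker-created rule could hide in, so prefer the `Data[@Name='RuleName']` form when the field name is known. The same QueryList document can be run from PowerShell with `Get-WinEvent -FilterXml` if you want to script the check rather than click through a custom view.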

Author Comment

by:Filonowst
ID: 41871055
It appears to have worked. Using that filter, I still see events and spot checking they all appear to have that 'HP' string contained within.

If the suppress query should then be:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *
    </Select>
    <Suppress Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
      *[EventData/Data='HP Networked Printer Installer']
    </Suppress>
  </Query>
</QueryList>


... then I believe I have determined that there are no other records in this log besides the HP Printer records, because this filter displays no results.
LVL 27

Expert Comment

by:BigRat
ID: 41871059
That could very well be the case. Unfortunately it's cheese time here, so I'm off to have dinner. Have a look at the results and I'll see you tomorrow.

Author Comment

by:Filonowst
ID: 41871061
Thank you very much for the assistance!