How to modify Server 2012 Event log in Xpath form

Hi,

I have a client for whom we enabled File Auditing in the logs.
The audit logs are trucking along just fine.
My question is:

What code do I enter to have a custom log filter which looks for the past 7 days of logs, on EventIDs 4660 and 4663, for user x?


When creating a custom filter for event ID 4660,4663 we get back results. Nice & dandy.
When adding the username to this filter, the results are blank, which appears to be an issue going back to at least Server 2008.
I located some articles on editing the event query manually.
The suggested query code is as per below (obtained pretty much the same info from various resources such as TechNet, EE, Ars Technica and ServerFault):

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4660 or EventID=4663)
    and
    TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]
    and
    EventData[Data[@Name='TargetUserName'] and (Data='jane.doe')]
    and
    EventData[Data[@Name='LogonType'] and (Data='10')]]
    </Select>
  </Query>
</QueryList>



This code however does not work.
If I change it to the other suggested entry found on various sites I have similar issues in which nothing shows.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4660 or EventID=4663) and EventData[Data[@Name='TargetUserName']='jane.doe'] and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>



I had a look for an hour or so but seem to be going around in circles, so I figured I would see if anyone here has experience with these kinds of things, as it is clearly not my cup of tea (yet).

If anyone has an idea I'd be happy to give it a whirl. Thanks in advance for any guidance.
Attachments: 1.png, 2.png

Maclean (System Engineer) asked:

footech commented:
Give this a shot.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4660 or EventID=4663)
    and
    TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]
    and
    *[EventData[Data[@Name='subjectUsername']='jane.doe']]
    </Select>
  </Query>
</QueryList>

William Miller (Inventory/IT Consultant) commented:
I did find another article in relation to this issue located here:

https://renouncedthoughts.wordpress.com/2014/07/04/event-viewer-filtering-user-events-for-forensics-and-audits/

<QueryList> 
  <Query Id="0" Path="Security"> 
    <Select Path="Security">* [EventData[Data[@Name='subjectUsername']='ma']]</Select> 
  </Query> 
</QueryList>



ma = <UserName> for clarification

It appears this is a filter that works (at least according to the article). I've not tested it myself as I'm not in a location where it would return a result.

Maclean (System Engineer, author) commented:
Thanks for that info.

I checked, and that bit of code works for filtering all events from any time for one user.
The oddity is that if I now add the time and event ID, it displays all users and more than merely the selected Event IDs, which is the part throwing me off.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">* [EventData[Data[@Name='subjectUsername']='jane.doe']]</Select>
    <Select Path="Security">*[System[(EventID=4660 or EventID=4663) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
  </Query>
</QueryList>



As you can see in the example screenshot, it shows, for example, 5140 and 5145, which I have not specified in the above code.
In addition, the account names on some IDs are users John Doe, Mr Smith and Mrs Smith, also not specified in the code.

Attachment: 3.png
Hopefully someone has accomplished something similar in the past and knows what I am doing wrong. Assuming the issue is between chair and keyboard :)
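The behaviour Maclean describes above (extra event IDs and extra users appearing once a second Select is added) follows from how a Query combines its elements: several Select elements inside one Query are a union, so an event is shown when any of them matches, while conditions that must all hold belong in a single Select joined with "and". The first attempt in the question fails for a different reason: 4660 and 4663 record the acting account in SubjectUserName; TargetUserName is a field of logon events such as 4624. The script below is an added example, not code from the thread or from the linked article. It evaluates the three filter shapes against constructed sample events with .NET's XPath engine, so it runs offline (including under pwsh on Linux). Assumptions: the sample events are made up, the Windows event XML namespace is omitted, and the timediff() window is left out because it is a Windows Event Log extension that standard XPath 1.0 lacks.

```powershell
# Added example, not code from the thread. Models how a Windows Event Log
# query combines its pieces, using .NET XPath over constructed sample events.
# Assumptions: events are made up, the event namespace is omitted, and
# timediff() is left out (a Windows extension plain XPath 1.0 lacks).

# Constructed sample events: two object-access events for jane.doe, one
# 4663 for another user, and one share-access event (5145) for jane.doe.
$SampleEvents = @(
    '<Event><System><EventID>4663</EventID></System><EventData><Data Name="SubjectUserName">jane.doe</Data><Data Name="ObjectName">C:\Share\payroll.xlsx</Data></EventData></Event>',
    '<Event><System><EventID>4660</EventID></System><EventData><Data Name="SubjectUserName">jane.doe</Data><Data Name="HandleId">0x1a4</Data></EventData></Event>',
    '<Event><System><EventID>4663</EventID></System><EventData><Data Name="SubjectUserName">john.doe</Data><Data Name="ObjectName">C:\Share\budget.xlsx</Data></EventData></Event>',
    '<Event><System><EventID>5145</EventID></System><EventData><Data Name="SubjectUserName">jane.doe</Data><Data Name="ShareName">\\*\Finance</Data></EventData></Event>'
)

# True when one event matches one Select expression (the per-event test).
function Test-EventMatch {
    param([Parameter(Mandatory)][string]$EventXml,
          [Parameter(Mandatory)][string]$XPath)
    $doc = [xml]$EventXml
    return ($null -ne $doc.SelectSingleNode($XPath))
}

# Several <Select> elements in one <Query> are a union: the event is shown
# if ANY of them matches. Conditions that must all hold go in ONE Select.
function Test-QueryMatch {
    param([Parameter(Mandatory)][string]$EventXml,
          [Parameter(Mandatory)][string[]]$Selects)
    foreach ($s in $Selects) {
        if (Test-EventMatch -EventXml $EventXml -XPath $s) { return $true }
    }
    return $false
}

$ById        = "*[System[(EventID=4660 or EventID=4663)]]"
$ByUser      = "*[EventData[Data[@Name='SubjectUserName']='jane.doe']]"
# Correct combined form: both conditions inside one predicate on the event.
$ByIdAndUser = "*[System[(EventID=4660 or EventID=4663)] and EventData[Data[@Name='SubjectUserName']='jane.doe']]"
# The question's first attempt: 4660/4663 carry no TargetUserName, so this
# never matches anything.
$WrongField  = "*[System[(EventID=4660 or EventID=4663)] and EventData[Data[@Name='TargetUserName']='jane.doe']]"

# One row per sample event showing which filter shape would display it.
function Get-FilterComparison {
    foreach ($e in $SampleEvents) {
        $x = [xml]$e
        $user = ($x.Event.EventData.Data |
                 Where-Object { $_.GetAttribute('Name') -eq 'SubjectUserName' }).InnerText
        [pscustomobject]@{
            EventID    = $x.Event.System.EventID
            User       = $user
            TwoSelects = Test-QueryMatch -EventXml $e -Selects @($ById, $ByUser)   # union
            OneSelect  = Test-QueryMatch -EventXml $e -Selects @($ByIdAndUser)     # intersection
            WrongField = Test-QueryMatch -EventXml $e -Selects @($WrongField)      # always false
        }
    }
}

Get-FilterComparison | Format-Table -AutoSize
```

The TwoSelects column is true for all four sample events (the john.doe 4663 via the ID Select, the 5145 via the user Select), which is the symptom in the screenshot; OneSelect is true only for the two jane.doe object-access events; WrongField never matches.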
William Miller (Inventory/IT Consultant) commented:
Just a thought but have you tried separating the EventIDs into their own arguments instead of trying for a range?

Maclean (System Engineer, author) commented:
I think I tried that but no harm trying again. Will do so in a moment when I have some time.

Maclean (System Engineer, author) commented:
I tried splitting it as per below code

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4660)]]</Select>
    <Select Path="Security">*[System[(EventID=4663)]]</Select>
    <Select Path="Security">* [EventData[Data[@Name='subjectUsername']='jane.doe']]</Select>
  </Query>
</QueryList>



Although this does give me only the two EventIDs I want, it still lists them with various users.
I started doing an online training tutorial for XPath now, but it might be some time before I master it, so if you or anyone has any further ideas I am all ears.
Thanks again.

Maclean (System Engineer, author) commented:
Trying another method through powershell to compare whether it provides the same issues.
Same issue. I can search for EventIDs, but adding the username and, boom, the query fails.
I'm starting to wonder if it is the combination of event ID and username that might be the problem.

This works

Get-WinEvent -LogName Security -FilterXPath "*/System[EventID=4660 or EventID=4663]"



This does not.
(No Matching Events Found it claims, even though I can visually confirm the event exists for the user in question)


Get-WinEvent -LogName Security -FilterXPath "*/System/EventID=4660 and */EventData/Data[@Name='TargetUserName']='jane.doe'" 



I am still looking for the XPath solution as the preferred solution, as the client wants a custom filter on the event log, but if easier, PowerShell might be a Plan B if XPath is not going to get a lot of hits :)

Maclean (System Engineer, author) commented:
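Both footech's accepted query and the Get-WinEvent calls above can be driven from one script. The following is an added example, not code from the thread: it generates the custom-view XML for a 7-day window, event IDs 4660/4663 and one account (using SubjectUserName, which is where those events record the acting user; the TargetUserName attempt above fails because 4660/4663 do not carry that field), runs the XML through Get-WinEvent -FilterXml, and includes the diagnostic that settles the field-name question, a dump of the Data names an event actually carries. It needs a Windows host with object-access auditing enabled and an elevated session; the account name jane.doe, the function names and the day count are assumptions.

```powershell
# Added example, not code from the thread. Builds the custom-view query XML
# for "last N days, event IDs 4660/4663, one account", runs it with
# Get-WinEvent -FilterXml, and lists the Data names an event really has.
# Requires Windows, Security auditing enabled, and an elevated session.
# Assumed values: user name jane.doe, 7-day window, function names.

function New-ObjectAccessQueryXml {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [int[]]$EventId = @(4660, 4663),
        [int]$Days = 7
    )
    # The value lands inside an XPath string literal, so refuse anything
    # that could break out of it (sAMAccountNames never contain these).
    if ($UserName -match "['`"<>&]") { throw "Unsupported character in user name: $UserName" }
    # timediff() compares milliseconds against now: 7 days = 604800000.
    $windowMs = [int64]$Days * 24 * 60 * 60 * 1000
    $idExpr   = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    # 4660/4663 record the acting account in SubjectUserName, not TargetUserName.
    @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[($idExpr) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]
        and EventData[Data[@Name='SubjectUserName']='$UserName']]
    </Select>
  </Query>
</QueryList>
"@
}

# Flattens one event into an object keyed by the real Data names.
function ConvertTo-AuditRecord {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        EventID    = $Event.Id
        User       = $data['SubjectUserName']
        Object     = $data['ObjectName']   # not present on 4660 (handle closed)
        AccessMask = $data['AccessMask']
    }
}

function Get-ObjectAccessEvents {
    param([Parameter(Mandatory)][string]$UserName, [int]$Days = 7, [int]$MaxEvents = 500)
    $query = [xml](New-ObjectAccessQueryXml -UserName $UserName -Days $Days)
    # Get-WinEvent reports an error when nothing matches; treat that as empty.
    Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-AuditRecord -Event $_ }
}

# Diagnostic: the Data names on the newest event of a given ID. Run it for
# 4663 and 4624 to see SubjectUserName on the former, TargetUserName on the latter.
function Get-EventDataNames {
    param([int]$EventId = 4663)
    $e = Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=$EventId]]" -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $e) { return @() }
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $_.GetAttribute('Name') }
}

# Usage (jane.doe is an assumed account name):
New-ObjectAccessQueryXml -UserName 'jane.doe'          # paste into Custom View > XML tab
Get-EventDataNames -EventId 4663
Get-ObjectAccessEvents -UserName 'jane.doe' -Days 7 | Format-Table -AutoSize
```

The string New-ObjectAccessQueryXml returns is exactly what goes into Event Viewer under Create Custom View, XML tab, "Edit query manually". The user name is validated rather than XML-escaped because it ends up inside an XPath string literal, where an escaped quote is decoded by the XML parser before XPath ever sees it.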
Just a bump to see if anyone might have some info. If not I will list it for deletion in a few days  :)

Maclean (System Engineer, author) commented:
That worked. Thanks a lot. Appreciated.
Question has a verified solution.