Advanced XML filtering in the Windows Event Viewer

Hi guys, Joji Oshima here again. Today I want to talk about using Custom Views in the Windows Event Viewer to filter events more effectively. The standard GUI allows some basic filtering, but you have the ability to drill down further to get the most relevant data.
Starting in Windows Vista/2008, you have the ability to modify the XML query used to generate Custom Views.

Limitations of basic filtering:

Basic filtering allows you to display events that meet certain criteria. You can filter by the event level, the source of the event, the Event ID, certain keywords, and the originating user/computer.

[Image: Basic filter for Event 4663 of the security event logs]

You can choose multiple events that match your criteria as well.

[Image: Basic filter for Event 4660 & 4663 of the security event logs]

A real limitation to this type of filtering is the data inside each event can be very different. 4663 events appear when auditing users accessing objects. You can see the account of the user, and what object they were accessing.

[Image: Sample 4663 events for users 'test5' and 'test9']

If you want to see events that are only about user ‘test9’, you need a Custom View and an XML filter.

Using XML filtering and Custom Views:

Custom Views using XML filtering are a powerful way to drill through event logs and only display the information you need. With Custom Views, you can filter on data in the event. To create a Custom View based on the username, right click Custom Views in the Event Viewer and choose Create Custom View.

Click the XML Tab, and check Edit query manually. Click ok to the warning popup. In this window, you can type an XML query. For this example, we want to filter by SubjectUserName, so the XML query is:

      <QueryList>
           <Query Id="0">
              <Select Path="Security">
                 *[EventData[Data[@Name='SubjectUserName'] and (Data='test9')]]
               </Select>
           </Query>
      </QueryList>

After you type in your query, click the Ok button. A new window will ask for a Name & Description for the Custom View. Add a descriptive name and click the Ok button.

You now have a Custom View for any security events that involve the user test9.

Take It One Step Further:

Now that we’ve gone over a simple example, let’s look at the query we are building and what else we can do with it. Using XML, we are building a SELECT statement to pull events that meet the criteria we specify. Using the standard AND/OR Boolean operators, we can expand upon the simple example to pull more events or to refine the list.

Perhaps you want to monitor two users - test5 and test9 - for any security events. Inside the search query, we can use the Boolean OR operator to include users that have the name test5 or test9.

The query below searches for any security events that include test5 or test9.

      <QueryList>
           <Query Id="0">
              <Select Path="Security">
                 *[EventData[Data[@Name='SubjectUserName'] and (Data='test5' or Data='test9')]]
               </Select>
           </Query>
      </QueryList>

Event Metadata:

At this point you may be asking, where did you come up with SubjectUserName and what else can I filter on? The easiest way to find this data is to find a specific event, click on the details tab, and then click the XML View radio button.

From this window, we can see the structure of the Event’s XML metadata. This event has a <System> tag and an <EventData> tag. Each of these data names can be used in the filter and combined using standard Boolean operators.

With the same view, we can examine the <System> metadata to find additional data names for filtering.

Now let’s say we are only interested in a specific Event ID involving either of these users. We can incorporate an AND Boolean to filter on the System data.

The query below looks for 4663 events for user test5 or test9.

      <QueryList>
           <Query Id="0">
              <Select Path="Security">
                 *[EventData[Data[@Name='SubjectUserName'] and (Data='test5' or Data='test9')]]
                 and
                 *[System[(EventID='4663')]]
               </Select>
           </Query>
      </QueryList>
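The same AND/OR query built from parameters and run with Get-WinEvent, as an added example that is not part of the original post (the function names are mine). It uses the single-predicate form Data[@Name='SubjectUserName']='x', which ties the name and the value to one <Data> element, and assumes an elevated session so the Security log can be read.

```powershell
# Added example, not from the original post: build the AND/OR query from
# parameters, run it with Get-WinEvent -FilterXml and pull named <Data> fields
# out of each event's XML. Needs an elevated session to read the Security log.
function New-UserEventQuery {
    param(
        [Parameter(Mandatory)][string[]]$UserName,   # e.g. 'test5','test9'
        [int[]]$EventId = @(4663),
        [string]$LogName = 'Security'
    )
    # Data[@Name='SubjectUserName']='x' binds name and value to the same <Data>
    # element; the two-clause form in the post is true as soon as any <Data>
    # element equals x, whatever its name. Escape() keeps <, & and quotes out of the XML.
    $users = ($UserName | ForEach-Object {
        "Data[@Name='SubjectUserName']='$([System.Security.SecurityElement]::Escape($_))'"
    }) -join ' or '
    $ids = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    return @"
<QueryList>
  <Query Id="0">
    <Select Path="$LogName">
      *[System[($ids)]] and *[EventData[$users]]
    </Select>
  </Query>
</QueryList>
"@
}

function Get-UserEvent {
    param(
        [Parameter(Mandatory)][string[]]$UserName,
        [int[]]$EventId = @(4663)
    )
    $query = New-UserEventQuery -UserName $UserName -EventId $EventId
    # Get-WinEvent throws when nothing matches; SilentlyContinue just yields nothing.
    Get-WinEvent -FilterXml $query -MaxEvents 500 -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$x = $_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                EventId         = $_.Id
                SubjectUserName = $data['SubjectUserName']
                ObjectName      = $data['ObjectName']
            }
        }
}

# 4660 and 4663 events for test5 or test9, the same combination as the post's filters.
Get-UserEvent -UserName 'test5','test9' -EventId 4660,4663 | Format-Table -AutoSize
```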

Broader Filtering:

Say you wanted to filter on events involving test5 but were unsure whether the value is in SubjectUserName, TargetUserName, or somewhere else. You don’t need to name the field the value can be in; instead you can match any Data element in <EventData> that equals test5.

The query below looks for events in which any Data element in <EventData> equals test5.

      <QueryList>
           <Query Id="0">
              <Select Path="Security">
                 *[EventData[Data and (Data='test5')]]
              </Select>
           </Query>
      </QueryList>

Multiple Select Statements:

You can also have multiple Select statements in your query to pull different data from the same log or from another log. You specify which log to pull from in the Path attribute of each <Select> tag, and you can have multiple <Select> tags inside the same <Query> tag.

The example below will pull 4663 events from the security event log and 1704 events from the application event log.

      <QueryList>
           <Query Id="0">
              <Select Path="Security">*[System[(EventID='4663')]]</Select>
             <Select Path="Application">*[System[(EventID='1704')]]</Select>
           </Query>
      </QueryList>

XPath 1.0 Limitations:

Windows Event Log supports a subset of XPath 1.0. There are limitations to what functions work in the query. For instance, you can use the "position", "Band", and "timediff" functions within the query but other functions like "starts-with" and "contains" are not currently supported.
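A working pattern for the unsupported substring case, as an added example that is not part of the original post (the function name is mine): filter in XML on what the subset does support (provider, level and timediff, with the comparison written as &lt;= because a bare < is not allowed in XML text) and apply the wildcard match afterwards in PowerShell. The provider name and message text in the usage line are taken from the comment thread below.

```powershell
# Added example, not from the original post. contains()/starts-with() are not
# available in the event log XPath subset, so narrow the set in XML with what is
# supported (provider, level, timediff) and do the substring match in PowerShell.
function Get-ProviderEventMatching {
    param(
        [Parameter(Mandatory)][string]$Provider,   # provider name as shown under <System>
        [Parameter(Mandatory)][string]$Pattern,    # -like wildcard, e.g. '*Synchronization*'
        [string]$LogName = 'Application',
        [int]$Hours = 24,
        [int[]]$Level = @(1, 2, 3)                 # Critical, Error, Warning
    )
    $ms   = [int64]$Hours * 3600 * 1000            # timediff() compares milliseconds
    $lvl  = ($Level | ForEach-Object { "Level=$_" }) -join ' or '
    $prov = [System.Security.SecurityElement]::Escape($Provider)
    # '<' is not allowed in XML text, so the comparison is written as &lt;=
    $query = @"
<QueryList>
  <Query Id="0">
    <Select Path="$LogName">
      *[System[Provider[@Name='$prov'] and ($lvl)
        and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | Where-Object {
        [xml]$x = $_.ToXml()
        # Classic <Data> elements without a Name attribute come back as plain strings,
        # so take the text either way and match on what the XML filter itself sees.
        $texts = foreach ($d in $x.Event.EventData.Data) {
            if ($d -is [System.Xml.XmlElement]) { $d.InnerText } else { [string]$d }
        }
        @($texts) -like $Pattern
    }
}

# Provider and message text taken from the comment thread below this post.
Get-ProviderEventMatching -Provider 'DirX Identity IdS-J-CITCA-S1' -Pattern '*Synchronization*failed*' |
    Select-Object TimeCreated, Id, Message
```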

Further Reading:

Create a Custom View
http://technet.microsoft.com/en-us/library/cc709635.aspx

Event Queries and Event XML
http://msdn.microsoft.com/en-us/library/bb399427(v=VS.90).aspx

Consuming Events (Windows)
http://msdn.microsoft.com/en-us/library/dd996910(VS.85).aspx

Conclusion:

Using Custom Views in the Windows Event Log can be a powerful tool to quickly access relevant information on your system. XPath 1.0 has a learning curve but once you get a handle on the syntax, you will be able to write targeted Custom Views.

Joji "the sieve" Oshima

[Check out pseventlogwatcher if you want to combine complex filters with monitoring and automation. It’s made by AskDS superfan Steve Grinker: http://pseventlogwatcher.codeplex.com/ – Neditor]

  • I've recently been looking at PowerShell and the Get-WinEvent cmdlet. It comes with a parameter called "FilterXml", and this can be used to pass an XML query to the cmdlet. I've been constructing my queries using the above method of creating a filter in the event viewer, and then copy it from the XML tab to a PS variable I can then pass to the command. Here's a quick example which gets the last 24 hours Warning, Error and Critical messages from all domain controllers:

    Import-Module ActiveDirectory

    $DomainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

    # '<' must be written as &lt; inside the XML text, or the query will not parse
    $Query = @"
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
        <Select Path="Active Directory Web Services">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
        <Select Path="Directory Service">*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
      </Query>
    </QueryList>
    "@

    ForEach ($DC In $DomainControllers) {
        Get-WinEvent -ComputerName $DC -FilterXml $Query -ErrorAction SilentlyContinue
    }

    (Not sure how well it will format)

    This can of course be customized better to include the computer name, display name of the error level, which log it's from etc.

  • Here's another, much simpler example. But quite often it is something without which it is completely impossible even to start reading the Application log.

    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">
          *[System[Provider[@Name!='Microsoft-Windows-Security-SPP']]]
        </Select>
      </Query>
    </QueryList>

  • I am really starting to enjoy the new Windows event logging. The only thing lacking in 2008 R2 and 7 is the ability to do detailed archiving. I see the setting to tell the log to archive, but why would you turn that on, since that is not really a complete solution. If the log were to act like perfmon, where it logged directly to a database, that could be created as an event logging "role" using the express DB engine and have a web interface to filter and work with the events. Though WSMAN is what I use with Get-WinEvent, having rich reporting as part of the central logging would be a winner.

    Thank you for the great info Joji!

  • Superfan, eh?  That smells a little of "groupie", but I'll take it.  :D  Of course you'll never find me wearing AskDS colors and facepaint...

  • Well I *was* gonna say "stalker"...

  • lol...  Ok, then I'll definitely take "superfan"

  • Dear colleagues,

    I have a question regarding filtering of event logs, and it concerns Windows Server 2008.

    I have some application logs which don't output any clear EventID, and I would like to filter these logs by a certain textual content. I would not like to filter on the complete text because the text partly changes. For this I wrote the following XML query:

    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[EventData[Data and (Data="Text1" or Data="Text2")]]
        </Select>
      </Query>
    </QueryList>

    or

    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[Provider[@Name='NameEventSource'] and (Level=2)
          and (EventID=1) and (Data="Text1")]] and
          *[EventData[Data and (Data="Text1")]]
        </Select>
      </Query>
    </QueryList>

    Both variants produce no syntax error but also no results, although the text is contained in many logs.

    What am I doing wrong, or how would the query be right?

    Many thanks for your support,

    Maksu

  • Maksu,

    There are probably a couple of different ways to get the data you are looking for.  Below is one example that uses multiple select statements.  The first does a broad search for “Test1” and the second does a broad search for “Test2”.  For this query, if any event in the application log has “Test1” or “Test2” in the event data, it will be displayed with this XML filter.  I hope this helps.

    <QueryList>
      <Query Id="0">
        <Select Path="Application">*[EventData[Data and (Data='Test1')]]</Select>
        <Select Path="Application">*[EventData[Data and (Data='Test2')]]</Select>
      </Query>
    </QueryList>

    Thank you,

    Joji Oshima

  • Hi Joji,

    many thanks for the fast answer.

    Unfortunately it doesn't work, no result :-(

    The Query:

    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[EventData[Data and (Data='Synchronization')]]</Select>
        <Select Path="Application">*[EventData[Data and (Data='error')]]</Select>
      </Query>
    </QueryList>

    A short example, I have several event logs as follows:

    ERR(JOIN543)  ****** Synchronization 'Identity Domain --> TS' failed; error: "ERR(ASC0134):  Unsupported operation. ".

    Thanks a lot for your support.

    Maksu

  • Maksu -

    Please remember that this is XML filtering, and therefore you can only filter on what is available in the XML data associated with the event. In general, NOT included in this information is the actual text of the event as that is only added when the General tab of the event is displayed.

    To see your filtering options, examine the Details tab of the event you are interested in, and see if there are available data fields on which you could filter to find your information.

    Jonathan Stephens

  • Hi Jonathan,

    thanks a lot for the feedback.

    Here is the information from the Details tab:

    General:

    ERR(JOIN543)  ****** Synchronization 'Identity Domain --> TS' failed; error: "ERR(ASC0134):  Unsupported operation. ".

    Details:

    Friendly View:

    - System
      - Provider
        [ Name]  DirX Identity IdS-J-CITCA-S1
      - EventID 1
        [ Qualifiers]  57344
      Level 2
      Task 0
      Keywords 0x80000000000000
      - TimeCreated
        [ SystemTime]  2011-11-22T01:18:49.000Z
      EventRecordID 523665
      Channel Application
      Computer Servername
      Security
    - EventData
      ERR(JOIN543) ****** Synchronization 'Identity Domain --> TS' failed; error: "ERR(ASC0134): Unsupported operation. ".

    Details:

    Friendly View:

    - <Event xmlns="schemas.microsoft.com/.../event">
      - <System>
          <Provider Name="DirX Identity IdS-J-CITCA-S1" />
          <EventID Qualifiers="57344">1</EventID>
          <Level>2</Level>
          <Task>0</Task>
          <Keywords>0x80000000000000</Keywords>
          <TimeCreated SystemTime="2011-11-22T01:18:49.000Z" />
          <EventRecordID>523665</EventRecordID>
          <Channel>Application</Channel>
          <Computer>Servername</Computer>
          <Security />
        </System>
      - <EventData>
          <Data>ERR(JOIN543) ****** Synchronization 'Identity Domain --> TS' failed; error: "ERR(ASC0134): Unsupported operation. ".</Data>
        </EventData>
      </Event>

    Thanks for your Support,

    Maksu