Starting in the Windows Vista/Server 2008 time frame, an option was made available to modify or create an XML query to generate Custom Views within the Event Viewer. To create a Custom View, open the Event Viewer application, right-click on the Custom Views subfolder and select the Create Custom View menu option.
Click on the XML tab and then on the Edit query manually checkbox. Click on the Yes button within the warning dialog box.
Enter the text of the XML query. Below is some sample text that searches the Security log for the user account test:
<QueryList>
  <Query Id="0">
    <Select Path="Security">
      *[EventData[Data[@Name='SubjectUserName'] and (Data='test')]]
    </Select>
  </Query>
</QueryList>
When finished, give the Custom View entry a name and description.
Queries can include AND/OR operators.
<QueryList>
  <Query Id="0">
    <Select Path="Security">
      *[EventData[Data[@Name='SubjectUserName'] and (Data='test' or Data='testtwo')]]
    </Select>
  </Query>
</QueryList>
To find additional fields to query on, access the details of an event entry and click on the XML view.
The query below looks for events in which any Data field equals test:
<QueryList>
  <Query Id="0">
    <Select Path="Security">
      *[EventData[Data and (Data='test')]]
    </Select>
  </Query>
</QueryList>
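The same XML that drives a Custom View can be handed to Get-WinEvent -FilterXml, which is handy when you want to run the query from a script, or check that a filter matches what you expect before saving it as a view. The script below is an added example, not code from the original post: it builds the AND/OR query shown above for a list of account names (the names 'test' and 'testtwo' are placeholders) and prints the matching events. Reading the Security log requires an elevated PowerShell session.

```powershell
# Added example (not from the original post): run an Event Viewer XML query
# from PowerShell with Get-WinEvent -FilterXml instead of the Custom View dialog.
# Assumptions: 'test' and 'testtwo' are placeholder account names; the session
# is elevated, since the Security log is readable only by administrators.

$accounts = @('test', 'testtwo')   # placeholder names to match

# Build the OR clause from the post, one Data='...' term per account.
$orClause = ($accounts | ForEach-Object { "Data='$_'" }) -join ' or '

# The here-string is exactly the XML a Custom View would contain.
$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">
      *[EventData[Data[@Name='SubjectUserName'] and ($orClause)]]
    </Select>
  </Query>
</QueryList>
"@

# -MaxEvents keeps a first run quick; SilentlyContinue suppresses the
# "No events were found" error when nothing matches.
$events = Get-WinEvent -FilterXml $query -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # ToXml() exposes the same <EventData><Data Name="..."> elements shown in the
    # Event Viewer XML view, which is where further field names to query on come from.
    $xml = [xml]$e.ToXml()
    $subject = ($xml.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
    '{0}  Id={1}  SubjectUserName={2}' -f $e.TimeCreated, $e.Id, $subject
}
```

Note that the post's predicate `Data[@Name='SubjectUserName'] and (Data='test')` only requires that the event has a SubjectUserName field and that some Data element equals test, not necessarily the same one; an event where test appears in TargetUserName would also match. If the comparison must be tied to the named field, write `Data[@Name='SubjectUserName']='test'` instead. The "any field" query at the end of the post can likewise be shortened to `*[EventData[Data='test']]`.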