<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(
EventID=4624
or EventID=4625
or EventID=4634
)]]
and
*[EventData[(
(
Data[@Name='TargetDomainName'] = 'Abcd'
or Data[@Name='AccountDomain'] = 'XYZ'
)
and
(
Data[@Name='TargetUserName'] != 'U123'
)
)]]
</Select>
</Query>
</QueryList>
References
"Event Viewer - Wikipedia, the free encyclopedia." Wikipedia, the free encyclopedia. N.p., n.d. Web. 19 Oct. 2011.
<http://en.wikipedia.org/wiki/Event_Viewer#Filtering_using_XPath_1.0>.
<http://en.wikipedia.org/wiki/Event_Viewer#Filtering_using_XPath_1.0>.
"Windows Event Viewer CUSTOM XML FILTER | Jamin Quimby Installation & Development Notes." Jamin Quimby .com | Jamin Quimby Installation & Development Notes. N.p., n.d. Web. 19 Oct. 2011.
<http://jaminquimby.com/index.php/microsoft-windows-2008/129-windows-event-viewer-custom-xml-filter>.
<http://jaminquimby.com/index.php/microsoft-windows-2008/129-windows-event-viewer-custom-xml-filter>.
"Event Log Hell (finding user logon & logoff) - Ars Technica OpenForum." Ars Technica. N.p., n.d. Web. 19 Oct. 2011.
<http://arstechnica.com/civis/viewtopic.php?f=17&t=1139356>.
<http://arstechnica.com/civis/viewtopic.php?f=17&t=1139356>.
No comments:
Post a Comment