No announcement yet.

Filter events in Vista

  • Filter
  • Time
  • Show
Clear All
new posts

  • Filter events in Vista


    I have the following problem: I would take control of the IP Adresses who access my computer.

    For this I accessed my computer from a second PC and controlled the event viewer. I have made a custom view to filter all security events, that have the ID 4624. Unfortunately there are a lot of other events associated with this event ID. How can I filter the events more detailed, so to show only the events who contain an IP Adress?

    thanks maria

  • #2
    Re: Filter events in Vista

    I dont have the time to dig right now but I believe you can write a custom filter in the xml tab using XPath. Lots of kids activities to take care of today, but if I get a chance I will see if I can figure it out tonight.

    If you want look into it, I would pull up a event that you know is one you want to include and look at it in XML view to find out the fields you will need to query on. Then just need to figure you the XPath query.

    Hope that helps...



    • #3
      Re: Filter events in Vista

      Ok, the OP is probably long gone, but I have been looking into this when I have some free time and could use the help of some more seasoned developers. I can barely find any information in how to use this in Event Viewer.

      I have narrowed the query down to the following:

      <Query Id="0" Path="Security">
      <Select Path="Security">*[System[(EventID=4624)] and EventData[(Data[@Name="IpAddress"])]]</Select>

      but I cant seem to be able to query the data in the IpAddress field. I was thinking setting up a wildcard for the different IPs that could be there, but then I thought about using the <Supress> to remove any events that only show "-" for IPAddress.

      The best documentation I have been able to find is at: but even that is pretty sparse.

      I am basing this off the following event for the full XML:

      - <Event xmlns="">
      - <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
      <TimeCreated SystemTime="2008-06-09T10:39:30.473Z" />
      <Correlation />
      <Execution ProcessID="696" ThreadID="816" />
      <Security />
      - <EventData>
      <Data Name="SubjectUserSid">S-1-5-18</Data>
      <Data Name="SubjectUserName">DAVE-PC$</Data>
      <Data Name="SubjectDomainName">WORKGROUP</Data>
      <Data Name="SubjectLogonId">0x3e7</Data>
      <Data Name="TargetUserSid">S-1-5-18</Data>
      <Data Name="TargetUserName">SYSTEM</Data>
      <Data Name="TargetDomainName">NT AUTHORITY</Data>
      <Data Name="TargetLogonId">0x3e7</Data>
      <Data Name="LogonType">5</Data>
      <Data Name="LogonProcessName">Advapi</Data>
      <Data Name="AuthenticationPackageName">Negotiate</Data>
      <Data Name="WorkstationName" />
      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
      <Data Name="TransmittedServices">-</Data>
      <Data Name="LmPackageName">-</Data>
      <Data Name="KeyLength">0</Data>
      <Data Name="ProcessId">0x2ac</Data>
      <Data Name="ProcessName">C:\Windows\System32\services.ex e</Data>
      <Data Name="IpAddress">-</Data>
      <Data Name="IpPort">-</Data>

      Any help or point to a better resource would be greatly appreciated!



      • #4
        Re: Filter events in Vista

        Ok I got a working query thanks to some help from Phil Fearon over on the Technet forums.

        The final query should looks like this:

        <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624)]]</Select>
        <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-" ]]</Suppress>

        It is first filtering on Event 4624 and then it suppresses any record that doesn't have a valid IP address.

        Hopefully the OP hasn't given up! It was interesting to chase this one down, because there is very little documentation out there on this feature of event viewer, and the implementation of Xpath is not standard in its queries.

        Have a great weekend!



        • #5
          Re: Filter events in Vista

          Nice work Dave. Here come your reps.