EDN Admin
Well-known member
I'm trying to create an XML filter on a Windows 2008 machine to filter forwarded security logs from a Windows 2003 server. In particular, I only want to see the security event log entries that contain the WRITE_DAC attribute, to determine when a file or folder permission has changed.
Based on the XML below I believe that I want to create a filter to look for the %%1539 data value.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" xml:lang="en-US">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">560</EventID>
    <Level>0</Level>
    <Task>3</Task>
    <Keywords>0xa0000000000000</Keywords>
    <TimeCreated SystemTime="2012-01-24T11:11:44.000Z" />
    <EventRecordID>36249353</EventRecordID>
    <Channel>Security</Channel>
    <Computer>HOSTNAME</Computer>
    <Security UserID="SID" />
  </System>
  <EventData>
    <Data>Security</Data>
    <Data>File</Data>
    <Data>C:\Test</Data>
    <Data>1536</Data>
    <Data>0</Data>
    <Data>471088108</Data>
    <Data>2552</Data>
    <Data>C:\WINDOWS\explorer.exe</Data>
    <Data>adminuser</Data>
    <Data>CONTOSO</Data>
    <Data>(0x0,0xEB71278)</Data>
    <Data>-</Data>
    <Data>-</Data>
    <Data>-</Data>
    <Data>%%1538 %%1539 %%4423</Data>
    <Data>-</Data>
    <Data>0</Data>
    <Data>0x60080</Data>
  </EventData>
  <RenderingInfo Culture="en-US" />
</Event>
What I have tried, which doesn't work, is:
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">
      *[EventData[Contains(Data=%%1539)]]
    </Select>
  </Query>
</QueryList>
Any assistance is greatly appreciated.
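The following is an added example, not code from the original post or from any reply to it. Event Log XPath is a small subset of XPath 1.0 whose only supported functions are position(), Band() and timediff(), so a Contains() predicate cannot be used in an Event Viewer or subscription filter; the example therefore selects on the EventID in XPath and does the WRITE_DAC test in PowerShell, against the numeric access mask rather than the rendered Accesses string (%%1539 is the message-table placeholder for WRITE_DAC, 0x00040000). Assumptions, taken from the event quoted above and not from any documentation: the 560 event has 18 positional Data elements, with Accesses at index 14 and the access mask at index 17, and the collector log is ForwardedEvents. Test-WriteDacAccess is a function name chosen for this example.

```powershell
# Added example, not from the original post. Filters forwarded classic 560 (Object Open)
# events for handles opened with WRITE_DAC, by testing the numeric access mask instead of
# searching the rendered Accesses string for the %%1539 placeholder.
#
# Assumptions (from the event quoted in the question, not from any documentation):
#   - the event has 18 positional <Data> elements, with "Accesses" at index 14 and the
#     access mask ("0x60080") at index 17;
#   - the collector log is ForwardedEvents.
# Test-WriteDacAccess is a name chosen for this example.

$WRITE_DAC = 0x00040000   # ACCESS_MASK standard right; rendered as %%1539 in Security messages

function Test-WriteDacAccess {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml  = [xml]$EventXml
    $data = @($xml.Event.EventData.Data)
    if ($data.Count -lt 18) { return $false }      # not the layout this example knows how to read
    $mask = [Convert]::ToInt64($data[17], 16)      # base 16 accepts the "0x" prefix
    return (($mask -band $WRITE_DAC) -ne 0)
}

# Constructed sample: the System and EventData of the event from the question.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">560</EventID>
    <Channel>Security</Channel>
    <Computer>HOSTNAME</Computer>
  </System>
  <EventData>
    <Data>Security</Data><Data>File</Data><Data>C:\Test</Data><Data>1536</Data>
    <Data>0</Data><Data>471088108</Data><Data>2552</Data><Data>C:\WINDOWS\explorer.exe</Data>
    <Data>adminuser</Data><Data>CONTOSO</Data><Data>(0x0,0xEB71278)</Data><Data>-</Data>
    <Data>-</Data><Data>-</Data><Data>%%1538 %%1539 %%4423</Data><Data>-</Data>
    <Data>0</Data><Data>0x60080</Data>
  </EventData>
</Event>
'@

# Offline check against the constructed sample.
Test-WriteDacAccess -EventXml $sample

# Live query against the collector. Event Log XPath supports only position(), Band() and
# timediff(), so the selection is kept to the EventID and the bit test is done in PowerShell.
Get-WinEvent -LogName ForwardedEvents -FilterXPath '*[System[EventID=560]]' -ErrorAction SilentlyContinue |
    Where-Object { Test-WriteDacAccess -EventXml $_.ToXml() } |
    ForEach-Object {
        $d = @(([xml]$_.ToXml()).Event.EventData.Data)
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            ObjectType  = $d[1]
            ObjectName  = $d[2]
            Process     = $d[7]
            User        = "$($d[9])\$($d[8])"
            Accesses    = $d[14]
            AccessMask  = $d[17]
        }
    }
```

For the sample above the function returns True, because 0x60080 has the 0x40000 bit set; the same mask also carries READ_CONTROL (0x20000, %%1538) and FILE_READ_ATTRIBUTES (0x80, %%4423), which is why the Accesses string lists three placeholders. One caveat for anyone using this as a permission-change detector: a 560 event records that a handle to the object was opened with WRITE_DAC among the granted accesses; it does not by itself prove that the DACL was subsequently modified.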