Question
Tuesday, October 9, 2018 1:58 PM
I have this xml generated in the event viewer, I want to filter by the user field inside UserData and I want to see only the notes of a specific user.
<Event>....
  <UserData>
    <EventXML xmlns="Event_NS">
      <User>PC\User1</User>
      <SessionID>7</SessionID>
      <Address>LOCAL</Address>
    </EventXML>
  </UserData>
</Event>
Generated XML info
I filter by the event ID; that part was generated by the viewer and works well. Then I add the UserData line. I cannot find the proper way of doing it following the little documentation that I have found. When I apply this filter, it does not give an error, but no entries appear, not even those of User1.
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
    <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
      *[System[(EventID=24 or EventID=21)]]
      and
      *[Event[UserData[EventXML[@xmlns='Event_NS'] and (User='PC\User1')]]]
    </Select>
  </Query>
</QueryList>
All replies (3)
Wednesday, October 10, 2018 2:48 AM
Please refer to this blog for some ideas.
Advanced XML filtering in the Windows Event Viewer
Regards
Wednesday, October 10, 2018 6:42 AM
Yes, that's the page I used to write the code, but it does not work for me. I do not see what I am doing wrong to get inside the EventXML.
In the examples there is no case where there are other labels inside the same label:
EventXML xmlns="Event_NS"
Thursday, May 14, 2020 6:39 PM
I know this thread is old but I figured it out! Hopefully it will help someone else out in the future.
I was looking for a solution for this as well but was unable to find one. I eventually kept playing with the syntax until I got it right.
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
    <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
      *[UserData[EventXML[@xmlns='Event_NS'][User='DOMAIN\USERNAME']]]
    </Select>
  </Query>
</QueryList>
Omit the "and" and you can continue to drill down. The "@" appears to be a delimiter for spaces when spaces are present in the path.
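For reviewing an exported copy of this log offline, the filter discussed in this thread (event ID 21 or 24 plus the User value under UserData/EventXML) can be applied in Python. This is an added example, not code from any of the posters; the sample events are constructed, and the function names, the `<Events>` root wrapper and the case-insensitive user comparison are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample export (not real log data). The <Events> root wrapper is an
# assumption; the UserData layout follows the event XML shown in the question.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>21</EventID><TimeCreated SystemTime="2018-10-09T11:58:00Z"/></System>
  <UserData><EventXML xmlns="Event_NS"><User>PC\User1</User><SessionID>7</SessionID><Address>LOCAL</Address></EventXML></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>24</EventID><TimeCreated SystemTime="2018-10-09T12:30:00Z"/></System>
  <UserData><EventXML xmlns="Event_NS"><User>PC\User2</User><SessionID>8</SessionID><Address>10.0.0.5</Address></EventXML></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>25</EventID><TimeCreated SystemTime="2018-10-09T12:31:00Z"/></System>
  <UserData><EventXML xmlns="Event_NS"><User>PC\User1</User><SessionID>7</SessionID><Address>LOCAL</Address></EventXML></UserData>
</Event>
</Events>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]

def child(elem, name):
    """First direct child with the given local name, or None."""
    return next((c for c in elem if local(c.tag) == name), None)

def sessions_for_user(xml_text, user, event_ids=(21, 24)):
    """Return the EventXML fields of matching events for one account."""
    hits = []
    for ev in ET.fromstring(xml_text).iter():
        if local(ev.tag) != "Event":
            continue
        system, userdata = child(ev, "System"), child(ev, "UserData")
        payload = child(userdata, "EventXML") if userdata is not None else None
        eid = child(system, "EventID") if system is not None else None
        if payload is None or eid is None or not (eid.text or "").strip().isdigit():
            continue  # skip events without the expected structure
        fields = {local(f.tag): (f.text or "").strip() for f in payload}
        # Assumption: account names are compared case-insensitively.
        if int(eid.text) in event_ids and fields.get("User", "").lower() == user.lower():
            stamp = child(system, "TimeCreated")
            when = stamp.get("SystemTime") if stamp is not None else None
            hits.append({"EventID": int(eid.text), "Time": when, **fields})
    return hits

if __name__ == "__main__":
    print(sessions_for_user(SAMPLE, r"PC\User1"))
```

Elements are matched by local name, so the same function works whether or not the export carries the `Event_NS` and event-schema namespace declarations.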