I've looked at a few different posts but I must be missing something because what I'm constructing isn't working.
Here's the XML code of an example event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ERAS WCF" />
    <EventID Qualifiers="0">0</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-07-09T20:32:51.000000000Z" />
    <EventRecordID>899070</EventRecordID>
    <Channel>Application</Channel>
    <Computer>server.f.q.d.n</Computer>
    <Security />
  </System>
  <EventData>
    <Data>User username@f.q.d.n has submitted 'Get BIOS Information' operation from servername to computername.f.q.d.n.</Data>
  </EventData>
</Event>
This is my query:
<QueryList>
  <Query Id="0">
    <Select Path="Application">*[EventData[Data and (Data='computername' or Data='ip.add.re.ss')]]</Select>
  </Query>
</QueryList>
I always get 0 results, even if I take stabs in the dark:
- *[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
- *[EventData[Data and (Data='*computername*')]]
- *[EventData[Data and (Data='%computername%')]]
I used this post as my guide for filtering based on content: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
Also:
I hope this is the right place for this question. This said to post in the server forums, but in the server forums, it said to post here.
I happen to be doing this on a server, but it could just as easily be a desktop.
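An added example, not part of the post above, showing how to get at events like the sample one from PowerShell. In the XPath subset that Event Viewer and Get-WinEvent accept, `Data='computername'` is an equality test against the whole text of a Data element, and that subset offers no contains() or wildcard matching, so a Data value holding a full sentence never matches a bare host name. The approach below therefore uses XPath only for what it does well (provider and level, taken from the sample event) and does the substring match on the rendered message in PowerShell. The pattern and provider name are placeholders copied from the sample event.

```powershell
# Added example: narrow the Application log with the XPath subset that the
# event log supports, then substring-match the message text in PowerShell.
# Values below are placeholders taken from the sample event in the post.

$pattern = 'computername.f.q.d.n'   # substring expected somewhere in the message

# XPath handles provider and level well; Data='...' is an exact match of the
# whole Data value, so the substring test is deferred to Where-Object.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Provider[@Name='ERAS WCF'] and (Level=4)]]
    </Select>
  </Query>
</QueryList>
"@

# -ErrorAction SilentlyContinue suppresses the "No events were found" error
# that Get-WinEvent raises when the XPath part matches nothing.
Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$pattern*" } |
    Select-Object TimeCreated, Id, RecordId, MachineName, Message |
    Format-Table -AutoSize -Wrap
```

The same `<QueryList>` can be pasted into the XML tab of Event Viewer's Filter Current Log dialog to confirm that the provider/level part returns rows; only the substring step needs PowerShell. For logs where the value of interest is a whole Data element (for example a user name in the Security log), the `EventData[Data='...']` form in the post does work, because the comparison is then against a value that equals the string exactly.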