My thoughts and tips from my work life.

Monday, June 28, 2010

Query Windows 7/Vista/Server 2008 Security Log for Login Failures using an XPATH

6:49 PM, posted by erikpt

The following XPATH query returns every “Audit Failure” event from the Windows Security event log (the Keywords bit 0x0010000000000000, decimal 4503599627370496, written by the Microsoft-Windows-Security-Auditing provider) whose TargetUserName field equals the string “username”.  Ideally you’d be able to use a contains(.,“username”) clause instead of the =“username” syntax, but so far I haven’t been able to make that work.

Code Snippet

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] ]] and (*[System[band(Keywords,4503599627370496)]]) and (*[EventData[Data[@Name="TargetUserName"]="username"]])</Select>
  </Query>
</QueryList>
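Here is an added PowerShell example (my own, not code from the original post) that runs the same provider-and-keyword filter through Get-WinEvent and then does the substring match on TargetUserName client-side, which is the workaround for the missing contains() clause: the Windows Event Log XPath subset only supports a handful of functions (position, band, timediff), so the substring test has to happen in PowerShell after the server-side filter has narrowed the result set. The $Pattern and $MaxEvents parameters are my own additions; the query text itself is the post's, minus the exact-match clause on TargetUserName.

```powershell
# Added example, not from the original post. Run from an elevated prompt:
# reading the Security log needs administrator or "Event Log Readers" rights.
# $Pattern and $MaxEvents are assumed parameter names chosen for this example.
param(
    [string]$Pattern   = 'username',   # substring of the target account name
    [int]   $MaxEvents = 1000          # cap on events pulled from the log
)

# Same provider + Audit Failure keyword filter as the post, but without the
# TargetUserName="username" clause: the exact-match is replaced by a
# substring match done in PowerShell below, since the event log XPath
# subset has no contains().
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and band(Keywords,4503599627370496)]]</Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml ([xml]$filterXml) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # EventData fields are easiest to read from the event's XML rendering:
    # each <Data Name="...">value</Data> becomes a key/value pair here.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Events without a TargetUserName (some audit failures are not logons)
    # yield $null here, and $null -like "*x*" is $false, so they are skipped.
    if ($data['TargetUserName'] -like "*$Pattern*") {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']
            SourceIp  = $data['IpAddress']
            Status    = $data['Status']
        }
    }
}
```

Two caveats worth keeping in mind. First, the Audit Failure keyword covers every failed audit, not only logons; if you want logon failures specifically, add an EventID clause (for example 4625 for a failed logon on the machine, 4771 for a failed Kerberos pre-authentication and 4776 for a failed NTLM credential validation on a domain controller). Second, if an exact match on the account name is good enough, keep the post's query unchanged and pass it to -FilterXml as-is; the server-side filter is far cheaper than pulling events into PowerShell and testing them one by one.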

If you have some über-cool XPATHs you use to query your event logs, post them to the comments section.

© 2006-2015 Erik Pitti, All Rights Reserved.