Query Windows 7/Vista/Server 2008 Security Log for Login Failures using an XPATH
The following XPATH query returns all “Audit Failure” events from the Windows Security event log where the user name matches the string “username”. Ideally you’d be able to use a contains(., "username") clause instead of the ="username" syntax, but so far I haven’t been able to make that work.
Code Snippet
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']]] and (*[System[band(Keywords,4503599627370496)]]) and (*[EventData[Data[@Name="TargetUserName"]="username"]])</Select>
  </Query>
</QueryList>
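The Event Log service implements only a subset of XPath 1.0 that does not include contains(), so a substring match has to happen on the client. The PowerShell function below is an added example, not code from the original post: it runs the same provider and Audit Failure clauses through Get-WinEvent -FilterXml and then filters TargetUserName by substring. The function name Find-AuditFailureByUserSubstring and the sample pattern 'admin' are assumptions.

```powershell
# Added example: function name and the sample pattern are assumptions, not from the post.
function Find-AuditFailureByUserSubstring {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,  # literal substring of TargetUserName
        [int]$MaxEvents = 1000                           # cap on events pulled from the log
    )

    # Server-side filter: the post's provider and Audit Failure keyword clauses,
    # without the exact-match TargetUserName clause.
    [xml]$filter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']]] and *[System[band(Keywords,4503599627370496)]]</Select>
  </Query>
</QueryList>
'@

    # Reading the Security log requires an elevated session.
    Get-WinEvent -FilterXml $filter -MaxEvents $MaxEvents | ForEach-Object {
        $evt = $_
        $doc = [xml]$evt.ToXml()

        # Locate the <Data Name="TargetUserName"> element; not every audit failure has one.
        $user = $null
        foreach ($node in $doc.GetElementsByTagName('Data')) {
            if ($node.GetAttribute('Name') -eq 'TargetUserName') { $user = $node.InnerText; break }
        }
        if ($null -eq $user) { return }   # skip events without a target user

        # Literal, case-insensitive substring test (no wildcard or regex interpretation).
        if ($user.IndexOf($Pattern, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            New-Object PSObject -Property @{
                TimeCreated    = $evt.TimeCreated
                EventId        = $evt.Id
                TargetUserName = $user
                Computer       = $evt.MachineName
            } | Select-Object TimeCreated, EventId, TargetUserName, Computer
        }
    }
}

# Constructed sample call: audit failures whose target user name contains "admin".
Find-AuditFailureByUserSubstring -Pattern 'admin'
```

Because the user name filter runs after retrieval, -MaxEvents bounds how far back the search reaches; raise it on busy domain controllers.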
If you have some über-cool XPATHs you use to query your event logs, post them to the comments section.