
I'm trying to start a task that gets triggered by specific events. The XML configuration for the filter I'm using is the following:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(Level=4 or Level=0) and (EventID=5145)]]and
    *[EventData[Data[@Name='AccessList'] and (Data='%%1538&#xD;&#xA;&#x09;&#x09;&#x09;&#x09;%%4416&#xD;&#xA;&#x09;&#x09;&#x09;&#x09;%%4419&#xD;&#xA;&#x09;&#x09;&#x09;&#x09;%%4423&#xD;&#xA;&#x09;&#x09;&#x09;&#x09;')]]and
    *[EventData[Data[@Name='ShareName'] and (Data='\\*\Justin-Archiv')]]
    </Select>
  </Query>
</QueryList>

The configuration works fine when used with the Event Viewer. However, the task doesn't get triggered if a new event matching the criteria happens. After removing the

*[EventData[Data[@Name='AccessList'] and (Data='%%1538&#xD;&#xA;&#x09;&#x09;&#x09;&#x09;%%4416&#xD;&#xA;&#x09;&#x09;&#x09;&#x09;%%4419&#xD;&#xA;&#x09;&#x09;&#x09;&#x09;%%4423&#xD;&#xA;&#x09;&#x09;&#x09;&#x09;')]]

part, the event gets triggered. So there has to be a problem with that part.

Thanks a lot in advance!

Maurice
  • I would assume that the access list is different between the events, have you looked at that? – Lucky Luke Jul 23 '15 at 16:03
  • How would the AccessList be different? The task should trigger at that specific event. – Maurice Jul 24 '15 at 09:52
  • The AccessList is a dynamic part of the event, so if just one character differs, the query condition "and Data='..." won't work anymore. That's almost certainly the reason it's not working. But without seeing the events it's hard to say. Are you sure the events are identical? – Lucky Luke Jul 24 '15 at 13:48
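
One way to run the check raised in the comments, as an added example that is not part of the original question or comments: it decodes the AccessList literal from the filter, extracts the AccessList from event XML, and reports whether the two strings are character-for-character equal and where they first diverge. The event XML samples and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def escaped_access_list(*codes):
    # Each right is followed by CR LF and four tabs, as in the question's filter.
    return "".join(f"%%{c}&#xD;&#xA;" + "&#x09;" * 4 for c in codes)

def make_event(access_list):
    # Constructed minimal 5145 event XML (sample data, not from the page).
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5145</EventID></System>'
            f'<EventData><Data Name="AccessList">{access_list}</Data></EventData></Event>')

def decoded(escaped):
    # Decode character references the same way the event XML is decoded.
    return ET.fromstring(f"<d>{escaped}</d>").text

def event_access_list(event_xml):
    node = ET.fromstring(event_xml).find("e:EventData/e:Data[@Name='AccessList']", NS)
    return None if node is None else node.text

def compare(filter_value, event_value):
    """Report whether the strings are identical and, if not, where they diverge."""
    f_codes, e_codes = (re.findall(r"%%\d+", v) for v in (filter_value, event_value))
    pairs = zip(filter_value, event_value)
    first = next((i for i, (a, b) in enumerate(pairs) if a != b),
                 min(len(filter_value), len(event_value)))
    exact = filter_value == event_value
    return {
        "exact": exact,
        "first_diff": None if exact else first,
        "only_in_event": [c for c in e_codes if c not in f_codes],
        "only_in_filter": [c for c in f_codes if c not in e_codes],
    }

RIGHTS = (1538, 4416, 4419, 4423)                      # codes from the question's filter
FILTER_VALUE = decoded(escaped_access_list(*RIGHTS))
SAME = make_event(escaped_access_list(*RIGHTS))        # constructed: identical list
EXTRA = make_event(escaped_access_list(*RIGHTS, 4424)) # constructed: one more right
# Constructed: same rights, but the first CR is missing (one character differs).
NO_CR = make_event(escaped_access_list(*RIGHTS).replace("&#xD;", "", 1))

if __name__ == "__main__":
    for name, ev in (("same", SAME), ("extra", EXTRA), ("no_cr", NO_CR)):
        print(name, compare(FILTER_VALUE, event_access_list(ev)))
```

To use it on real data, copy the XML of a 5145 event from the Event Viewer's Details tab and pass it to `event_access_list` in place of the constructed samples.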
