I want to deploy a centralized log analysis tool on my domain. I'm currently configuring Windows to audit a shared network drive (read, write, access attempt of domain users) to forward Windows events to my server.

Since Windows audit logs are REALLY NOISY (I mean events 4663, 4656 (system32, C:\Windows, applications...)), basic filtering is not sufficient for me. Ideally I would like to get only the events of this folder, for example C:\MyFolder, with a customised view.

After checking some documentation, I didn't see anything about "ObjectName" Filtering, and I'm not quite sure it is possible...

I tried this syntax and many others (by replacing \ with \, by naming a single file instead of the folder, "EventData..." instead of *[EventData...]...), but anyway I can't get any logs inside.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
       *[System[(EventID='4663' or EventID='4656')]] //it works
       and
       *[EventData[Data[@Name='ObjectName']and(Data='C:\MyFolder*')]]
     </Select>
  </Query>
</QueryList>

Then, I'm not sure I can use '*'; I thought it should be the only way to do it with XPath 1.0, since it is really limited in functions.

Do you have an idea?

Aexyn
  • Sadly, I don't think this is possible, since Microsoft's XPath support is pretty limited. Wildcards are not supported, and most of the standard string methods from the XPath standard are not supported in the Windows event viewer. They supposedly support the position() function, but I wasn't able to get it to work so far. If you Google "xpath windows event viewer position" then you'll find a bunch of other serverfault etc. entries. – Lucky Luke Jun 17 '16 at 20:58
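An added example, not from the question or the comment above: since the Event Viewer XPath subset cannot match a path prefix, keep the XPath that does work (the EventID clause) and apply the folder filter afterwards in PowerShell, where the ObjectName field can be compared with a wildcard. It assumes the account running it can read the Security log; the folder path is a placeholder taken from the question.

```powershell
# Added example (not from the original post): narrow Security events 4663/4656 to one
# folder with a PowerShell post-filter, because the Event Viewer XPath subset has no
# wildcard or starts-with() support for EventData values.
function Get-FolderAccessEvents {
    param(
        # Placeholder folder from the question; adjust to the audited share path.
        [string]$Folder = 'C:\MyFolder',
        [int]$MaxEvents = 5000
    )

    # This part of the original query is the part that works in Event Viewer.
    $xpath = "*[System[(EventID=4663 or EventID=4656)]]"

    # Escape any wildcard characters in the folder name, then match the folder
    # itself and anything below it.
    $prefix = [WildcardPattern]::Escape($Folder)
    $pattern = "$prefix\*"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            # EventData/Data elements are keyed by their Name attribute; index them
            # so ObjectName, SubjectUserName etc. can be read by name.
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventID     = $_.Id
                Subject     = $data['SubjectUserName']
                ObjectName  = $data['ObjectName']
                AccessMask  = $data['AccessMask']
                ProcessName = $data['ProcessName']
            }
        } |
        Where-Object { $_.ObjectName -eq $Folder -or $_.ObjectName -like $pattern }
}

# Example use: show the most recent accesses under the audited folder.
Get-FolderAccessEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The filter runs on the collecting side rather than in the subscription, so the 4663/4656 events for system paths still cross the wire; it only keeps them out of the view.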

0 Answers