Windows Event Log, can you xpath filter for string NOT equal?

Question

Is there a way to filter for events where a certain attribute is NOT the given string in Windows (Server 2016) Event Viewer's limited dialect of XPath?

I'm trying to get a view on logon events, but only actual user logons (console and RDP).

This is accepted as a filter, but gives too many results, as if the final AND term is ignored:

<QueryList> <Query Id="0" Path="Security"> <Select Path="Security">
    *[System[(EventID=4624)]]
and *[EventData[Data[@Name='LogonType'] and (Data=1 or Data=8 or Data=9)]]
and *[EventData[Data[@Name='TargetUserName'] and (Data!='SYSTEM')]]
</Select> </Query> </QueryList>

When I change the third test to this, it is flagged as "invalid query".

and not *[EventData[Data[@Name='TargetUserName'] and (Data='SYSTEM')]]

Yet I found an answer to another XPath question that suggests to prefer this form, because != gives the wrong result when one side of the comparison is a set instead of a value.

And the same for this, invalid query

and *[EventData[Data[@Name='TargetUserName'] and not (Data='SYSTEM')]]

or this

and *[EventData[Data[@Name='TargetUserName'] and !(Data='SYSTEM')]]

Untested suggestion: Have you tried `... and (Data!='SYSTEM')` or `... and (not Data='SYSTEM')` ? — Bill Hileman, Mar 20 '18 at 15:48

score 11 · Answer 1 · answered Jul 02 '18 at 16:48

Your query should look like this:

<QueryList> 
    <Query Id="0" Path="Security">
        <Select Path="Security">
            *[System[(EventID=4624)]]
            and *[EventData[Data[@Name='LogonType'] and (Data=1 or Data=8 or Data=9)]]
        </Select>
        <Suppress Path="Security">
            *[EventData[Data[@Name='TargetUserName'] and (Data='SYSTEM')]]
        </Suppress>
    </Query>
</QueryList>

Suppress is the secret

score 2 · Answer 2 · answered Mar 25 '19 at 11:25

You've been caught out by common but wrong examples. Your first DataEvent search asks for records that contain a "LogonType" element, and also has the value 1 or 8 or 10 in any element. It isn't confined to checking the "LogonType" element. This happens to work because only "LogonType" elements contain those values.

To match in any element you write

Data=1

To match in a specific element you need to write:

Data[@Name='SpecificType']=1

for each value, so that query should read:

*[EventData[ (Data[@Name='LogonType']=1 or Data[@Name='LogonType']=8 or Data[@Name='LogonType']=9)]]

The second EventData section is asking for any record that has a data value that doesn't match 'SYSTEM', which is why it returns all of them. It should be:

*[EventData[Data[@Name='TargetUserName']!='SYSTEM']]

You can combine the two

*[EventData[ (Data[@Name='LogonType']=1 or Data[@Name='LogonType']=8 or Data[@Name='LogonType']=9) and Data[@Name='TargetUserName']!='SYSTEM']]

This would seem to be the more efficient way to query (incl. doing 'NOT') as it gets into the proper structure of the data. — Chalky, Apr 03 '21 at 22:05

Windows Event Log, can you xpath filter for string NOT equal?

2 Answers2