
I have attempted using a somewhat complex XPath syntax in the EventLogQuery to no avail. I have looked through all Microsoft docs I found by myself and through other posts here. I have primarily looked through these two posts:

EventLogQuery: How to form query string?
EventLogQuery time format expected?

Here are the queries, first one grabs all logon events with the LogonType attribute within a data node. This is redundant as all logon events will have this node, so I was going to further narrow the query to only type 11 for testing:

// This works fine
*[System/EventID=4624 and EventData/Data[@Name='LogonType']]
// This is considered invalid
*[System/EventID=4624 and EventData/Data[@Name='LogonType' and text()='11']]

What is wrong with this query and how could I fix it? I would prefer not to have to retrieve every single logon event and then filter again (i.e. loop through returns and only act on those with an 11) as this seems inefficient. I will be querying against domain controllers with millions of events currently on them.

CSharper

1 Answer


For those still searching, I have likely found what the issue is. Microsoft did not fully implement XPath 1.0 for EventLogQuery. They half implemented it and twisted it into what they saw "useful" for querying events. text() is not a usable function. In order to achieve what I was trying, you have to use extremely long, ugly queries such as the following:

*[System/EventID=4624 and (EventData/Data[@Name='LogonType']='2' or EventData/Data[@Name='LogonType']='3' or EventData/Data[@Name='LogonType']='11')]

CSharper
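An added example (not from the question or answer above) that generalises the workaround in the answer: it builds the "or"-joined comparison form for any list of LogonType values, runs it through EventLogQuery/EventLogReader, and reads LogonType and TargetUserName by name from each event's XML rather than by property index. The server name "DC01" is a placeholder assumption; drop the Session assignment to query the local Security log.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;

static class LogonTypeQuery
{
    // Build the filter in the form the Event Log XPath subset accepts:
    // one attribute-value comparison per wanted LogonType joined with "or".
    // text() is not available here, so the value is compared on the Data node itself.
    public static string Build(int eventId, IEnumerable<int> logonTypes)
    {
        var terms = logonTypes.Select(t => $"EventData/Data[@Name='LogonType']='{t}'");
        return $"*[System/EventID={eventId} and ({string.Join(" or ", terms)})]";
    }

    // Read a named EventData field from the event's XML; this avoids depending on
    // the positional index of Properties, which differs between event definitions.
    static string Field(XDocument doc, XNamespace ns, string name) =>
        doc.Descendants(ns + "Data")
           .Where(d => (string)d.Attribute("Name") == name)
           .Select(d => d.Value)
           .FirstOrDefault();

    static void Main()
    {
        string xpath = Build(4624, new[] { 2, 3, 11 });  // interactive, network, cached interactive
        var query = new EventLogQuery("Security", PathType.LogName, xpath)
        {
            Session = new EventLogSession("DC01")  // assumption: placeholder DC name
        };
        XNamespace ns = "http://schemas.microsoft.com/win/2004/08/events/event";

        // The filter runs on the server side, so only matching 4624 events are returned.
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    var doc = XDocument.Parse(rec.ToXml());
                    Console.WriteLine(
                        $"{rec.TimeCreated?.ToString("u")} id={rec.Id} " +
                        $"LogonType={Field(doc, ns, "LogonType")} user={Field(doc, ns, "TargetUserName")}");
                }
            }
        }
    }
}
```

Reading the Security log on a domain controller requires the Event Log Readers right (or equivalent) for the account running the query.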