Folks,
I am trying to craft a custom XML / Xpath filter to the Windows Event Log viewer to exclude the countless "SYSTEM" Logons from the security log's view. I have managed to get this far with the help of the Technet blog on XML filtering:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=4624)]]
and
*[EventData[Data[@Name='TargetUserSid'] and (Data!='S-1-5-18')]]
</Select>
</Query>
</QueryList>
But against all expectations I still have events like this one (among others, of course) in the view:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2013-07-18T15:12:55.797049800Z" />
<EventRecordID>199135861</EventRecordID>
<Correlation />
<Execution ProcessID="496" ThreadID="3028" />
<Channel>Security</Channel>
<Computer>SBS.domain.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">SBS$</Data>
<Data Name="TargetDomainName">DOMAIN</Data>
<Data Name="TargetLogonId">0x684af79a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">
</Data>
<Data Name="LogonGuid">{9D5E970C-928D-E3FD-8D96-09044670F33E}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">fe80::cc18:cb50:1710:c2a7</Data>
<Data Name="IpPort">6413</Data>
</EventData>
</Event>
I have trouble understanding why an event with the TargetUserSid attribute of S-1-5-18 has been included in the view while it should not be. It works in the other direction too - if I define the filter to be *[EventData[Data[@Name='TargetUserSid'] and (Data='S-1-5-18')]], I see events with a different TargetUserSid "slipping through".
Chosing a different (long) SID from a domain object seems to work as expected and gives me a view with the events having TargetUserSid set accordingly only.
I also tried filtering on other attributes like TargetUserName, but only to encounter similar problems.
Any hints on how to fix my query or working examples of similar cases greatly appreciated.
