Filter Windows Event Security logs by a range of Source IP Address

Question

So i know you could filter by a Source IP Address. But what if you want to filter by a range of Source IP address. i tried

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] 
      and 
      *[EventData[Data[@Name ='LogonType']='3']] 
      and
      *[EventData[Data[@Name="IpAddress"] and (Data="10.10.22.xxx")]]
   </Select>
  </Query>
</QueryList>

and

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] 
      and 
      *[EventData[Data[@Name ='LogonType']='3']] 
      and
      *[EventData[Data[@Name="IpAddress"] and (Data="10.10.22.*")]]
   </Select>
  </Query>
</QueryList>

Both doesn't work =(

score 1 · Answer 1 · answered Dec 23 '18 at 03:20

It looks like this question was answered here. Short answer is wildcards are not supported in XPath 1.0, which Windows event logging uses. You'd have to filter again after exporting the events first. Provide the use case and maybe get some other ideas for achieving your goal.

Filter Windows Event Security logs by a range of Source IP Address

1 Answers1