Still trying to figure this one out. Very strange. This works:

get-winEvent -logName Security -FilterXpath "*[System[(EventID=4624)] and EventData[(Data[@Name='LogonProcessName'] = 'Kerberos')]]" -computer MyDC01 | ft @{n="TargetUserSid";e={$_.properties[4].value}},@{n="LogonProcessName";e={$_.properties[9].value}}

But none of the other values for LogonProcessName work (NTLM, Advapi, NtLmSsp). I still get:

"No events were found that match the specified selection criteria"

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com
The Guardian Life Insurance Company of America
www.guardianlife.com

----- Forwarded by Christopher Bodnar/TheGuardian on 08/14/2014 12:27 PM -----

From: Christopher Bodnar/TheGuardian
To: NTSysADM@lists.myitforum.com
Date: 08/12/2014 05:18 PM
Subject: -FilterXpath help

Can someone help me with this? This works (lines may wrap):

get-winEvent -logName Security -FilterXpath "*[System[(EventID=4624)] and EventData[(Data[@Name='LogonProcessName'])]]" -computer MyDC01 | ft @{n="TargetUserSid";e={$_.properties[4].value}},@{n="LogonProcessName";e={$_.properties[9].value}}

But this does not:

get-winEvent -logName Security -FilterXpath "*[System[(EventID=4624)] and EventData[(Data[@Name='LogonProcessName'] = 'Advapi')]]" -computer MyDC01 | ft @{n="TargetUserSid";e={$_.properties[4].value}},@{n="LogonProcessName";e={$_.properties[9].value}}

I would like to filter by the value of the LogonProcessName if possible.

Thanks

Christopher Bodnar
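
Added example, not part of the original thread: a way to check whether the stored LogonProcessName values differ from the strings used in the filter (for instance by trailing whitespace, which is an assumption here and not something the thread confirms) and to filter on the trimmed value after retrieval. The function names and the sample XML are constructed for illustration.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Get-LogonProcessName {
    # Input: event XML as returned by $record.ToXml(). Output: the raw field value.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $node = ([xml]$EventXml).SelectSingleNode(
            "//*[local-name()='Data'][@Name='LogonProcessName']")
        if ($node) { $node.InnerText }   # whitespace inside the value is kept
    }
}

function Select-ByLogonProcess {
    # Client-side filter on the trimmed value; takes Get-WinEvent output.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Record,
        [Parameter(Mandatory)][string[]]$Name
    )
    process {
        $raw = $Record.ToXml() | Get-LogonProcessName
        if ($raw -and ($Name -contains $raw.Trim())) { $Record }
    }
}

# Constructed sample events; the trailing spaces are the assumption being tested.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$samples = 'Kerberos', 'Advapi  ', 'NtLmSsp ' | ForEach-Object {
    "<Event xmlns='$ns'><EventData><Data Name='LogonProcessName'>$_</Data></EventData></Event>"
}

# Brackets and length make any padding visible in the output.
$samples | Get-LogonProcessName | ForEach-Object { '[{0}] length {1}' -f $_, $_.Length }

# Live use (MyDC01 is the host name from the thread):
# $events = Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4624)]]" `
#               -ComputerName MyDC01 -MaxEvents 500
# $events | ForEach-Object { '[{0}]' -f ($_.ToXml() | Get-LogonProcessName) } | Sort-Object -Unique
# $events | Select-ByLogonProcess -Name 'Advapi', 'NtLmSsp'
```

The event log XPath dialect is a limited subset of XPath 1.0, so the trimming is done in PowerShell after retrieval rather than inside the query.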