Still trying to figure this one out. Very strange. This works:
get-winEvent -logName Security -FilterXpath "*[System[(EventID=4624)] and EventData[(Data[@Name='LogonProcessName'] = 'Kerberos')]]" -computer MyDC01 |
ft @{n="TargetUserSid";e={$_.properties[4].value}},@{n="LogonProcessName";e={$_.properties[9].value}}
But none of the other values for LogonProcessName work (NTLM, Advapi,
NtLmSsp). I still get:
"No events were found that match the specified selection criteria"
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise
Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]
The Guardian Life Insurance Company of America
www.guardianlife.com
----- Forwarded by Christopher Bodnar/TheGuardian on 08/14/2014 12:27 PM -----
From: Christopher Bodnar/TheGuardian
To: [email protected]
Date: 08/12/2014 05:18 PM
Subject: -FilterXpath help
Can someone help me with this? This works (lines may wrap):
get-winEvent -logName Security -FilterXpath "*[System[(EventID=4624)] and EventData[(Data[@Name='LogonProcessName'])]]" -computer MyDC01 |
ft @{n="TargetUserSid";e={$_.properties[4].value}},@{n="LogonProcessName";e={$_.properties[9].value}}
But this does not:
get-winEvent -logName Security -FilterXpath "*[System[(EventID=4624)] and EventData[(Data[@Name='LogonProcessName'] = 'Advapi')]]" -computer MyDC01 |
ft @{n="TargetUserSid";e={$_.properties[4].value}},@{n="LogonProcessName";e={$_.properties[9].value}}
I would like to filter by the value of the LogonProcessName if possible.
Thanks
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise
Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]
The Guardian Life Insurance Company of America
www.guardianlife.com
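An added example, not part of the original thread, that bears on both messages above. In the Security log the LogonProcessName field of event 4624 is blank-padded to a fixed width: 'Kerberos' is exactly eight characters, while values such as 'Advapi' and 'NtLmSsp' are stored with trailing spaces, so an exact XPath comparison against the unpadded word returns no events. The script first prints the raw values between angle brackets so the padding is visible, then filters on the trimmed value client-side, and finally shows how the exact padded literal can be put back into the XPath for server-side filtering. The computer name MyDC01 comes from the thread; the -MaxEvents cap and the two-space padding in the last step are assumptions, to be replaced with whatever the diagnostic prints.

```powershell
# Added example, not from the original thread. Assumes the caller can read the
# Security log on MyDC01 (the computer name used in the thread).
$Computer  = 'MyDC01'
$MaxEvents = 500   # assumed cap so the diagnostic returns quickly

# Step 1: pull 4624 events with the same XPath shape as the thread, but without
# the LogonProcessName comparison, so every raw value reaches the client.
$xpath  = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonProcessName']]]"
$events = Get-WinEvent -ComputerName $Computer -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents

# Step 2: show each distinct raw value between angle brackets. Trailing spaces
# become visible, e.g. <Advapi  > or <NtLmSsp > next to <Kerberos>, which is why
# an exact XPath comparison against 'Advapi' matches nothing.
$events |
    Group-Object { $_.Properties[9].Value } |
    Select-Object @{n='RawLogonProcessName'; e={ "<$($_.Name)>" }},
                  @{n='Length';              e={ $_.Name.Length }},
                  Count |
    Sort-Object Count -Descending

# Step 3: filter on the trimmed value client-side. This works for every logon
# process regardless of how the field is padded.
$wanted = 'Advapi'
$events |
    Where-Object { $_.Properties[9].Value.Trim() -eq $wanted } |
    Format-Table @{n='TimeCreated';      e={ $_.TimeCreated }},
                 @{n='TargetUserSid';    e={ $_.Properties[4].Value }},
                 @{n='TargetUserName';   e={ $_.Properties[5].Value }},
                 @{n='LogonType';        e={ $_.Properties[8].Value }},
                 @{n='LogonProcessName'; e={ $_.Properties[9].Value }}

# Step 4: once the padded literal is known from step 2, it can go straight into
# the XPath so the filtering happens on the server. The two trailing spaces
# below are an assumption; paste the exact string that step 2 printed.
$padded     = 'Advapi  '
$serverSide = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonProcessName'] = '$padded']]"
Get-WinEvent -ComputerName $Computer -LogName Security -FilterXPath $serverSide -MaxEvents $MaxEvents |
    Format-Table TimeCreated, @{n='LogonProcessName'; e={ "<$($_.Properties[9].Value)>" }}
```

Step 2 is the check worth running first: the Length column tells you how many trailing spaces the server stores for each logon process, and the step 3 filter is the one to keep in detection scripts, since trimming on the client side does not depend on the padding width at all.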