In the new Windows Event Log introduced with Vista (and also in Server 2008), there's a much-improved filtering capability. It offers the ability to get quite specific (beyond the GUI), by writing queries in something it calls "XPath". I've been trying to find a comprehensive treatment of how this works.
Google quickly finds lots of info on a W3C standard called "XPath". I've been giving some of that a quick read, and... it doesn't seem to be quite the same thing. It looks like it has some similar elements, but not exactly the same thing. In particular, everything I've seen on the web seems to use slashes to separate hierarchy, e.g., "/foo/bar/baz". But the Event Log XPath seems to use nested square brackets, e.g., "[foo[bar[baz]]]". Also, everything says XPath is not itself XML, but the filters clearly have some XML in them.

I'm sure my confusion is because I'm missing some fundamentals, but I'm not sure where to get those fundamentals from.

Google also finds lots of specific Q&A cases for Event Log filters in particular. I even found the case I was presently dealing with -- find all interactive logons in the "Security" log[1]. But I have no real understanding; I'm just cargo culting. I hate that.

[1] = http://www.open-a-socket.com/index.php/2009/04/08/using-xpath-queries-to-filter-events-in-windows-server-2008/

I was hoping for a Microsoft tech reference on this, but I can't find one. Anyone have suggestions? I'm happy to buy a good book, if there is one.

advTHANKSance

-- Ben
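An added example, not part of Ben's post or of the linked article, showing the filter the post refers to (interactive logons in the Security log) in both forms the Event Log accepts. The outer `<QueryList>/<Query>/<Select>` XML is a Windows container that Event Viewer writes out; the string inside `<Select>` is the actual XPath, and that is the part the W3C material describes. The square brackets are ordinary XPath predicates applied to the root `*` (the `<Event>` element): `*[System[EventID=4624]]` reads "an Event whose System child has an EventID of 4624", which is the predicate spelling of the `/Event/System[EventID=4624]` slash style seen on the web. The Event Log implements only a subset of XPath 1.0, which is why some expressions from general tutorials are rejected. Event ID 4624 (successful logon) and `LogonType` 2 (interactive) are standard Windows Security log values assumed here, not values taken from the post; the script assumes it runs elevated, since the Security log is not readable by standard users.

```powershell
# Added example (not from the original post): the same interactive-logon filter
# as a bare XPath string and as the XML-wrapped structured query, run with
# Get-WinEvent. Assumes an elevated PowerShell session (Security log access)
# and PowerShell 2.0 or later, which introduced Get-WinEvent.

# Form 1: bare XPath. The leading '*' is the <Event> element; each [...] is a
# predicate narrowing which Events match. 'and' joins two predicates on the
# same Event. Data[@Name='LogonType'] selects the EventData field by its name.
$xpath = "*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='2']]"

Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 10 -ErrorAction SilentlyContinue

# Form 2: the structured XML query, which is what Event Viewer's "XML" tab shows.
# Only the text inside <Select> is XPath; the surrounding elements are a Windows
# container that lets one query span several logs and add <Suppress> clauses.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType']='2']]
    </Select>
  </Query>
</QueryList>
"@

# Flatten each matching event's EventData into a small object for review.
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    } | Format-Table -AutoSize

# The same XPath works outside PowerShell via the built-in wevtutil tool
# (Vista / Server 2008), which takes the bare XPath in /q: :
#   wevtutil qe Security /q:"$xpath" /c:10 /rd:true /f:text
```

The usual trap is the closing `'`/`"` quoting inside `Data[@Name='LogonType']='2'`: the value comparison is a string, so write `'2'` rather than `2`, and keep the whole XPath in double quotes so the inner single quotes survive. Reading `Get-WinEvent -FilterXml` as "the XPath with an XML envelope" is the short answer to the post's puzzle about filters that "clearly have some XML in them".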
