This may help: http://msdn.microsoft.com/en-us/library/bb399427.aspx
In my experience, I've been able to muddle through whenever I've needed to write something, but it takes me 10 times longer than it probably should. I'm far from an expert when it comes to searching XML.

________________________________________
From: Ben Scott [[email protected]]
Sent: Friday, October 16, 2009 9:01 AM
To: NT System Admin Issues
Subject: Re: Windows Event Log filtering with XPath (Vista/2008)

On Fri, Oct 16, 2009 at 8:45 AM, Michael B. Smith <[email protected]> wrote:
> Have you seen the XPath reference document?
>
> http://msdn.microsoft.com/en-us/library/ms256115.aspx

Yah, but I'm having trouble aligning that with what I see in the Event Log filters.

Here's one of the XPath query examples from Microsoft's document:

author[not(last-name = "Bob")]

Here's one of the more complicated XPath examples I've been able to find, from a third-party document:

//GGG/ancestor::* | //GGG/descendant::* | //GGG/following::* | //GGG/preceding::* | //GGG/self::*

And here's what an Event Log filter looks like:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[system[provid...@name="Microsoft-Windows-Security-Auditing"] and (EventID=4624)] and eventdata[da...@name="LogonType"] = "2"]]
    </Select>
  </Query>
</QueryList>

I'm guessing what an Event Log filter does is wrap an XPath query in some XML, but I'm not at all sure of the semantics of that XML, especially when multiple SELECT and QUERY elements are involved. I also don't get how that query is anything like all the other XPath query examples I've seen.

I keep trying to go back to basics, and I'm not finding any common ground between all these XPath tutorials and what Event Log actually does.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
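Added example for the thread above (editor's addition, not code from either poster or from Microsoft's documents). It shows the Event Log filter format in full and how it relates to the XPath examples Ben quotes: the text inside each Select is an ordinary XPath 1.0 expression of the same shape as author[not(last-name = "Bob")], a node test followed by a predicate, except that the node test is * (the single <Event> element each record is evaluated as) and the Event Log only supports a subset of XPath 1.0 and ignores the Event schema namespace. The wrapper XML supplies what XPath alone cannot: Path names the channel to read, several Select elements in one Query are OR'ed, Suppress subtracts matches, and each Query in the QueryList is evaluated separately with the results merged. Assumptions: a Windows host, an elevated PowerShell session (the Security log needs it), and that the second Select, the Suppress clause and the System-log query are illustrative choices rather than anything the thread asked for.

```powershell
# Editor's added example, not from the thread. Requires Windows and an
# elevated session; the event IDs and provider name are the standard
# Windows Security Auditing ones. The XML is the same format Event Viewer
# stores for a custom view, so it can be pasted into the "XML" tab there.
$filter = @"
<QueryList>
  <!-- Id is just a label for this query; Path is the channel to read. -->
  <Query Id="0" Path="Security">
    <!-- Each Select holds one XPath predicate evaluated against every
         <Event> in the channel. Several Selects are OR'ed together. -->
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
               and (EventID=4624)]
        and EventData[Data[@Name='LogonType']='2']]
    </Select>
    <!-- Second Select: failed logons, any logon type. -->
    <Select Path="Security">
      *[System[(EventID=4625)]]
    </Select>
    <!-- Suppress removes events that a Select above would have returned. -->
    <Suppress Path="Security">
      *[EventData[Data[@Name='TargetUserName']='ANONYMOUS LOGON']]
    </Suppress>
  </Query>
  <!-- A second Query reads a different channel; results are merged. -->
  <Query Id="1" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
  </Query>
</QueryList>
"@

# Get-WinEvent -FilterXml takes an XmlDocument, so cast the here-string.
Get-WinEvent -FilterXml ([xml]$filter) -MaxEvents 50 |
    Select-Object TimeCreated, Id, ProviderName, Message
```

The first Select is the filter from Ben's message written out without the mangled attribute names: Provider and Data are child elements of System and EventData, and @Name is the attribute being compared, which is why the predicate nests the way it does. Get-WinEvent returns the union of both queries minus anything the Suppress clause matches, which is the same result Event Viewer shows when the XML is loaded as a custom view.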
