Home / server / Questions / 679640
Accepted
Justin
Asked: 2015-04-01 10:05:54 +0800 CST

Trying to filter AccessList = %%1537 in event viewer :/

  • 772

I've got file auditing enabled and I'd like to be able to filter for a given user action. I have set up an XML filter that's pretty basic, but I can't seem to get it to work. I've got it working with a couple of eventdata categories other than AccessList such as HandleId and SubjectUserName.

<QueryList> 
 <Query Id="0" Path="Security"> 
  <Select Path="Security"> 
   *[EventData[Data[@Name='AccessList'] and (Data='%%1537')]] 
  </Select> 
 </Query> 
</QueryList>

I'm trying to find the following:

<Event>
 <EventData>
  <Data Name="AccessList">%%1537</Data>
 </EventData>
</Event>

Can anyone offer some guidance?

windows-server-2008-r2

2 Answers

  1. Best Answer

    You need to add &#xD;&#xA;&#x09;&#x09;&#x09;&#x09; after %%1537

    &#x09; -- the Tab

    &#xA; -- newline

    &#xD; -- carriage return

    <QueryList> 
 <Query Id="0" Path="Security"> 
  <Select Path="Security"> 
   *[EventData[Data[@Name='AccessList'] and (Data='%%1537&#xD;&#xA;&#x09;&#x09;&#x09;&#x09;')]] 
  </Select> 
 </Query> 
</QueryList>

    Reference: https://social.technet.microsoft.com/Forums/windowsserver/en-US/bd136cf0-fb9e-48a1-ae2f-3cd4290ab973/issue-with-custom-build-xml-query-in-event-viewer?forum=winserverpowershell

    • 2

  2. You could use hex value instead of schema value,

    Eg. %%1537 = 0x10000

    So the query will be,

    <QueryList> 
 <Query Id="0" Path="Security"> 
  <Select Path="Security"> 
   *[EventData[Data[@Name='AccessList'] and (Data='0x10000')]] 
  </Select> 
 </Query> 
</QueryList>
    • 0