Advanced XML Filering in the Windows Event Viewer

Post author:admin
Post published:September 1, 2016
Post category:IT / Microsoft / Uncategorized / Windows Server

I was trying to filter events on DC to check for NTLM & kerberos authentication. There are limitations using basic filtering.

I can use XML filtering and Custom Views.Custom Views using XML filtering are a powerful way to drill through event logs and only display the information you need. With Custom Views, you can filter on data in the event. To create a Custom View based on the username, right click Custom Views in the Event Viewer and choose Create Custom View.

Click the XML Tab, and check Edit query manually. Click ok to the warning popup. In this window, you can type an XML query. For this example, we want to filter by AuthenticationPackageName, so the XML query is:

<QueryList>
<Query Id=”0″ Path=”Security”>
<Select Path=”Security”>*[EventData[Data[@Name=”AuthenticationPackageName”] = “NTLM“] and System[(EventID=4624)]]</Select>
</Query>
</QueryList>

<QueryList>
<Query Id=”0″ Path=”Security”>
<Select Path=”Security”>*[EventData[Data[@Name=”AuthenticationPackageName”] = “Kerberos“] and System[(EventID=4624)]]</Select>
</Query>
</QueryList>

I am a goal-oriented Infrastructure System Engineer and Information System Security Officer with over 10 years’ of experience in planning and implementation of network, servers, virtualization and security technologies . Background includes hands-on experience with multi-platform, LAN/WAN environments, assessing and implementation of security controls in using ODAA and RMF guidance. Demonstrated record of success in migrating, troubleshooting Servers and increasing efficiency.

You Might Also Like

Windows Password GPO: Increase minimum password length to 15 or more characters

Nessus Findings: SQL Server Using Self-signed Certificate And SHA-1

Rebooting a server/workstation remotely