
Applications and Services Logs

 

Use the following reference information to create a log source that includes the XPath query that you copied from Event Viewer.

You must also configure parameters that are not specific to this plug-in.

Table 1: XPath Protocol Parameters

Parameter | Description/Action
Log Source Type | Microsoft Windows Security Event Log
Protocol Configuration | Select WinCollect.
Standard Log Types | Ensure that none of the log type check boxes are selected. The XPath query defines the log types for the log source.
Forwarded Events | Do not select this check box.
Event Types | Do not select any Event Type check boxes. The XPath query defines the log types for the log source.
XPath Query | The XPath query that you defined in Microsoft Event Viewer. To collect events by using an XPath query, you might be required to enable the Remote Event Log Management option on Windows 2008 and later.
WinCollect Agent | The WinCollect agent that manages this log source.

Creating XPath Queries

An XPath query is a log source parameter that filters the events that WinCollect retrieves from a Windows 2008 or newer event log, so that only the events you specify are collected.

XPath queries use XML notation and are available in JSA when you retrieve events by using the WinCollect protocol.

  1. Create an XPath query by using the Microsoft Event Viewer.

  2. In the Microsoft Event Viewer, create a custom view. The custom view that you create for the events of interest generates the corresponding XPath notation on its XML tab.

  3. Copy the generated XPath notation into the XPath Query parameter of your log source. The query then filters your incoming log source events to the specific event data that the custom view selects.

Note

To manually create your own XPath queries, you must be proficient with XPath 1.0 and with the event query syntax that Windows Event Log accepts.

Enabling Remote Log Management on Windows 7

You can enable remote log management only when your log source is configured to remotely poll other Windows operating systems. You can enable remote log management on Windows 7 for XPath queries.

  1. On your desktop, select Start > Control Panel.
  2. Click the System and Security icon.
  3. Click Allow a program through Windows Firewall.
  4. If prompted, click Continue.
  5. Click Change Settings.
  6. From the Allowed programs and features pane, select Remote Event Log Management.

    Depending on your network, you might need to correct or select more network types.

  7. Click OK.

Enabling Remote Log Management on Windows 2008

You can enable remote log management only when your log source is configured to remotely poll other Windows operating systems. You can enable remote log management on Windows Server 2008 for XPath queries.

  1. On your desktop, select Start > Control Panel.
  2. Click the Security icon.
  3. Click Allow a program through Windows Firewall.
  4. If prompted, click Continue.
  5. From the Exceptions tab, select Remote Event Log Management and click OK.

Enabling Remote Log Management on Windows 2008 R2 and Windows 2012 R2

You can enable remote log management only when your log source is configured to remotely poll other Windows operating systems. You can enable remote log management on Windows 2008 R2 and Windows 2012 R2 for XPath queries.

  1. On your desktop, select Start > Control Panel.
  2. Click the Windows Firewall icon.
  3. Click Allow a program through Windows Firewall.
  4. If prompted, click Continue.
  5. Click Change Settings.
  6. From the Allowed programs and features pane, select Remote Event Log Management check box.

    Depending on your network, you might need to correct or select more network types.

  7. Click OK.

Creating a Custom View

Use the Microsoft Event Viewer to create custom views, which can filter events for severity, source, category, keywords, or specific users.

WinCollect supports up to 10 selected event logs in the XPath query. Event IDs that are suppressed do not contribute towards the limit.

WinCollect log sources can use XPath filters to capture specific events from your logs. To create the XML markup for your XPath Query parameter, you must create a custom view. You must log in as an administrator to use Microsoft Event Viewer.

XPath queries that use the WinCollect protocol do not support filtering of events by a time range (the TimeCreated element). Filtering events by a time range can lead to errors in collecting events.

  1. On your desktop, select Start > Run.
  2. Type the following command:

    Eventvwr.msc

  3. Click OK.
  4. If you are prompted, type the administrator password and press Enter.
  5. Click Action > Create Custom View.

    When you create a custom view, do not select a time range from the Logged list. The Logged list adds a TimeCreated element to the query, which is not supported in XPath queries for the WinCollect protocol.

  6. In Event Level, select the check boxes for the severity of events that you want to include in your custom view.
  7. Select an event source.
  8. Type the event IDs to filter from the event or log source.

    Use commas to separate IDs.

    The following list contains an individual ID and a range: 4133, 4511-4522

  9. From the Task Category list, select the categories to filter from the event or log source.
  10. From the Keywords list, select the keywords to filter from the event or log source.
  11. Type the user name to filter from the event or log source.
  12. Type the computer or computers to filter from the event or log source.
  13. Click the XML tab.
  14. Copy and paste the XML to the XPath Query field of your WinCollect log source configuration.

Note

    If you specify an XPath query for your log source, only the events that the query specifies are retrieved by the WinCollect protocol and forwarded to JSA. Check boxes that you select under Standard Log Type or Event Type are ignored by the log source configuration.

Configure a log source with the XPath query. For more information, see Applications and Services Logs.
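The following Python script is an added example, not part of the original page and not JSA or WinCollect code. It checks a query copied from the XML tab against the constraints this section states before you paste it into the XPath Query field: the XML must be well formed (Event Viewer writes comparisons as &gt;= and &lt;=, and a raw < breaks the query), at most 10 event logs may be selected (Suppress elements do not count), TimeCreated time-range filtering and Forwarded Events are not supported, and a UserID literal must be an exact SID with no surrounding whitespace. The sample queries inside the script are constructed for the example.

```python
"""Pre-flight checks for a WinCollect XPath query.

Added example, not JSA or WinCollect code. It encodes the constraints the
documentation states for the XPath Query parameter: well-formed XML that the
Windows Event Log API accepts, at most 10 selected event logs (Suppress
elements do not count), no TimeCreated time-range filtering, and no Forwarded
Events. The sample queries below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

MAX_SELECTED_LOGS = 10  # WinCollect limit stated in the documentation
USERID_RE = re.compile(r"@UserID\s*=\s*'([^']*)'")
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def lint_xpath_query(xml_text: str) -> list:
    """Return a list of problems; an empty list means the query passes."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Event Viewer writes comparisons as &gt;= and &lt;=; a raw '<' inside
        # the query text is not well-formed XML and the Event Log API rejects it.
        return [f"not well-formed XML: {exc}"]

    problems = []
    if root.tag != "QueryList":
        problems.append(f"root element is <{root.tag}>, expected <QueryList>")

    selects = root.findall(".//Select")
    if not selects:
        problems.append("no <Select> element, so the query matches nothing")

    # Only <Select> paths count toward the limit; <Suppress> paths do not.
    paths = {s.get("Path") for s in selects if s.get("Path")}
    if len(paths) > MAX_SELECTED_LOGS:
        problems.append(f"{len(paths)} selected logs exceed the limit of {MAX_SELECTED_LOGS}")
    if "ForwardedEvents" in paths:
        problems.append("Forwarded Events cannot be filtered with an XPath query")

    filters = [e.text or "" for e in selects + root.findall(".//Suppress")]
    if any("TimeCreated" in f for f in filters):
        problems.append("TimeCreated (time-range) filtering is not supported by the WinCollect protocol")

    for text in filters:
        for sid in USERID_RE.findall(text):
            if sid != sid.strip():
                problems.append(f"UserID {sid!r} has surrounding whitespace and will never match")
            elif not SID_RE.fullmatch(sid):
                problems.append(f"UserID {sid!r} is not a SID")
    return problems


# Constructed samples: the first is what Event Viewer emits for the
# credential-validation example; the others show the errors the checks catch.
GOOD_QUERY = """<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=4 or Level=0) and (EventID &gt;= 4776 and EventID &lt;= 4777)]]</Select>
  </Query>
</QueryList>"""

RAW_LT_QUERY = GOOD_QUERY.replace("&lt;=", "<=")  # unescaped '<' breaks the XML

TIME_SID_QUERY = """<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000] and Security[@UserID='S-1-5-21-1-2-3-501 ']]]</Select>
  </Query>
</QueryList>"""

TOO_MANY_LOGS_QUERY = (
    '<QueryList><Query Id="0">'
    + "".join(f'<Select Path="Log{i}">*</Select>' for i in range(11))
    + "</Query></QueryList>"
)

if __name__ == "__main__":
    for name, query in [("good", GOOD_QUERY), ("raw <", RAW_LT_QUERY),
                        ("time+sid", TIME_SID_QUERY), ("11 logs", TOO_MANY_LOGS_QUERY)]:
        print(name, "->", lint_xpath_query(query) or "OK")
```

Run it against the XML copied from the XML tab. A query that passes these checks can still be tried on the Windows host itself with Get-WinEvent -FilterXml before it is assigned to the WinCollect agent, which confirms that the channel names and the SID actually match events on that host.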

XPath Query Examples

Use the following XPath examples, which monitor events for a specific user and retrieve credential validation events, as a reference when you create your own XPath queries.

For more information about XPath queries, see your Microsoft documentation.

Example: Monitoring Events for a Specific User

In this example, the query retrieves Information-level events from the Application, Security, Setup, and System logs for the built-in Guest account, identified by its SID (relative identifier 501). Replace the SID with the SID of the account that you want to monitor, and make sure that the SID literal has no leading or trailing whitespace, because such a value never matches.

Note

XPath queries cannot filter Windows Forwarded Events.

    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
        <Select Path="Security">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
        <Select Path="Setup">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
        <Select Path="System">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
      </Query>
    </QueryList>

Example: Credential Logon for Windows 2008

In this example, the query retrieves Information-level credential validation events (event IDs 4776 and 4777) from the Security log. These events are logged on the computer that validates the credentials, which for domain accounts is the domain controller.

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(Level=4 or Level=0) and ( (EventID &gt;= 4776 and EventID &lt;= 4777) )]]</Select>
      </Query>
    </QueryList>

Table 2: Event IDs Used in Credential Logon Example

ID | Description
4776 | The domain controller attempted to validate the credentials for an account.
4777 | The domain controller failed to validate the credentials for an account.

In practice, failed validations are reported as event 4776 with a non-zero Status field (for example, 0xC000006A for a wrong password), so do not rely on event 4777 alone to detect failures.

Example: Retrieving Events Based on User

In this example, the query retrieves the account management event IDs listed in Table 3 from the Security log of a computer named Password_DB, a fictional host that holds a user password database. The Computer condition restricts the results to events that were logged on that host; the Computer element contains the name exactly as it appears in the event's System section (on domain-joined hosts, usually the fully qualified name), so match that form.

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(Computer='Password_DB') and (Level=4 or Level=0) and (EventID=4720 or (EventID &gt;= 4722 and EventID &lt;= 4726) or (EventID &gt;= 4741 and EventID &lt;= 4743) )]]</Select>
      </Query>
    </QueryList>

Table 3: Event IDs Used in Database Example

ID | Description
4720 | A user account was created.
4722 | A user account was enabled.
4723 | An attempt was made to change an account's password.
4724 | An attempt was made to reset an account's password.
4725 | A user account was disabled.
4726 | A user account was deleted.
4741 | A computer account was created.
4742 | A computer account was changed.
4743 | A computer account was deleted.

Example: Retrieving DNS Analytic Logs

In this example, the query retrieves all events that are captured in DNS analytic logs.

Example: Retrieving Events with Sysinternals Sysmon

In this example, the query retrieves all events that are captured by Sysinternals Sysmon.
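Because the DNS analytic and Sysmon examples above show no query text, and the earlier examples show only finished XML, the following Python script is an added example (not part of the original page and not JSA or WinCollect code) that builds the QueryList XML from the same inputs the custom-view dialog takes: the event logs, an event ID list with ranges in the 4133, 4511-4522 form, an optional user SID, and an optional computer name. It reproduces the Password_DB and Guest-account queries above and emits catch-all queries for the Sysmon and DNS analytic channels; those two channel names (Microsoft-Windows-Sysmon/Operational and Microsoft-Windows-DNSServer/Analytical) are assumptions of the example, not taken from the page. Values that go inside XPath string literals are rejected if they contain a quote, so a computer name or SID cannot break out of the filter.

```python
"""Build a WinCollect-style XPath query from the custom-view inputs.

Added example, not JSA or WinCollect code. It takes the inputs the Event
Viewer custom-view dialog takes (event logs, event IDs with ranges such as
"4133, 4511-4522", a user SID, a computer name) and emits the <QueryList>
XML shown in the documentation examples, with comparison operators escaped
the way Event Viewer writes them. The Sysmon and DNS analytic channel names
are assumptions of this example, not taken from the documentation.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

INFORMATION = "(Level=4 or Level=0)"  # what Event Viewer emits for "Information"
MAX_SELECTED_LOGS = 10                  # WinCollect limit for <Select> paths

# Assumed channel names (the usual names on hosts where these providers exist).
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
DNS_ANALYTIC_CHANNEL = "Microsoft-Windows-DNSServer/Analytical"


def parse_event_ids(spec: str) -> list:
    """Turn '4133, 4511-4522' into XPath clauses; a range becomes a >= / <= pair."""
    clauses = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {token!r}")
            clauses.append(f"(EventID >= {lo} and EventID <= {hi})")
        else:
            clauses.append(f"EventID={int(token)}")
    return clauses


def _literal(value: str) -> str:
    """Values are placed inside single quotes in the XPath; refuse anything that could break out."""
    value = value.strip()
    if "'" in value or not value:
        raise ValueError(f"invalid XPath string literal {value!r}")
    return value


def build_query(paths, event_ids="", user_sid=None, computer=None, level=INFORMATION) -> str:
    """Return <QueryList> XML that selects the given logs with one shared filter."""
    if not 1 <= len(paths) <= MAX_SELECTED_LOGS:
        raise ValueError(f"select between 1 and {MAX_SELECTED_LOGS} event logs")
    conditions = []
    if computer:
        conditions.append(f"(Computer='{_literal(computer)}')")
    if level:
        conditions.append(level)
    id_clauses = parse_event_ids(event_ids)
    if id_clauses:
        conditions.append("(" + " or ".join(id_clauses) + ")")
    if user_sid:
        conditions.append(f"Security[@UserID='{_literal(user_sid)}']")
    xpath = "*[System[" + " and ".join(conditions) + "]]" if conditions else "*"
    attr = {'"': "&quot;"}
    selects = "\n".join(
        f'    <Select Path="{escape(p, attr)}">{escape(xpath)}</Select>' for p in paths
    )
    xml = (f'<QueryList>\n  <Query Id="0" Path="{escape(paths[0], attr)}">\n'
           f"{selects}\n  </Query>\n</QueryList>")
    ET.fromstring(xml)  # self-check: the result must be well formed before it is pasted anywhere
    return xml


if __name__ == "__main__":
    print(build_query(["Security"], event_ids="4720, 4722-4726, 4741-4743", computer="Password_DB"))
    print(build_query([SYSMON_CHANNEL], level=None))        # every Sysmon event
    print(build_query([DNS_ANALYTIC_CHANNEL], level=None))  # every DNS analytic event
```

The catch-all queries use level=None, because Sysmon and the DNS analytic log write events at levels other than Information. Analytic channels such as the DNS one are disabled by default and must be enabled in Event Viewer (View > Show Analytic and Debug Logs) before any events are written to them.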