Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

XPath Examples

The following examples describe XPath queries you can use in WinCollect 10 to retrieve customized events from the Windows event logs.

Retrieving DNS analytic logs

In this example, the query retrieves all events that are captured in DNS analytic logs.

Retrieving Sysinternals Sysmon events

In this example, the query retrieves all events that are captured by SysInternals Sysmon.

Monitoring events for a specific user

In this example, the query retrieves events from all Windows event logs for the guest user.

Credential logon for Windows 2008

In this example, the query retrieves specific event IDs from the security log for Information-level events that are associated with the account authentication in Windows 2008.
Table 1: Examples of event IDs used in credential logon
Event ID Description
4776 The domain controller attempted to validate credentials for an account.
4777 The domain controller failed to validate credentials for an account.

Retrieving events based on user

In this example, the query examines event IDs to retrieve specific events for a user account that is created on a fictional computer that contains a user password database.
Table 2: Examples of event IDs used in credential logon
Event ID Description
4720 A user account was created.
4722 A user account was enabled.
4723 An attempt was made to change the password of an account.
4724 An attempt was made to reset password of an account.
4725 A user account was disabled.
4726 A user account was deleted.
4741 A user account was created.
4742 A user account was changed.
4743 A user account was deleted.