XPath Examples
The following examples describe XPath queries you can use in WinCollect 10 to retrieve customized events from the Windows event logs.
Retrieving DNS analytic logs
In this example, the query retrieves all events that are captured in DNS analytic logs.
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DNSServer/Analytical">
    <Select Path="Microsoft-Windows-DNSServer/Analytical">*</Select>
  </Query>
</QueryList>
Retrieving Sysinternals Sysmon events
In this example, the query retrieves all events that are captured by Sysinternals Sysmon.
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
Monitoring events for a specific user
In this example, the query retrieves events from all Windows event logs for the guest user.
<QueryList>
  <Query Id="0" Path="Application">
    <!-- The SID is compared literally, so it must contain no surrounding whitespace. -->
    <Select Path="Application">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="Security">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="Setup">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
    <Select Path="System">*[System[(Level=4 or Level=0) and Security[@UserID='S-1-5-21-3709697454-1862423022-1906558702-501']]]</Select>
  </Query>
</QueryList>
Credential logon for Windows 2008
In this example, the query retrieves specific event IDs from the Security log for Information-level events that are associated with account authentication in Windows 2008.
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Comparison operators inside the XPath must be XML-escaped (&lt;= and &gt;=), or the query is not well-formed. -->
    <Select Path="Security">*[System[(Level=4 or Level=0) and ( (EventID &gt;= 4776 and EventID &lt;= 4777) )]]</Select>
  </Query>
</QueryList>
| Event ID | Description |
|---|---|
| 4776 | The domain controller attempted to validate credentials for an account. |
| 4777 | The domain controller failed to validate credentials for an account. |
Retrieving events based on user
In this example, the query filters on event IDs to retrieve account-management events that are recorded on a fictional computer named Password_DB, which hosts a user password database.
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Comparison operators inside the XPath must be XML-escaped (&lt;= and &gt;=), or the query is not well-formed. -->
    <Select Path="Security">*[System[(Computer='Password_DB') and (Level=4 or Level=0) and (EventID=4720 or (EventID &gt;= 4722 and EventID &lt;= 4726) or (EventID &gt;= 4741 and EventID &lt;= 4743) )]]</Select>
  </Query>
</QueryList>
| Event ID | Description |
|---|---|
| 4720 | A user account was created. |
| 4722 | A user account was enabled. |
| 4723 | An attempt was made to change the password of an account. |
| 4724 | An attempt was made to reset the password of an account. |
| 4725 | A user account was disabled. |
| 4726 | A user account was deleted. |
| 4741 | A user account was created. |
| 4742 | A user account was changed. |
| 4743 | A user account was deleted. |
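As an added example (not from the WinCollect documentation), the following Python builds Security-log queries in the same shape as the two event-ID queries above from a plain list of IDs, and checks that the result is well-formed XML. The point it makes concrete is that the comparison operators inside <Select> must be escaped as &lt;= and &gt;=, which a hand-typed query easily gets wrong. All function names are the example's own.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def id_ranges(event_ids):
    """Collapse event IDs into sorted, contiguous (low, high) runs."""
    runs = []
    for eid in sorted(set(event_ids)):
        if runs and eid == runs[-1][1] + 1:
            runs[-1][1] = eid
        else:
            runs.append([eid, eid])
    return [tuple(r) for r in runs]


def event_id_clause(event_ids):
    """Render runs in the (EventID=n or (EventID >= a and EventID <= b)) form used above."""
    parts = []
    for lo, hi in id_ranges(event_ids):
        parts.append(f"EventID={lo}" if lo == hi
                     else f"(EventID >= {lo} and EventID <= {hi})")
    return "(" + " or ".join(parts) + ")"


def build_query(channel, event_ids, computer=None, levels=(4, 0)):
    """Build a QueryList selecting the given IDs at Level 4/0 (Information/LogAlways) from one channel."""
    conds = []
    if computer:
        conds.append(f"(Computer='{computer}')")
    conds.append("(" + " or ".join(f"Level={lvl}" for lvl in levels) + ")")
    conds.append(event_id_clause(event_ids))
    xpath = "*[System[" + " and ".join(conds) + "]]"
    # A bare '<' is illegal in XML text, so '<=' must become '&lt;=' (escape() also rewrites '>' and '&').
    return (f'<QueryList><Query Id="0" Path="{channel}">'
            f'<Select Path="{channel}">{escape(xpath)}</Select>'
            '</Query></QueryList>')


def is_well_formed(query_xml):
    """True if the QueryList parses as XML; a raw '<=' inside <Select> fails this check."""
    try:
        ET.fromstring(query_xml)
        return True
    except ET.ParseError:
        return False


def select_xpath(query_xml):
    """Return the XPath of the first <Select> with entities decoded, i.e. as the event log engine sees it."""
    return ET.fromstring(query_xml).find("./Query/Select").text
```

Paste the generated QueryList into the WinCollect XPath query field, or test it locally on the host with Event Viewer's "Filter Current Log > XML" tab before deploying it.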