
How to write event log rules that filter on something other than EventData


Normally, when we write Event log rules, they are simple.  We filter on criteria such as event ID, event source, event level, or even event parameters.  These are standardized in SCOM and cover 99% of the events we encounter.


I recently came across a situation where these will not work.  A customer wanted to monitor the Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational event log, looking for events where a certificate is imported, but matching on a specific SubjectName.

This event is 1006:


The problem above is that there is no <EventData> section, which normally carries the event description and the parameters we would filter on.

Instead, the payload lives in a <UserData> section, and the standard rule criteria give us no good way to filter on it.

We CAN, however, filter on it using an XPathQuery expression. Here is an example:


//*[name()='SubjectNames']/*[name()='SubjectName']

This expression states that if ANY SubjectNames/SubjectName node anywhere in the event XML payload matches my criteria, the event passes the expression filter. That is what makes the example above work when a single event carries multiple Subject Names.

Here is an XML example of the same expression being used:

<Expression>
  <And>
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="UnsignedInteger">1006</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="String">//*[name()='SubjectNames']/*[name()='SubjectName']</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="String">CN=ws2022.opsmgr.net</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
  </And>
</Expression>

Here are some additional expression filter examples:

Essentially:  //* will search anywhere in the Event data payload.

To filter on a specific Account name:

//*[name()='CertNotificationData']/@AccountName

To filter on a specific Template Name:

//*[name()='Template']/@Name

To filter on a specific Process Name:

//*[name()='CertNotificationData']/@ProcessName

To filter on a specific Action, the expression is slightly different, because the value sits between two XML tags (element text) rather than in an attribute:

//*[name()='Action']

To filter on a specific Thumbprint:

//*[name()='CertificateDetails']/@Thumbprint

To filter on a specific EKU Name of Client Authentication with a specific OID:

//*[name()='EKU'][@Name='Client Authentication']/@OID
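As an added example, not code from the original post, the PowerShell below runs each XPathQuery expression above against a constructed 1006 event payload with Select-Xml, so you can confirm what a query actually selects before it goes into a rule. The sample event's element layout, namespace URI and Thumbprint are assumptions; only the element and attribute names come from the expressions in this post.

```powershell
# Added example, not code from the original post. The event XML is CONSTRUCTED to
# resemble a 1006 event: names follow the expressions above, namespace and Thumbprint are placeholders.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-Lifecycle-System" />
    <EventID>1006</EventID>
  </System>
  <UserData>
    <CertNotificationData xmlns="urn:example:constructed" AccountName="SYSTEM">
      <Action>Import</Action>
      <CertificateDetails Thumbprint="0000000000000000000000000000000000000000">
        <Template Name="Machine" />
        <SubjectNames>
          <SubjectName>CN=ws2022.opsmgr.net</SubjectName>
          <SubjectName>CN=ws2022.opsmgr.net,O=Contoso</SubjectName>
        </SubjectNames>
        <EKU Name="Client Authentication" OID="1.3.6.1.5.5.7.3.2" />
        <EKU Name="Server Authentication" OID="1.3.6.1.5.5.7.3.1" />
      </CertificateDetails>
    </CertNotificationData>
  </UserData>
</Event>
'@
$queries = [ordered]@{
  SubjectName   = "//*[name()='SubjectNames']/*[name()='SubjectName']"
  AccountName   = "//*[name()='CertNotificationData']/@AccountName"
  Template      = "//*[name()='Template']/@Name"
  Action        = "//*[name()='Action']"
  Thumbprint    = "//*[name()='CertificateDetails']/@Thumbprint"
  ClientAuthOID = "//*[name()='EKU'][@Name='Client Authentication']/@OID"
}
function Get-EventXPathValues {
  param([string]$EventXml, [string]$XPath)
  # Select-Xml runs the .NET XPath 1.0 engine, so name() matches elements in the
  # default namespace without declaring prefixes, the same trick the post relies on.
  Select-Xml -Content $EventXml -XPath $XPath | ForEach-Object {
    # Attribute selections (/@Name) carry .Value; element selections such as
    # Action or SubjectName carry the text between the tags in .InnerText.
    if ($_.Node -is [System.Xml.XmlAttribute]) { $_.Node.Value } else { $_.Node.InnerText }
  }
}
foreach ($q in $queries.GetEnumerator()) {
  $values = @(Get-EventXPathValues -EventXml $sampleEvent -XPath $q.Value)
  '{0,-14} {1}' -f $q.Key, ($values -join ' | ')
}
# An Equal filter passes if ANY selected SubjectName equals the value, as the post describes.
$subjects = @(Get-EventXPathValues -EventXml $sampleEvent -XPath $queries.SubjectName)
"Rule would match: $($subjects -contains 'CN=ws2022.opsmgr.net')"
```

To check against real events, replace $sampleEvent with the string returned by the ToXml() method of an event read with Get-WinEvent from the Operational log named above.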
