
How to write event log rules that filter on something other than EventData


Normally, when we write event log rules, they are simple. We filter on criteria such as event ID, event source, event level, or even event parameters. These are standardized in SCOM and cover 99% of the events we encounter.


I recently came across a situation where these will not work. A customer wanted to monitor the Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational event log, looking for events where a certificate is imported, but matching on a specific subjectname.

This event is 1006.

The problem is that this event has no <EventData> section, which normally holds the event description and all the parameters we would use.

So we have no good way to filter on the <UserData> section.

However, we CAN use a filter using regex in an XPathQuery. Here is an example:


//*[name()='SubjectNames']/*[name()='SubjectName']

This expression states that in the event XML payload, if there is ANY match for /SubjectNames/SubjectName based on my criteria, then it will pass the expression filter.

Here is an XML example of the same expression being used:

<Expression>
  <And>
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="UnsignedInteger">1006</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="String">//*[name()='SubjectNames']/*[name()='SubjectName']</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="String">CN=ws2022.opsmgr.net</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
  </And>
</Expression>
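To sanity-check the filter logic offline before deploying the rule, here is an added example (not from the original post, and not SCOM code) that applies the same two conditions in Python to constructed sample events. The `CertDetails` wrapper, the helper names and every subject other than CN=ws2022.opsmgr.net are assumptions. It also shows why the expression is written with `*[name()='...']`: the event's elements inherit the event schema's default namespace, so a plain `//SubjectNames/SubjectName` path selects nothing.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows event schema; every child of <Event> inherits it.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def make_event(eid, subjects):
    """Build a CONSTRUCTED sample event. Only the event ID, <UserData> and
    SubjectNames/SubjectName come from the article; CertDetails is made up."""
    names = "".join(f"<SubjectName>{s}</SubjectName>" for s in subjects)
    return (f'<Event xmlns="{EVENT_NS}">'
            f"<System><EventID>{eid}</EventID></System>"
            f"<UserData><CertDetails><SubjectNames>{names}</SubjectNames>"
            f"</CertDetails></UserData></Event>")

def local(tag):
    """Strip ElementTree's '{namespace}' prefix, leaving the bare element name."""
    return tag.rsplit("}", 1)[-1]

def subject_names(root):
    """Namespace-agnostic walk, mirroring
    //*[name()='SubjectNames']/*[name()='SubjectName']."""
    return [child.text or ""
            for el in root.iter() if local(el.tag) == "SubjectNames"
            for child in el if local(child.tag) == "SubjectName"]

def naive_subject_names(event_xml):
    """Plain path without namespace handling: finds nothing in a namespaced event."""
    root = ET.fromstring(event_xml)
    return [e.text for e in root.findall(".//SubjectNames/SubjectName")]

def event_id(root):
    for el in root.iter():
        if local(el.tag) == "EventID":
            return int(el.text)
    return None

def rule_matches(event_xml, wanted_subject, wanted_id=1006):
    """Both conditions of the <And>: event ID equals 1006 and ANY SubjectName
    is exactly equal to the wanted value."""
    root = ET.fromstring(event_xml)
    return event_id(root) == wanted_id and wanted_subject in subject_names(root)

if __name__ == "__main__":
    wanted = "CN=ws2022.opsmgr.net"
    for ev in (make_event(1006, [wanted]),
               make_event(1006, ["CN=other.example", wanted]),
               make_event(1006, ["CN=ws2022.opsmgr.net.example"]),
               make_event(1007, [wanted])):
        print(rule_matches(ev, wanted), naive_subject_names(ev))
```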

 

 
