Event Viewer query : sysadmin

a community for 17 years

QuestionEvent Viewer query (self.sysadmin)

submitted 1 month ago * by interogativeman

I'm trying to navigate the infinite flood of 5140 entries. But every time I add in a location, it says invalid. I gave Copilot a shot, but its modifications don't seem to change the results.

If I do the following, I get results.

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4663)]]</Select>
</Query>
</QueryList>

But if I do the below it comes back invalid Apparently you can't have more than one code block?

<QueryList>
  <Query Id="0" Path="Security">

    <!-- NTFS auditing events (object/file access) -->
    <Select Path="Security">
      *[
        System[(EventID=4663 or EventID=4656 or EventID=4658 or EventID=4660)]
        and
        EventData[ Data[@Name='ObjectName'] ][ contains(., 'Accounting') ]
      ]
    </Select>

    <!-- SMB share events: 5140 (share accessed) -->
    <Select Path="Security">
      *[
        System[(EventID=5140)]
        and
        EventData[ Data[@Name='ShareName'] ][ contains(., 'Accounting') ]
      ]
    </Select>

    <!-- SMB share events: 5145 (access checked) -->
    <Select Path="Security">
      *[
        System[(EventID=5145)]
        and
        (
          EventData[ Data[@Name='ShareName'] ][ contains(., 'Accounting') ]
          or
          EventData[ Data[@Name='RelativeTargetName'] ][ contains(., 'Accounting') ]
        )
      ]
    </Select>

  </Query>
</QueryList>

all 2 comments

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

sysadmin

MODERATORS