Event Viewer Custom View

  • Question

  • Hi, 

    One of my customers needs to filter the Event Viewer security log for his branch office only. This is an additional domain controller. Currently he is viewing all the logon/logoff events for the entire organization. I referred to the URL below and created the XML query below. I tried using "192.168.1.0" and "192.168.1." to list all the computers related to that branch, but it was not successful. Is it possible to get results for the entire subnet or network (e.g. 192.168.1.0)? I selected "IpAddress" to filter the data, but if there is a better string for filtering the data, please be kind enough to advise me.

    <QueryList>
      <Query Id="0">
        <Select Path="Security">
          *[EventData[Data[@Name='IpAddress'] and (Data='192.168.1.20')]]
        </Select>
      </Query>
    </QueryList>

    Thanks,
    Thisaru.
    Monday, June 17, 2013 4:27 PM
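
Added example, not part of the original post: the event log's XPath 1.0 subset has no `starts-with` or `contains` functions, so a prefix such as "192.168.1." cannot match inside a custom view. One approach is to let XPath select events that carry an `IpAddress` field and do the subnet test in PowerShell. The /24 prefix length, the `-MaxEvents` limit and the helper name `Test-InSubnet` are assumptions.

```powershell
# Added example. Requires PowerShell 3.0+ and .NET 4.5+, run elevated on the DC.
# Subnet 192.168.1.0 is from the question; the /24 prefix length is assumed.
$Network   = [System.Net.IPAddress]::Parse('192.168.1.0')
$PrefixLen = 24

# Hypothetical helper: true when $Address parses and falls inside the subnet.
function Test-InSubnet {
    param([string]$Address, [System.Net.IPAddress]$Network, [int]$PrefixLen)
    $ip = $null
    # IpAddress is '-' or empty for many local logons; those never match.
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    # Addresses may be logged as IPv4-mapped IPv6 (::ffff:192.168.1.20).
    if ($ip.IsIPv4MappedToIPv6) { $ip = $ip.MapToIPv4() }
    if ($ip.AddressFamily -ne $Network.AddressFamily) { return $false }
    $a = $ip.GetAddressBytes()
    $n = $Network.GetAddressBytes()
    $bits = $PrefixLen
    # Compare the leading $PrefixLen bits, one byte at a time.
    for ($i = 0; $i -lt $a.Length -and $bits -gt 0; $i++) {
        $take = [Math]::Min(8, $bits)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
        $bits -= $take
    }
    return $true
}

# Same field test as the posted query, without pinning a single address.
$xpath = "*[EventData[Data[@Name='IpAddress']]]"

Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 |
    ForEach-Object {
        # Flatten <Data Name="...">value</Data> pairs into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (Test-InSubnet $data['IpAddress'] $Network $PrefixLen) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                User        = $data['TargetUserName']
                IpAddress   = $data['IpAddress']
            }
        }
    }
```

Events without an `IpAddress` field are not returned by this query, so they have to be correlated separately.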