none
Event log filter to exclude a specific Target Account Name RRS feed

  • Question

  • I'm currently using the following XPath filter to show logs for user account creations and deletions:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4720 or EventID=4726)]]</Select>
      </Query>
    </QueryList>

    Is there a way for me to exclude a Target Account Username (not a Subject Account Username)?  Basically, I want to see events when user accounts are created or deleted except for a specific user account.

    Thursday, August 29, 2019 2:48 PM

All replies

  • Hi Edd B,

    Please provide more context and details.

    It is not clear what API you are using.

    What is the structure of the XML you are querying?

    Thursday, August 29, 2019 2:55 PM
  • I've setup a subscription to do Event log forwarding on a Windows 2012 R2 server.  The previous post is the XML\XPath Query Filter I am currently using for the Events to collect on the subscription.
    Thursday, August 29, 2019 7:15 PM