I am working on an Event Log XML query via PowerShell to collect the logoff events for a manually specified time range in the Security logs. I have the PowerShell code working...just having issues with the XML query and the results it's returning.
So far, this is my code:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='LogonType'] and (Data ='3')]]
      and *[EventData[Data[@Name='TargetUserName'] != 'ComputerA$']]
      and *[EventData[Data[@Name='TargetUserName'] != 'ComputerB$']]
      and *[EventData[Data[@Name='TargetUserName'] != 'ComputerC$']]
      and *[EventData[Data[@Name='TargetUserName'] != 'ComputerD$']]
      and *[EventData[Data[@Name='TargetUserName'] != 'ComputerE$']]
      and *[EventData[Data[@Name='TargetUserName'] != 'ComputerF$']]
      and *[System[(EventID='4634')]]
    </Select>
  </Query>
</QueryList>
The idea is to query any Event ID of 4634 (Logoff) with the LogonType of 3. I need to exclude a few servers and usernames from the results as they are the Solarwinds monitoring service accounts, etc.
When I have Computer A - E in the XML query, the query works as expected. When I add Computer F to refine the results further, the query goes crazy and starts returning results for EventID 4624, 4634, 4672 and has results that include TargetUserName of the ones I excluded in the XML statement above.
Why does adding ComputerF to the XML list cause the query to not function properly? Am I hitting some limitation in the XML filter?
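An added example (not from the original post) of the same collection done a different way: the XPath is kept to the event ID, logon type and time window, and the account exclusions are applied in PowerShell, so the filter does not grow by one expression per excluded account. The time range and the excluded account names are placeholders, and it assumes the caller can read the Security log.

```powershell
# Added example, not the poster's code. Collect 4634 (logoff) events with LogonType 3
# for a time window and drop service/computer accounts in PowerShell, not in the XPath.
# The window and the exclusion list below are placeholders.
$start = (Get-Date).AddDays(-1)
$end   = Get-Date

# Event log XPath compares @SystemTime in UTC, so format the bounds that way.
$fmt      = 'yyyy-MM-ddTHH:mm:ss.fffZ'
$startUtc = $start.ToUniversalTime().ToString($fmt)
$endUtc   = $end.ToUniversalTime().ToString($fmt)

# Accounts to leave out of the report (placeholder names).
$excluded = @('ComputerA$','ComputerB$','ComputerC$','ComputerD$','ComputerE$','ComputerF$')

# Keep the XPath small: one System predicate and one EventData predicate.
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4634) and
               TimeCreated[@SystemTime&gt;='$startUtc' and @SystemTime&lt;='$endUtc']]
        and EventData[Data[@Name='LogonType']='3']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml ([xml]$xml) -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Read EventData by field name via the event XML instead of relying on property order.
    $e = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated    = $_.TimeCreated
        TargetUserName = $data['TargetUserName']
        TargetDomain   = $data['TargetDomainName']
        LogonType      = $data['LogonType']
        TargetLogonId  = $data['TargetLogonId']
    }
} | Where-Object { $excluded -notcontains $_.TargetUserName } |
    Sort-Object TimeCreated
```

Because the exclusions live in a PowerShell array, adding a seventh or seventieth account changes nothing about the XPath that the event log service has to evaluate.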