Windows 2008 R2 Event Log XML query wildcard syntax
I have been trying to use the XML filter capabilities with the Windows 2008 R2 event logs. I am attempting to narrow down the clear text binds that are occurring against the directory service. Event 2889 is logged in the Directory Services event log every time something attempts a clear text bind. A sample Event 2889 is below (XML version). I would like to filter the events based on IP address (the EventData/Data[1] element).

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" xml:lang="en-US">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="16384">2889</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2011-08-23T16:34:32.581728800Z" />
    <EventRecordID>4125653</EventRecordID>
    <Correlation />
    <Execution ProcessID="576" ThreadID="2868" />
    <Channel>Directory Service</Channel>
    <Computer>DOMAIN.CONTROLLER.FQDN</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>192.168.1.1:36095</Data>
    <Data>DOMAIN\USER</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.
The following three queries work as expected:

<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(EventID=2889)]] and *[EventData[Contains(Data[1]='192.168.1.1:36095')]]</Select>
  </Query>
</QueryList>

and

<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(EventID=2889)]] and *[EventData[Data and (Data="DOMAIN\USER")]] </Select>
  </Query>
</QueryList>

and

<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(EventID=2889)]] and *[EventData[Data[2]="DOMAIN\USER"]] </Select>
  </Query>
</QueryList>

The following queries do NOT work:

<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(EventID=2889)]] and *[EventData[Data and (Data="192.168.1.1")]] </Select>
  </Query>
</QueryList>

Returns zero results. Attempted wildcard use:

*[EventData[Data and (Data="192.168.1.1*")]] - Returns zero results.
*[EventData[Data and (Data="192.168.1.1:*")]] - Returns zero results.
*[EventData[Data and (Data='192.168.1.1*')]] - Returns zero results.
*[EventData[Data and (Data='192.168.1.1:*')]] - Returns zero results.

================

<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(EventID=2889)]] and *[EventData[Data[1]='192.168.1.1')]]</Select></Select>
  </Query>
</QueryList>

Returns zero results. Attempted wildcard use:

*[EventData[Data[1]="192.168.1.1*")]] - Returns zero results.
*[EventData[Data[1]="192.168.1.1:*")]] - Returns zero results.
*[EventData[Data[1]='192.168.1.1*')]] - Returns zero results.
*[EventData[Data[1]='192.168.1.1:*')]] - Returns zero results.

================

<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(EventID=2889)]] and *[EventData[contains(Data[1]='192.168.1.1')]</Select>
  </Query>
</QueryList>

Returns "The specified query is invalid".
I would like to filter the events based solely on the IP address of the client (192.168.1.1), regardless of the port number and regardless of the user. The client IP address can have many different ports and users, thus the IP address is key to calculating the amount and frequency of clear text binds. I have viewed the following TechNet links, but they did not provide any information.

1) http://social.technet.microsoft.com/Forums/en-US/itprovistaapps/thread/9257749e-cee8-4bd9-8994-dcae7e8bea6e/

My conclusion is that XPath wildcards cannot be used in this specific application; is that correct? Any help would be greatly appreciated.

Jasen
August 23rd, 2011 8:12pm
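The Windows Event Log accepts only a small subset of XPath 1.0 (no contains(), starts-with() or wildcard matching on Data values), so the usual workaround is to select EventID 2889 server-side and match the client address client-side after stripping the port. The script below is an added example, not code from the thread; it assumes the events have been exported as XML (for instance with wevtutil qe "Directory Service" /q:"*[System[EventID=2889]]" /f:xml), and the sample events are constructed from the event shown in the question.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by every exported Windows event (see the xmlns above).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Data[1] is "ip:port" for IPv4 clients and "[addr]:port" for IPv6 clients.
CLIENT_RE = re.compile(r"\[?([^\]]+?)\]?:(\d+)")


def parse_2889(event_xml):
    """Return (client_ip, port, user) for one Event 2889, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "2889":
        return None
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < 2:
        return None
    m = CLIENT_RE.fullmatch(data[0])
    if not m:
        return None
    return m.group(1), int(m.group(2)), data[1]


def count_cleartext_binds(events, client_ip):
    """Count 2889 events from client_ip (any source port), keyed by user."""
    counts = Counter()
    for event_xml in events:
        parsed = parse_2889(event_xml)
        if parsed is not None and parsed[0] == client_ip:
            counts[parsed[2]] += 1
    return counts


def _sample_event(client, user):
    # Constructed sample modelled on the event in the question; not real log data.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><EventID Qualifiers="16384">2889</EventID></System>'
        f"<EventData><Data>{client}</Data><Data>{user}</Data></EventData></Event>"
    )


SAMPLE_EVENTS = [
    _sample_event("192.168.1.1:36095", "DOMAIN\\USER"),
    _sample_event("192.168.1.1:40211", "DOMAIN\\USER"),
    _sample_event("192.168.1.1:40212", "DOMAIN\\svc_ldap"),
    # A prefix match on "192.168.1.1*" would wrongly include this host.
    _sample_event("192.168.1.10:36095", "DOMAIN\\USER"),
    _sample_event("[fe80::1]:52001", "DOMAIN\\USER"),
]
```

Calling count_cleartext_binds(SAMPLE_EVENTS, "192.168.1.1") gives per-user counts for that client only, which is the amount-and-frequency figure the question is after.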

Hi Jasen,

Your thread has been moved to the Windows Server forum; however, it seems it would be better to post to the Script forum instead, as the question is code related. Here is the website: http://social.technet.microsoft.com/Forums/en/ITCG/threads

TechNet Subscriber Support in forum | If you have any feedback on our support, please contact tnmff@microsoft.com.
August 29th, 2011 3:07am

