I'm trying to create an event filter based on the following event XML (an example), but I seem to be missing something:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='acvpnui'/>
        <EventID Qualifiers='25600'>3021</EventID>
        <TimeCreated SystemTime='2016-04-08T22:01:57.000000000Z'/>
        <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
    </System>
    <EventData>
        <Data>Message type information sent to the user:
Connected to my.vpn.server.com.</Data>
    </EventData>
</Event></Events>

And I'm using the following XML XPath filter, but I get nothing back with it:

  <Query Id="0" Path="Cisco AnyConnect Secure Mobility Client">
    <Select Path="Cisco AnyConnect Secure Mobility Client">
        *[System[Provider[@Name='acvpnui'] and (EventID=3021)]]
        and
        *[EventData[Data and (Data='Message type information sent to the user: Connected to my.vpn.server.com.')]]
    </Select>
  </Query>

I could take out and (Data='Message type information sent to the user: Connected to my.vpn.server.com.')], but then I get more than I want from the filter. How do I filter for that particular EventData?

  • Is there a line break between the text to the user: and Connected to my? Also, could you share a valid export file as .evtx format from your event viewer?
    – nixda
    Commented Apr 11, 2016 at 14:18
  • Oh, yeah, there is, so I just changed the string to 'Message type information sent to the user:&#xA;Connected to my.vpn.server.com.'. Commented Apr 11, 2016 at 14:48
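One way to build such a filter from an exported event so that the line break inside Data is carried as `&#xA;` instead of being typed by hand (an added example, not part of the original post or its comments). The function names are hypothetical, the sample event is constructed from the one in the question, and the final check is an offline string comparison, not the Windows Event Log XPath engine.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the event from the question as well-formed XML.
EVENT_XML = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='acvpnui'/><EventID Qualifiers='25600'>3021</EventID>
  <Channel>Cisco AnyConnect Secure Mobility Client</Channel></System>
  <EventData><Data>Message type information sent to the user:
Connected to my.vpn.server.com.</Data></EventData>
</Event>"""

# Literal used in the question's filter: a space where the event has a line break.
QUESTION_LITERAL = ("Message type information sent to the user: "
                    "Connected to my.vpn.server.com.")

def event_data(event_xml):
    """Data text exactly as the XML parser returns it, line break included."""
    return ET.fromstring(event_xml).find("e:EventData/e:Data", NS).text

def xpath_literal(text):
    """Quote text as an XPath 1.0 string literal (there is no escape syntax)."""
    if "'" not in text:
        return "'" + text + "'"
    if '"' not in text:
        return '"' + text + '"'
    raise ValueError("text contains both quote characters")

def build_query(event_xml):
    """Build a QueryList that matches this event's provider, ID and Data."""
    ev = ET.fromstring(event_xml)
    provider = ev.find("e:System/e:Provider", NS).get("Name")
    event_id = int(ev.find("e:System/e:EventID", NS).text)
    channel = escape(ev.find("e:System/e:Channel", NS).text, {'"': "&quot;"})
    xpath = ("*[System[Provider[@Name=%s] and (EventID=%d)]] and "
             "*[EventData[Data=%s]]"
             % (xpath_literal(provider), event_id,
                xpath_literal(event_data(event_xml))))
    # Escape & < > first, then write line breaks as character references
    # so an editor or text box cannot turn them into spaces.
    body = escape(xpath).replace("\r", "&#xD;").replace("\n", "&#xA;")
    return ('<QueryList><Query Id="0" Path="%s"><Select Path="%s">%s'
            '</Select></Query></QueryList>' % (channel, channel, body))

def data_literal(query_xml):
    """Data literal as it looks after the filter XML itself has been parsed."""
    select = ET.fromstring(query_xml).find("Query/Select").text
    return select.split("EventData[Data=", 1)[1].rsplit("]]", 1)[0][1:-1]
```

`data_literal(build_query(EVENT_XML))` equals the event's Data text, while `QUESTION_LITERAL` does not, which is why an exact `Data='...'` comparison with a space returns nothing.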

