I'm trying to create an event filter based on the following event XML (an example), but I seem to be missing something:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='acvpnui'/>
<EventID Qualifiers='25600'>3021</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime='2016-04-08T22:01:57.000000000Z'/>
<EventRecordID>35164</EventRecordID>
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
<Computer>MyComputerName.domain.com</Computer>
<Security/>
</System>
<EventData>
<Data>Message type information sent to the user:
Connected to my.vpn.server.com.</Data>
</EventData>
</Event></Events>
And I'm using the following XML XPath filter, but I get nothing back with it:
<QueryList>
<Query Id="0" Path="Cisco AnyConnect Secure Mobility Client">
<Select Path="Cisco AnyConnect Secure Mobility Client">
Event
[System
[Provider
[@Name='acvpnui'] and (EventID=3021)
]
]
[EventData
[Data and (Data='Message type information sent to the user: Connected to my.vpn.server.com.')]
]
</Select>
</Query>
</QueryList>
I could take out and (Data='Message type information sent to the user: Connected to my.vpn.server.com.')], but then I get more than I want from the filter. How do I filter for that particular EventData?
to the user: and Connected to my? Also, could you share a valid export file as .evtx format from your event viewer?
'Message type information sent to the user:
Connected to my.vpn.server.com.'.
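An added example, not part of the original post: in the event XML above, the Data value has a line break after "to the user:" while the filter literal has a space, so an exact string comparison cannot match. The Python sketch below runs offline over an Event Viewer XML export and compares whitespace-normalized text instead; the second event, the function names and the exact flag are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LITERAL = "Message type information sent to the user: Connected to my.vpn.server.com."

# Constructed sample: the export from the question trimmed to the fields used
# here, plus a second event (record 35165) invented as a non-matching case.
SAMPLE_EXPORT = """<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='acvpnui'/><EventID Qualifiers='25600'>3021</EventID>
<EventRecordID>35164</EventRecordID></System>
<EventData><Data>Message type information sent to the user:
Connected to my.vpn.server.com.</Data></EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='acvpnui'/><EventID Qualifiers='25600'>3021</EventID>
<EventRecordID>35165</EventRecordID></System>
<EventData><Data>Message type information sent to the user:
Contacting my.vpn.server.com.</Data></EventData>
</Event>
</Events>"""

def normalize(text):
    """Collapse every whitespace run (space, CR, LF, tab) into a single space."""
    return " ".join((text or "").split())

def find_events(export_xml, provider, event_id, data_text, exact=False):
    """Return EventRecordIDs whose provider, EventID and a Data value match.

    exact=True compares the raw Data text, as the question's filter does;
    the default compares whitespace-normalized text on both sides.
    """
    prep = (lambda s: s or "") if exact else normalize
    wanted = prep(data_text)
    hits = []
    for ev in ET.fromstring(export_xml).iterfind("e:Event", NS):
        system = ev.find("e:System", NS)
        prov = system.find("e:Provider", NS) if system is not None else None
        if prov is None or prov.get("Name") != provider:
            continue
        if system.findtext("e:EventID", namespaces=NS) != str(event_id):
            continue
        if any(prep(d.text) == wanted for d in ev.iterfind("e:EventData/e:Data", NS)):
            hits.append(int(system.findtext("e:EventRecordID", namespaces=NS)))
    return hits

if __name__ == "__main__":
    print("exact:     ", find_events(SAMPLE_EXPORT, "acvpnui", 3021, LITERAL, exact=True))
    print("normalized:", find_events(SAMPLE_EXPORT, "acvpnui", 3021, LITERAL))
```
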