Active Directory
Windows Servery
Infrastruktura
Postranní lišta
Windows Eventlog, XML filtry
Najdi eventy s uživatelem 'username'
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='TargetUserName']='t102903']]
</Select>
</Query>
</QueryList>
Najdi eventy s interaktivním přihlášením
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='LogonType']='10']]
</Select>
</Query>
</QueryList>
Najdi eventy s přihlášením uživatele username
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='TargetUserName']='t102903']
and
System[(EventID='4624')]]
</Select>
</Query>
</QueryList>
Najdi eventy 4624 (logon) a interaktivní přihlášení
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='LogonType']='10']
and
System[(EventID='4624')]]
</Select>
</Query>
</QueryList>
Najdi eventy 4663 z logu Security a eventy 1704 z logu Application
<QueryList>
<Query Id="0">
<Select Path="Security">*[System[(EventID=’4663′)]]</Select>
<Select Path="Application">*[System[(EventID=’1704′)]]</Select>
</Query>
</QueryList>
A Kerberos service ticket was requested.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='TargetUserName']='user@UPN']
and
System[(EventID='4769')]]
</Select>
</Query>
</QueryList>
eventlog_xml.txt · Poslední úprava: 2021/08/28 03:57 autor: Jiří Schuster