Event Viewer - not-equal XPath query limitations
I need to find logs in Event Viewer's Forwarded Events based on computer name, excluding the ones that aren't interesting to me.
My query is this:
*[(System[(Computer!='comp1')]) and (System[(Computer!='comp2')]) and (System[(Computer!='comp3')]) and (System[(Computer!='comp4')]) and (System[(Computer!='comp5')]) and (System[(Computer!='comp6')]) and (System[(Computer!='comp7')]) and (System[(Computer!='comp8')]) and (System[(Computer!='comp9')]) and (System[(Computer!='comp10')]) and (System[(Computer!='comp11')]) and (System[(Computer!='comp12')]) and (System[(Computer!='comp13')]) and (System[(Computer!='comp14')]) and (System[(Computer!='comp15')])]

This query works fine unless I add one more condition, and (System[(Computer!='comp16')]), after which the filter stops working and logs are displayed. I noticed that if I put comp16 instead of comp15, or instead of comp12, it works fine, so the problem is not in the new condition.
The situation is the opposite if I use the equality filter

(System[(Computer='comp1')]) or (System[(Computer='comp2')]) or ... (System[(Computer='comp15')]) or (System[(Computer='comp16')]) and so on; that filter works fine for larger queries.

So why does the not-equal operator not work in large queries?
Edit
A filter on EventRecordID has the same problem.
Edit 2
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4624</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <TimeCreated SystemTime="2017-08-18T17:06:15.595105400Z" />
    <EventRecordID>1</EventRecordID>
    <Correlation />
    <Execution ProcessID="584" ThreadID="7100" />
    <Channel>Security</Channel>
    <Computer>comp1</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">username</Data>
    <Data Name="TargetDomainName">domain</Data>
    ...
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
You haven't shown the XML, so it's hard to envisage an XML structure on which the query makes sense.
Consider the simpler

*[(System[(Computer!='comp1')]) and (System[(Computer!='comp2')])]

If there is one System and one Computer, this returns true if the Computer is neither 'comp1' nor 'comp2'. If there is more than one System, or more than one Computer, and if the Computers do not all have the same value, there will inevitably be at least one Computer that is not 'comp1' and at least one that is not 'comp2', and the predicate is therefore true.
Usually when people write a!=b in XPath, they should have written not(a=b).
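As an added example (not part of the question or the answer above), the following PowerShell builds the exclusion the way the answer recommends, as a single not(Computer='...' or Computer='...') predicate inside one System[...] step rather than sixteen nested System[(Computer!='...')] predicates, and tests it with Get-WinEvent, which hands the XPath to the same event-log engine Event Viewer uses. It also shows the equivalent custom-view XML using a Suppress element, which keeps the equality form the question reports as scaling fine. The host names are a constructed list and ForwardedEvents is assumed to exist on the machine; no claim is made about which form, if any, avoids the expression cap the question observes.

```powershell
# Added example: build a host-exclusion filter for Forwarded Events.
# Constructed list of hosts to exclude; replace with your own.
$excluded = 1..16 | ForEach-Object { "comp$_" }

# Event Viewer XPath is case-sensitive: System, Computer, EventID, EventRecordID.
# Escape each name so a quote or ampersand cannot break out of the XPath string or the XML.
$orList = ($excluded | ForEach-Object {
    "Computer='" + [System.Security.SecurityElement]::Escape($_) + "'"
}) -join ' or '

# Form recommended in the answer: not(a=b) in a single predicate, not a chain of a!=b.
$xpath = "*[System[not($orList)]]"
Write-Host "XPath: $xpath"

# Try the filter before pasting it into a custom view; -MaxEvents keeps the test cheap.
Get-WinEvent -LogName 'ForwardedEvents' -FilterXPath $xpath -MaxEvents 20 -ErrorAction Stop |
    Select-Object TimeCreated, Id, MachineName

# Equivalent custom-view XML (Event Viewer's "XML" tab / Get-WinEvent -FilterXml):
# select everything, then suppress the unwanted hosts with plain equality.
[xml]$query = @"
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*</Select>
    <Suppress Path="ForwardedEvents">*[System[$orList]]</Suppress>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $query -MaxEvents 20 -ErrorAction Stop |
    Select-Object TimeCreated, Id, MachineName
```

Run it in an elevated PowerShell session on the collector; if the ForwardedEvents log has no events matching the filter, Get-WinEvent raises a "No events were found" error, which -ErrorAction Stop surfaces immediately instead of silently returning nothing.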