event viewer - Not equal xPath query limitations -


i need find logs eventviewer in forwarded events based on computer name, excluding ones aren't interesting me.

my query that

*[(system[(computer!='comp1')]) ,  (system[(computer!='comp2')]) ,  (system[(computer!='comp3')]) ,  (system[(computer!='comp4')]) ,  (system[(computer!='comp5')]) ,  (system[(computer!='comp6')]) ,  (system[(computer!='comp7')]) ,  (system[(computer!='comp8')]) ,  (system[(computer!='comp9')]) ,  (system[(computer!='comp10')]) ,  (system[(computer!='comp11')]) ,  (system[(computer!='comp12')]) ,  (system[(computer!='comp13')]) ,  (system[(computer!='comp14')]) ,  (system[(computer!='comp15')])]

this query works fine unless add 1 more condition

and [(computer!='comp16')])

after filter stops working , logs displayed. notice if put comp16 instead of comp15 or instead of comp12 works fine. problem not in new condition.

the situation opposite if use equality filter 

(system[(computer='comp1')]) or  (system[(computer='comp2')]) or ... (system[(computer='comp15')]) or  (system[(computer='comp16')]) , on

filter works fine larger queries.

so why not equal operator not work in large queries?

edit

filter eventrecordid has same problem

edit 2

<event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">  <system>   <provider name="microsoft-windows-security-auditing" guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />    <eventid>4624</eventid>    <version>1</version>    <level>0</level>    <task>12544</task>    <opcode>0</opcode>    <timecreated systemtime="2017-08-18t17:06:15.595105400z" />    <eventrecordid>1</eventrecordid>    <correlation />    <execution processid="584" threadid="7100" />    <channel>security</channel>    <computer>comp1</computer>    <security />   </system> <eventdata>   <data name="targetusername">username</data>    <data name="targetdomainname">domain</data>    ...   <data name="processname">-</data>    <data name="ipaddress">-</data>    <data name="ipport">-</data>   </eventdata> </event>

you haven't shown xml, it's hard envisage xml structure on query makes sense.

consider simpler

*[(system[(computer!='comp1')]) ,    (system[(computer!='comp2')])]

if there 1 system 1 computer, returns true if computer neither 'comp1' nor 'comp2'. if there more 1 system, or more 1 computer, , if computers not same value, there inevitably @ least 1 computer not 'comp1', , @ least 1 not 'comp2', , predicate therefore true.

usually when people write a!=b in xpath, should have written not(a=b).


Comments

Post a Comment

Popular posts from this blog

Is there a better way to structure post methods in Class Based Views -

i'm using class based views in django , never specify url in ajax calls , omit action parameter in form because know these requests go through post method of class based view. notice view - profile page make many requests depending on user updating on page - post method become convoluted , if/else mess example: def post(self, request, *args, **kwargs): # handle user changing available date if request.post.get('availabledate') != none: self.updateavailabledate(request) return jsonresponse({'result':'success'}) if request.post.get('newprojectname') != none: creative_user = creativeuserprofile.objects.get(id = request.user.id) project = project.create_project(creative_user, request.post['newprojectname']) project.save() return jsonresponse({'projectid': project.id }) if request.post.get('projectimage') != none , request.files['file']: proj...
Read more

performance - Why is XCHG reg, reg a 3 micro-op instruction on modern Intel architectures? -

i'm doing micro-optimization on performance critical part of code , came across sequence of instructions (in at&t syntax): add %rax, %rbx mov %rdx, %rax mov %rbx, %rdx i thought had use case xchg allow me shave instruction , write: add %rbx, %rax xchg %rax, %rdx however, dimay found agner fog's instruction tables , xchg 3 micro-op instruction 2 cycle latency on sandy bridge, ivy bridge, broadwell, haswell , skylake. 3 whole micro-ops , 2 cycles of latency! 3 micro-ops throws off 4-1-1-1 cadence , 2 cycle latency makes worse original in best case since last 2 instructions in original might execute in parallel. now... cpu might breaking instruction micro-ops equivalent to: mov %rax, %tmp mov %rdx, %rax mov %tmp, %rdx where tmp anonymous internal register , suppose last 2 micro-ops run in parallel latency 2 cycles. given register renaming occurs on these micro-architectures, though, doesn't make sense me done way. why wouldn't register renamer ...
Read more

c# - Asp.net web api : redirect unauthorized requst to forbidden page -

im trying redirect unauthorized request forbidden page instead i'm getting forbidden page in response body , how can fix ? here's startup class : app.createperowincontext(storecontext.create); app.createperowincontext<applicationusermanager>(applicationusermanager.create); app.createperowincontext<applicationsigninmanager>(applicationsigninmanager.create); app.usecookieauthentication(new cookieauthenticationoptions { authenticationtype = defaultauthenticationtypes.applicationcookie, expiretimespan = timespan.fromdays(30), }); app.useexternalsignincookie(defaultauthenticationtypes.externalcookie); app.usetwofactorsignincookie(defaultauthenticationtypes.twofactorcookie, timespan.fromminutes(5)); app.usetwofactorrememberbrowsercookie(defaultauthenticationtypes.twofactorrememberbrowsercookie); the method im trying reach : [httpget] [authorize(roles = "admin")] public string getcurrentusername() { return userman...
Read more