XML filter for forwarded Windows 2003 event logs
Problem description
I'm trying to create an XML filter on a Windows 2008 machine to filter forwarded security logs from a Windows 2003 server. In particular I only want to see the security event logs that contain the WRITE_DAC attribute to determine when a file or folder permission has changed.
Based on the XML below I believe that I want to create a filter to look for the %%1539 data value.
Without knowing too much on this mechanism, it seems to me you have a problem with the xpath inside the QueryList.
You don't use the function "contains" in the appropriate way, and since you have a default namespace in the xml you need to use a different syntax like the following for example -
*[local-name()='Event']/*[local-name()='EventData'][*[local-name()='Data'][contains(.,'%%1539')]]
In your example you selected the EventData node, so my xpath query selects it as well.
Good luck
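Added example, not part of the original question or answer: the same selection (EventData nodes with a Data child listing %%1539) applied to exported event XML with Python's standard library, which has neither contains() nor local-name(), so the default namespace is bound to a prefix and the value test is done in code. The sample events, the host name, event ID 560 and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Default namespace declared on rendered Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not from the post): two events, only the first lists %%1539.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>560</EventID><Computer>srv2003.example.test</Computer></System>
  <EventData>
    <Data>File</Data>
    <Data>C:\Share\report.doc</Data>
    <Data>%%1538 %%1539 %%4416</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>560</EventID><Computer>srv2003.example.test</Computer></System>
  <EventData>
    <Data>File</Data>
    <Data>C:\Share\notes.txt</Data>
    <Data>%%1538 %%4416</Data>
  </EventData>
</Event>
</Events>"""


def unqualified_matches(xml_text):
    """Path written without the namespace: selects nothing in this XML."""
    return ET.fromstring(xml_text).findall(".//Event/EventData")


def event_data_with_token(xml_text, token="%%1539"):
    """Return EventData elements having a Data child that lists token."""
    hits = []
    for event_data in ET.fromstring(xml_text).iterfind(".//e:Event/e:EventData", NS):
        values = [d.text or "" for d in event_data.findall("e:Data", NS)]
        # Whole-token match, so a longer code such as %%15390 is not a hit.
        if any(token in v.split() for v in values):
            hits.append(event_data)
    return hits


if __name__ == "__main__":
    print(len(unqualified_matches(SAMPLE)))
    for ed in event_data_with_token(SAMPLE):
        print([d.text for d in ed.findall("e:Data", NS)])
```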