Windows事件查看器 - > XML - >自定义视图

时间:2016-08-17 18:10:25

标签: xml windows-server-2012 event-viewer

我有以下查询 - 我希望它只报告user1& user2基于ObjectName或RelativeTargetName

但它会根据objectName或RelativeTargetName

报告所有用户

我该如何控制它?

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
   *[EventData[Data[@Name='SubjectUserName'] and (Data='user1'  or Data='user2')]]
   and
   *[EventData[Data[@Name='ObjectName'] and (Data='E:\Path\To\Folder')]]
   or
   *[EventData[Data[@Name='RelativeTargetName'] and (Data='Path\To\Folder')]]
  </Select>
  </Query>
</QueryList>

1 个答案:

答案 0 :(得分:1)

这有效

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
   *[EventData[Data[@Name='ObjectName'] and (Data='E:\Path\To\Folder')]] and *[EventData[Data[@Name='SubjectUserName'] and (Data='user1'  or Data='user2')]]
   or
   *[EventData[Data[@Name='RelativeTargetName'] and (Data='Path\To\Folder')]] and *[EventData[Data[@Name='SubjectUserName'] and (Data='user1' or Data='user2')]]
  </Select>
  </Query>
</QueryList>
相关问题
最新问题