Friday, February 17, 2012

Using custom XML to search Windows Event Viewer

So nobody likes going through the Windows Event Viewer. The latest version in Server 2008 takes ages to load and filtering isn't fun, so I thought I would go through a few ways to customise the XML used to search it.

So you'll probably start with the XML looking like this:

<QueryList>
  <Query Id="0" Path="file://C:\path\to\file.evtx">
    <Select Path="file://C:\path\to\file.evtx">*</Select>
  </Query>
</QueryList>

You can edit the contents of the Select element to filter on one of the Data names from the list below.

  1. SubjectUserSid
  2. SubjectUserName
  3. SubjectDomainName
  4. SubjectLogonId
  5. TargetUserSid
  6. TargetUserName
  7. TargetDomainName
  8. TargetLogonId
  9. LogonType
  10. LogonProcessName
  11. AuthenticationPackageName
  12. WorkstationName
  13. LogonGuid
  14. TransmittedServices
  15. LmPackageName
  16. KeyLength
  17. ProcessId
  18. ProcessName
  19. IpAddress
  20. IpPort

As an example: *[EventData[Data[@Name='YOUROPTION'] and (Data='YOURVALUE')]]

Replacing the asterisk in the first example with this, the query looks like this:

<QueryList>
  <Query Id="0" Path="file://C:\path\to\file.evtx">
    <Select Path="file://C:\path\to\file.evtx">
      *[EventData[Data[@Name='IpAddress'] and(Data='127.0.0.1')]]
    </Select>
  </Query>
</QueryList>
This will search all the logs for that specific IP address.

You can even specify the Event ID:

<QueryList>
  <Query Id="0" Path="file://C:\path\to\file.evtx">
    <Select Path="file://C:\path\to\file.evtx">
      *[System[(EventID="4771")]] and *[EventData[Data and (Data="username")]]
    </Select>
  </Query>
</QueryList>
The above query will search for that specific event ID AND for entries that include the name username.
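The two filter shapes above (a named Data field plus a value, and an EventID plus a value) can be checked offline against event XML copied from Event Viewer's XML view. The example below is added here and is not part of the original post; it builds a QueryList and, on a constructed 4624 event, compares the page's `Data[@Name='X'] and (Data='Y')` form with the tighter `Data[@Name='X']='Y'` form, which ties the value to the named field so a value in a different field does not match.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (shown in Event Viewer's XML view).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def build_query(path, event_id, name, value):
    """QueryList filtering on EventID and one EventData field (strict form)."""
    if any(c in name + value for c in "'<&"):
        raise ValueError("field name/value must not contain ' < or &")
    xpath = (f'*[System[(EventID="{event_id}")]] and '
             f"*[EventData[Data[@Name='{name}']='{value}']]")
    return (f'<QueryList>\n  <Query Id="0" Path="{path}">\n'
            f'    <Select Path="{path}">{xpath}</Select>\n'
            f"  </Query>\n</QueryList>")


def data_fields(event):
    """Map each EventData/Data @Name to its text."""
    return {d.get("Name"): (d.text or "")
            for d in event.findall("e:EventData/e:Data", NS)}


def loose_match(event, name, value):
    """Data[@Name=name] and (Data=value): any Data child may hold the value."""
    fields = data_fields(event)
    return name in fields and value in fields.values()


def strict_match(event, name, value):
    """Data[@Name=name]=value: the value must be in the named field itself."""
    return data_fields(event).get(name) == value


def compare(event_xml, name, value):
    """Return (loose, strict) results for one event."""
    event = ET.fromstring(event_xml)
    return loose_match(event, name, value), strict_match(event, name, value)


# Constructed sample logon event (4624), trimmed to the fields used here.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">svc_backup</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    print(build_query("Security", 4624, "TargetUserName", "svc_backup"))
    # Looking for logons *to* svc_backup: the loose form also hits this event
    # because svc_backup appears in SubjectUserName; the strict form does not.
    print(compare(SAMPLE_4624, "TargetUserName", "svc_backup"))
```

The `Path` attribute accepts a channel name such as `Security` as well as the `file://` form used above.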
