Event log forwarding - Suppress system account made changes

Edd B

I've set up an Event log forwarding subscription to monitor for EventIDs 4732 and 4733 (member being added to and member being removed from a security-enabled local group). Is there an XPath query filter I can use to suppress the adds and removes made by Security ID S-1-5-18 (SYSTEM)? I want to only capture events initiated by actual user accounts. I've started with this:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='TargetUserName']='Administrators']]
      and
      *[System[(EventID='4732') or (EventID='4733')]]
    </Select>
    <Suppress Path="Security">*[EventData[Data[XXXXXX ='XXXXXXXX'] and (Data ='XXXXXXXX')]]</Suppress>
  </Query>
</QueryList>


Will this work? If so, I don't know what I'd put for the XXXXXXXX's.
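One way to write the suppression, as an added example that is not part of the original post: events 4732 and 4733 record the account that performed the change in the SubjectUserSid data field, so the Suppress clause can match that field against S-1-5-18 while the Select clause keeps the EventID and TargetUserName conditions from the question. It assumes, as above, that the subscription reads the Security log and that the group of interest is Administrators.

```xml
<QueryList>
  <!-- Added example: membership changes to the local Administrators group -->
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4732 or EventID=4733)]]
      and
      *[EventData[Data[@Name='TargetUserName']='Administrators']]
    </Select>
    <!-- Drop the subset of those events whose actor is the local SYSTEM account -->
    <Suppress Path="Security">
      *[System[(EventID=4732 or EventID=4733)]]
      and
      *[EventData[Data[@Name='SubjectUserSid']='S-1-5-18']]
    </Suppress>
  </Query>
</QueryList>
```

S-1-5-18 also covers changes made by services and scheduled tasks running as SYSTEM, so anything suppressed here should remain reviewable in the source host's local Security log.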
