
QRadar WinCollect: How to use Microsoft Event Viewer to create an XPath Query



Problem

The Microsoft® Event Viewer can be used to create an XPath query.  An XPath query allows administrators to explicitly include or exclude specific events. An XPath query can also be used for instances where you have applications that require custom logging of events.

Resolving The Problem

Using XPath queries provides a way to create customized logging of events. With a Log Source configuration like the one in the example, each monitored Event Log type requires its own query. An XPath query instead uses a single query for all of the logs being sent from the Microsoft host.
 
Figure: Log Source configuration example. Three queries are being used to send logs for these log types.
In the Custom View drop-down, applications that write their own event logs are displayed and can be selected. In our example, we are adding Microsoft Office Alerts and Symantec Endpoint Protection Client.
Important: When administrators use an XPath query, the Windows Event Logs that you currently receive, such as the Application, Security, or System logs, must now be configured in the XPath query. XPath does not currently support Forwarding Events.


Procedure to use Microsoft Event Viewer to create an XPath query.

  1. Log in to your host, where you have your WinCollect Agent installed.
  2. Open Event Viewer by clicking Start > Run > type the command eventvwr.msc.
  3. Click OK.
  4. If you are prompted, type the Administrator password and press Enter.
  5. Click Action > Create Custom View.
    Note: Do not use a time range from the Logged list. WinCollect® does not support it.
  6. Select the check boxes for the Event Levels that you want to log.
  7. From the Event Logs drop-down menu, expand Windows logs and Application and Services logs.
  8. Check the boxes that you would use for Microsoft Windows Event Logs.
    Note: XPath replaces the standard log types. For more information, refer to QRadar: XPath Query Troubleshooting.
  9. Select the check boxes for the applications whose events you want to log.
  10. Click OK.
  11. Click the XML tab.
  12. Copy the XML code and paste it into a plain text editor such as Notepad.
    Note: Applications such as Word® can insert end-of-line and formatting characters that cause errors in the query.

  13. XPath queries support a maximum of 10 logs. To confirm that you are not using more than 10 logs, click OK after saving the XML output to Notepad or another text editor.
  14. If Event Viewer displays a message that the view includes more than 10 logs, click No and repeat steps 6 through 12, clearing logs until the 10-log message no longer appears.

  15. It is not required to save the custom view. Click Cancel.
  16. Paste the XML output from step 12 in the XPath query text box on either Managed WinCollect or Stand-Alone WinCollect.

  17. Create a parsing enhancement by using the DSM Editor or by creating a Log Source Extension. Refer to the article, Creating a log source extension to get data into QRadar®.
  18. Map all Unknown events to a QID.

Results
The XPath Query is performing custom logging.



Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.


Document Information

Modified date:
23 March 2021

UID

ibm16416015