Forum Discussion
cxmelga
Feb 17, 2022 Copper Contributor
A simple Custom XPath Data Source Collection is not working
Can someone please help me with the following? I read the following document: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent I am following...
Ron Howe
Jun 29, 2022 Copper Contributor
Could you post your fix? I'm having the same issue.
Swdowsett
Jun 29, 2022 Copper Contributor
Ron Howe I ended up getting this working. This only seems to work on Windows Security Events via the AMA connector, not the Windows Forwarded Events (Preview) connector.
When specifying the XPath for a custom location:
CustomLog/CustomChannel!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]
and so on. Seems the supported method is to use the shorthand.
Ron Howe
Jun 29, 2022 Copper Contributor
Thanks for your reply.
I was originally trying this, which isn't working now, but I swear it worked once upon a time.
*[System[(EventID=33205)]]
I am now trying this, which is working:
Security!*[System[(EventID=33205)]]
Qualifying the log/channel name (for me, Security, for you CustomLog/CustomChannel) seems to be the key.
I think the Microsoft Docs changed recently to reflect this? Not sure.
In any case, current docs seem to be good/helpful.
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal#filter-events-using-xpath-queries
Examples of filtering events using a custom XPath:

| Description | XPath |
| --- | --- |
| Collect only System events with Event ID = 4648 | System!*[System[EventID=4648]] |
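
The channel-qualification point from this thread can be checked before a rule is deployed. The following is an added example, not code from the thread or from Microsoft: it scans a data collection rule's Windows event queries and reports any that lack the `Channel!` prefix. The sample rule is constructed, the `properties.dataSources.windowsEventLogs[].xPathQueries` layout is an assumption about the exported rule JSON, and `split_query` and `lint_dcr` are hypothetical helper names.

```python
import json
import re

# Constructed sample DCR fragment (not from the thread). Assumed layout:
# properties.dataSources.windowsEventLogs[].xPathQueries
SAMPLE_DCR = json.loads("""
{"properties": {"dataSources": {"windowsEventLogs": [
  {"name": "sqlAudit",
   "xPathQueries": [
     "*[System[(EventID=33205)]]",
     "Security!*[System[(EventID=33205)]]",
     "CustomLog/CustomChannel!*[System[(Level=1 or Level=2)]]",
     "*[System[(EventID!=4648)]]"
   ]}
]}}}
""")

# A channel prefix is the text before the first '!' as long as it contains no
# XPath syntax; the lookahead keeps the '!=' operator from being read as the separator.
QUALIFIED = re.compile(r"^\s*([^!\[\]*()=<>]+)!(?!=)(.+)$", re.S)


def split_query(entry):
    """Return (channel, xpath); channel is None when the entry is unqualified."""
    match = QUALIFIED.match(entry)
    if match is None:
        return None, entry.strip()
    return match.group(1).strip(), match.group(2).strip()


def lint_dcr(dcr):
    """List (data source name, query) pairs that lack a 'Channel!' prefix."""
    sources = dcr.get("properties", {}).get("dataSources", {}).get("windowsEventLogs", [])
    return [(src.get("name"), query)
            for src in sources
            for query in src.get("xPathQueries", [])
            if split_query(query)[0] is None]


if __name__ == "__main__":
    for name, query in lint_dcr(SAMPLE_DCR):
        print(f"{name}: unqualified XPath query: {query}")
```
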