
A52 (Copper Contributor), Nov 18, 2024

DCR xPath - Nomenclature modification?

Hello,

I have a question regarding the custom (xPath) configuration when creating a DCR for Windows Security Events via AMA

Below is the xPath I was using until now to exclude the following EventIDs 4689, 5449 and 5145. It was working perfectly fine:


Raw xPath: Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145)]]

Today I wanted to modify it to exclude another EventID, but got an error mentioning that "the event log you have specified is not a valid xPath":

Raw xPath: Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]


I tried to remove the "Security" channel from the xPath as below:

*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

But this throws an error:


Did the xPath nomenclature update or is there a new way to exclude specific Event IDs that I missed? Is anyone facing the same issue?

Thanks in advance.

  • tapiidk (Copper Contributor)

    Same issue here. The custom collection rule does not work; we have changed to minimal collection until the problem is solved.

  • iankb07 (Copper Contributor)

    Put double quotes at the start and end of the path.

    "Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145)]]"

    • A52 (Copper Contributor)

      Does it work on your side? When trying it with double quotes like you mentioned, no single logs are coming in, as if it was breaking the logic of the xPath.

  • MHenshaw (Brass Contributor)

    Hi All,

    I've been playing around with it and it looks like you have to use the XML format that shows up in the Event Viewer:

    so instead of this Security!*[System[(EventID=4799)]] or this Security!*[System[(EventID=4799)]]

    use these instead

    "Security">*[System[((EventID=4799))]] or to exclude use this "Security">*[System[not((EventID=4799))]]

    • A52 (Copper Contributor)

      Hi, thanks a lot for your reply.

      I just tried the above but unfortunately, I am getting the following error: "Missing '!' between channel name and query expression":

      When trying to add a '!' character in the xPath query, the message "The event log you have specified is not a valid xPath." appears again.

  • maukka (Copper Contributor)

    Yep, exactly the same here.
    Even if you copy an xPath expression from your existing (functioning) DCR and try to create a new one from it, you cannot do it anymore: "The event log you have specified is not a valid xPath."
    Either broken or some fatal change... Frustrating.

  • iankb07 (Copper Contributor)

    I am getting exactly the same error.

    Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]

    "The event log you have specified is not a valid xPath."
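The queries in this thread all use the DCR form `<Channel>!<XPath expression>`. An added example, not posted by anyone in the thread, of a check a practitioner can run on a Windows host before submitting a rule: split each query at the first `!`, validate the expression part locally with `Get-WinEvent -FilterXPath` (the event log engine applies the same XPath dialect the DCR expects), and then emit the matching `windowsEventLogs` data-source fragment of a DCR. The data-source name `securityEventsFiltered` and the stream name `Microsoft-SecurityEvent` are assumptions used for illustration; adjust them to your own rule.

```powershell
# Added example: locally validate DCR-style xPath queries before putting them in a rule.
# Run in an elevated PowerShell session, since reading the Security log requires it.

$xPathQueries = @(
    'Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]',
    'Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]'
)

function Test-DcrXPathQuery {
    param([Parameter(Mandatory)][string]$Query)

    # The DCR format is <Channel>!<XPath expression>; split on the first '!' only,
    # because the expression itself may contain '!=' comparisons.
    $idx = $Query.IndexOf('!')
    if ($idx -lt 1) {
        return [pscustomobject]@{ Query = $Query; Result = 'FAIL'; Detail = "Missing '!' between channel name and query expression" }
    }
    $channel = $Query.Substring(0, $idx)
    $expr    = $Query.Substring($idx + 1)

    try {
        # Get-WinEvent takes only the expression part; the channel goes in -LogName.
        # -MaxEvents keeps the test cheap. A filter that matches nothing also throws
        # ("No events were found..."), which is a useful hint that the filter is too tight.
        $events = Get-WinEvent -LogName $channel -FilterXPath $expr -MaxEvents 5 -ErrorAction Stop
        return [pscustomobject]@{ Query = $Query; Result = 'OK'; Detail = "$($events.Count) matching event(s) sampled" }
    } catch {
        return [pscustomobject]@{ Query = $Query; Result = 'FAIL'; Detail = $_.Exception.Message }
    }
}

$results = $xPathQueries | ForEach-Object { Test-DcrXPathQuery -Query $_ }
$results | Format-Table -AutoSize

# Only queries that validated locally go into the DCR fragment.
$validQueries = @($results | Where-Object Result -eq 'OK' | Select-Object -ExpandProperty Query)

# DCR dataSources fragment (windowsEventLogs / xPathQueries are the real schema properties;
# the data-source name and stream name below are assumptions for this example).
$dcrDataSources = @{
    windowsEventLogs = @(
        @{
            name         = 'securityEventsFiltered'
            streams      = @('Microsoft-SecurityEvent')
            xPathQueries = $validQueries
        }
    )
}
$dcrDataSources | ConvertTo-Json -Depth 5
```

The local test exercises only the XPath expression, not whatever validation the portal applies to the channel prefix, so a query that passes here but is still rejected in the portal points at the `Channel!` part of the string rather than the filter logic.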
