We have daily log files of Windows server that are zipped every week. The events are in XML format. I need to run a query on these log files and extract a particular date from each event that gets a hit. I'm able to find every file that contains a particular string, but that isn't what I'm looking for. Take the event below for which there are two problems: 1) I need to find EventID == 5061 && SID == S-1-12-1-1032717433-1282942920-404204970-2072513611 in one event. This is problematic because I don't know how to distinguish different events; however, all new events start with "Event xmlns". I've tried to figure out an approach to search text between two "Event xmlns" strings, but I've not had any luck. 2) The query needs to return the SystemTime, which in this case is "2019-10-18T18:59:34.538976500Z". I'm sure this is possible, but I've not made headway. Does anyone have an idea of what I might try? Thanks
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5061</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-10-18T18:59:34.538976500Z" />
<EventRecordID>104445</EventRecordID>
<Correlation ActivityID="{59bc01e2-7eac-0006-f601-bc59ac7ed501}" />
<Execution ProcessID="1028" ThreadID="1076" />
<Channel>Security</Channel>
<Computer>TCPC053</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-12-1-1032717433-1282942920-102204870-2042613611</Data>
<Data Name="SubjectUserName">SomeDude</Data>
<Data Name="SubjectDomainName">TESTAD</Data>
<Data Name="SubjectLogonId">0xeafec</Data>
<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
<Data Name="AlgorithmName">RSA</Data>
<Data Name="KeyName">TB_0_test.com</Data>
<Data Name="KeyType">%%2500</Data>
<Data Name="Operation">%%2480</Data>
<Data Name="ReturnCode">0x0</Data>
</EventData>
</Event>
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5061</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-10-18T18:59:34.538976500Z" />
<EventRecordID>104445</EventRecordID>
<Correlation ActivityID="{59bc01e2-7eac-0006-f601-bc59ac7ed501}" />
<Execution ProcessID="1028" ThreadID="1076" />
<Channel>Security</Channel>
<Computer>TCPC053</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-12-1-1032717433-1282942920-102204870-2042613611</Data>
<Data Name="SubjectUserName">SomeDude</Data>
<Data Name="SubjectDomainName">TESTAD</Data>
<Data Name="SubjectLogonId">0xeafec</Data>
<Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
<Data Name="AlgorithmName">RSA</Data>
<Data Name="KeyName">TB_0_test.com</Data>
<Data Name="KeyType">%%2500</Data>
<Data Name="Operation">%%2480</Data>
<Data Name="ReturnCode">0x0</Data>
</EventData>
</Event>
