How To Filter The Windows Event Log By IP Address

Sounds simple until you try ;)

There does not appear to be a way to filter the Windows Event Log by IP address using the Filter tab (the GUI options). Rather, you must use the XML tab and write your own query.

On the XML tab, first enable the option Edit query manually. The initial query will look something like this:

<QueryList>
  <Query Id="0" Path="file://C:\path\to\file.evtx">
    <Select Path="file://C:\path\to\file.evtx">*</Select>
  </Query>
</QueryList>

You will need to edit the content of the Select element. Replace the asterisk so that the query looks like the following:

<QueryList>
  <Query Id="0" Path="file://C:\path\to\file.evtx">
    <Select Path="file://C:\path\to\file.evtx">
      *[EventData[Data[@Name='IpAddress'] and(Data='127.0.0.1')]]
    </Select>
  </Query>
</QueryList>

Where 127.0.0.1 is the IP address to filter on. Hit OK and you’re done!

If you know the name of another property to filter on, you can use the following generic syntax:

*[EventData[Data[@Name='PropertyName'] and(Data='PropertyValue')]]