How To Filter The Windows Event Log By IP Address


Sounds simple until you try ;)

There is no way to filter the Windows Event Log by IP address from the Filter tab (the GUI options): the IP lives in the event's EventData section, which the GUI fields do not expose. Instead, you must switch to the XML tab and write the XPath query yourself.

On the XML tab, first tick Edit query manually. For a saved .evtx file the initial query will look something like this (for a live log the Path attribute is the log name instead, for example Security):

<QueryList>
  <Query Id="0" Path="file://C:\path\to\file.evtx">
    <Select Path="file://C:\path\to\file.evtx">*</Select>
  </Query>
</QueryList>

You will need to edit the content of the Select element. Replace the asterisk so that the query selects only events whose IpAddress data field equals the address you are after:

<QueryList>
  <Query Id="0" Path="file://C:\path\to\file.evtx">
    <Select Path="file://C:\path\to\file.evtx">
      *[EventData[Data[@Name='IpAddress']='127.0.0.1']]
    </Select>
  </Query>
</QueryList>

Where 127.0.0.1 is the IP address to filter on. Hit OK and you're done!

A few things to be aware of: the comparison is an exact string match (the Event Log XPath subset has no contains() or starts-with(), so you cannot match a subnet by prefix), and the field is only present in events that actually carry an IpAddress data element, such as the Security log's logon events 4624 and 4625. To match several addresses, combine the tests with or, e.g. *[EventData[Data[@Name='IpAddress']='10.0.0.5' or Data[@Name='IpAddress']='10.0.0.6']]. Avoid the looser form Data[@Name='IpAddress'] and (Data='127.0.0.1'): that only requires that some Data element is named IpAddress and that some (possibly different) Data element equals the address, so it can return events where another field happens to hold that value.


If you know the name of another property in the event's EventData section (open an event, switch to the Details view and pick XML View to see the Data Name attributes), you can use the following generic syntax:

  *[EventData[Data[@Name='PropertyName']='PropertyValue']]
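The same query can be run from the command line instead of the Event Viewer XML tab. The following PowerShell is an added example, not code from the original article: it builds the XPath shown above for one or more values (and, optionally, restricts it to specific event IDs), wraps it in the same QueryList XML the GUI uses, and runs it with Get-WinEvent against either a saved .evtx file or a live log. The function names, the file path and the IP addresses are assumptions chosen for illustration; the IpAddress field and event IDs 4624/4625 are real Security log logon events.

```powershell
# Added example (not from the original KB article). Builds the XPath the
# article pastes into the XML tab and runs it with Get-WinEvent.
# Function names, file path and addresses below are illustrative assumptions.

function New-EventDataXPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $PropertyName,   # e.g. 'IpAddress'
        [Parameter(Mandatory)] [string[]] $PropertyValue,  # one or more exact values
        [int[]] $EventId                                   # optional: restrict to these IDs
    )
    # Exact match on the named Data element. The Event Log XPath subset has no
    # contains()/starts-with(), so several values are combined with 'or'.
    $valueTests = $PropertyValue | ForEach-Object {
        "Data[@Name='$PropertyName']='$_'"
    }
    $dataClause = "EventData[" + ($valueTests -join ' or ') + "]"

    if ($EventId) {
        $idTests = $EventId | ForEach-Object { "EventID=$_" }
        $systemClause = "System[" + ($idTests -join ' or ') + "]"
        return "*[$systemClause and $dataClause]"
    }
    return "*[$dataClause]"
}

function New-EventQueryXml {
    param(
        [Parameter(Mandatory)] [string] $XPath,
        [Parameter(Mandatory)] [string] $Path   # 'Security' or 'file://C:\path\to\file.evtx'
    )
    # Same QueryList structure the Event Viewer XML tab shows; usable with -FilterXml.
@"
<QueryList>
  <Query Id="0" Path="$Path">
    <Select Path="$Path">$XPath</Select>
  </Query>
</QueryList>
"@
}

function Get-EventIpAddress {
    # Pull the IpAddress value out of an event's XML instead of relying on a
    # positional index into .Properties (the position differs between 4624 and 4625).
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $ip  = ($xml.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            IpAddress   = $ip
        }
    }
}

# --- usage (assumed addresses and file path) ---
$xpath = New-EventDataXPath -PropertyName 'IpAddress' `
                            -PropertyValue '10.0.0.5', '192.0.2.10' `
                            -EventId 4624, 4625
$xpath
# *[System[EventID=4624 or EventID=4625] and EventData[Data[@Name='IpAddress']='10.0.0.5' or Data[@Name='IpAddress']='192.0.2.10']]

# 1) A saved log file, same query string the GUI would use
Get-WinEvent -Path 'C:\path\to\file.evtx' -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Get-EventIpAddress

# 2) The live Security log (needs an elevated prompt), via the QueryList XML form
$queryXml = [xml](New-EventQueryXml -XPath $xpath -Path 'Security')
Get-WinEvent -FilterXml $queryXml -MaxEvents 50 -ErrorAction SilentlyContinue |
    Get-EventIpAddress
```

Get-WinEvent raises an error rather than returning nothing when no event matches, hence -ErrorAction SilentlyContinue. Keep the list of or-ed values short: the Event Log service rejects queries with too many expressions, so for large address sets it is better to pull the candidate events with the EventID clause alone and filter on IpAddress in PowerShell.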

Categories: Administration, Windows


Keywords: Windows logs, IP address in Windows logs


Article last modified on August 07, 2013, at 07:39 PM