Is there a way to filter for events where a certain attribute is NOT the given string in Windows (Server 2016) Event Viewer's limited dialect of XPath?
I'm trying to get a view on logon events, but only actual user logons (console and RDP).
This is accepted as a filter, but gives too many results, as if the final AND term is ignored:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[Data[@Name='LogonType'] and (Data=1 or Data=8 or Data=9)]]
      and *[EventData[Data[@Name='TargetUserName'] and (Data!='SYSTEM')]]
    </Select>
  </Query>
</QueryList>
When I change the third test to this, it is flagged as "invalid query".
and not *[EventData[Data[@Name='TargetUserName'] and (Data='SYSTEM')]]
Yet I found an answer to another XPath question that suggests preferring this form, because != gives the wrong result when one side of the comparison is a set instead of a value.
And the same for this (invalid query):
and *[EventData[Data[@Name='TargetUserName'] and not (Data='SYSTEM')]]
or this:
and *[EventData[Data[@Name='TargetUserName'] and !(Data='SYSTEM')]]
Your query should look like this:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=4624)]]
and *[EventData[Data[@Name='LogonType'] and (Data=1 or Data=8 or Data=9)]]
</Select>
<Suppress Path="Security">
*[EventData[Data[@Name='TargetUserName'] and (Data='SYSTEM')]]
</Suppress>
</Query>
</QueryList>
Suppress is the secret
You've been caught out by common but wrong examples. Your first EventData search asks for records that contain a "LogonType" element and also have the value 1 or 8 or 10 in any element. It isn't confined to checking the "LogonType" element. This happens to work because only "LogonType" elements contain those values.
To match in any element you write:
Data=1
To match in a specific element you need to write:
Data[@Name='SpecificType']=1
for each value, so that query should read:
*[EventData[ (Data[@Name='LogonType']=1 or Data[@Name='LogonType']=8 or Data[@Name='LogonType']=9)]]
The second EventData section is asking for any record that has a data value that doesn't match 'SYSTEM', which is why it returns all of them. It should be:
*[EventData[Data[@Name='TargetUserName']!='SYSTEM']]
You can combine the two:
*[EventData[ (Data[@Name='LogonType']=1 or Data[@Name='LogonType']=8 or Data[@Name='LogonType']=9) and Data[@Name='TargetUserName']!='SYSTEM']]
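The same anchored filter, run from PowerShell rather than the Event Viewer dialog, as an added example that is not part of either answer. It builds the `Data[@Name='LogonType']=N` tests from a list so each comparison is tied to the LogonType element, excludes the TargetUserName given, and flattens the EventData of each hit into an object. The logon-type values 1, 8 and 9 are kept from the question only so the query matches it; for event 4624, console logons are type 2 and RDP logons type 10, so a practitioner would substitute those. The field names (`TargetUserName`, `LogonType`, `IpAddress`, `WorkstationName`) are the standard 4624 EventData names; reading the Security log needs an elevated session.

```powershell
# Added example, not code from the question or either answer.
$LogonTypes  = @(1, 8, 9)   # values from the question; console = 2, RDP = 10 for event 4624
$ExcludeUser = 'SYSTEM'
$MaxEvents   = 50

# Build "Data[@Name='LogonType']=1 or Data[@Name='LogonType']=8 ..." so that every
# comparison is confined to the LogonType element instead of matching any Data element.
$typeTests = ($LogonTypes | ForEach-Object { "Data[@Name='LogonType']=$_" }) -join ' or '

# Same QueryList XML that the Event Viewer "XML" tab accepts.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[($typeTests) and Data[@Name='TargetUserName']!='$ExcludeUser']]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent writes a non-terminating "No events were found" error on an empty result,
# so suppress it and report the count ourselves.
$events = @(Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host "No 4624 events matched logon types $($LogonTypes -join ',') excluding $ExcludeUser"
    return
}

# Flatten the named EventData fields of each event into one object per logon.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = $data['LogonType']
        SourceIP    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
} | Format-Table -AutoSize
```

Because the generated `$query` string is exactly what Event Viewer's custom-view XML tab takes, you can print it and paste it there when a saved view is wanted instead of a script; the `Suppress` form from the first answer would be an equally valid way to drop the SYSTEM account.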