Wednesday, August 30, 2023

Custom Event Log Queries

The XML behind an Event Viewer filter can be edited by hand to apply XPath conditions and narrow the results to the relevant entries. Below are two examples of custom Event Log queries.

Example 1

    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">
          *[System[(EventID=7036)]]
          and
          *[EventData[Data and (Data='The Optimize drives service entered the stopped state.')]]
        </Select>
      </Query>
    </QueryList>


Example 2 (the `!=` operator means "not equal", so each clause excludes one account)

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4634)]]
          and
          *[EventData[Data[@Name='TargetUserName'] != 'ServiceAccountName1'
            and
            Data[@Name='TargetUserName'] != 'ServiceAccountName2'
            and
            Data[@Name='TargetUserName'] != 'MACHINENAME$'
            and
            Data[@Name='TargetUserName'] != 'ServiceAccountName3'
            and
            Data[@Name='TargetUserName'] != 'SYSTEM'
            and
            Data[@Name='TargetUserName'] != 'UserName'
          ]]
        </Select>
      </Query>
    </QueryList>
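As an added example that is not part of the original post, the Example 2 exclusion list can be generated from an array of account names and run directly with PowerShell's Get-WinEvent -FilterXml, which avoids hand-editing one clause per account; the account names are placeholders.

```powershell
# Added example: build the Example 2 query (4634 logoff events, minus a list of
# noisy accounts) and run it with Get-WinEvent. Account names are placeholders.
$Excluded = @('ServiceAccountName1', 'ServiceAccountName2', 'MACHINENAME$',
              'ServiceAccountName3', 'SYSTEM', 'UserName')

# Each entry becomes one "Data[@Name='TargetUserName'] != '<name>'" clause.
# A single quote inside a name would break the XPath literal, so reject it.
$Clauses = foreach ($Name in $Excluded) {
    if ($Name -match "'") { throw "Account name '$Name' contains a quote" }
    "Data[@Name='TargetUserName'] != '$Name'"
}

# Same structure as Example 2; the clauses are joined with lowercase 'and',
# which is the only form the Event Log XPath subset accepts.
$Xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4634)]]
      and
      *[EventData[$($Clauses -join "`n      and`n      ")]]
    </Select>
  </Query>
</QueryList>
"@

# -ErrorAction Stop turns "No events were found" into a catchable error
# instead of a non-terminating one. TargetUserName is the second EventData
# field of 4634, hence Properties[1].
try {
    Get-WinEvent -FilterXml $Xml -MaxEvents 50 -ErrorAction Stop |
        Select-Object TimeCreated, Id,
            @{ Name = 'TargetUserName'; Expression = { $_.Properties[1].Value } }
} catch {
    Write-Warning $_.Exception.Message
}
```

Reading the Security log requires an elevated session; the same $Xml text can also be pasted into the XML tab of Event Viewer's Filter Current Log dialog.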