I would like to use the advanced xml filtering feature in the windows event viewer. We received 'ReadAttributes' Events (4663) and 'SYNCHRONIZE|ReadAttribute' Events (4656) when we open the document. This happen every second for every file to check the files for new input and can't be adjusted.
To reduce the log amount in a 2nd application I need the XML from the event viewer to filter these events.
In the second application we can see in the raw event that the Windows namefield is AccessList for both, the 4663 and the 4656 events.
I tried this, but it leads to zero events:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID='4663')]]
and
*[EventData[Data[@Name='AccessList'] and (text='ReadAttributes')]]
</Select>
</Query>
</QueryList>
Could you help me find my mistake and tell me how to combine with the 4656 events.