I need to filter so that, for example, PackageFullName starts with '6'. How can I filter using a pattern?
string query = "*[System/EventID=400 ] and *[System/Opcode=2] and *[EventData[Data[@Name='PackageFullName'] LIKE '6%']]";
As explained in the comments, the Event Log service on Windows does not support the full XPath grammar - and it certainly doesn't support substring-matching functions like contains()/starts-with()/ends-with().
Instead, you'll need to fetch all the events and then filter them by inspecting the data value in your own code.
To extract the individual <Data /> nodes' values from the event data section, use the GetPropertyValues() method with an appropriate EventLogPropertySelector to grab the string value, then manually inspect it:
using System;
using System.Diagnostics.Eventing.Reader;

string logName = "Microsoft-Windows-TerminalServices-Gateway";
string queryText = "*[System/EventID=400 ] and *[System/Opcode=2] and *[EventData[Data[@Name='PackageFullName']]]";

// This is the query definition the reader will use to pre-filter event records
var query = new EventLogQuery(logName, PathType.LogName, queryText);

// This is a property selector that we'll be using to extract the event data afterwards
var packageNameSelector = new EventLogPropertySelector(new []{ "Event/EventData/Data[@Name='PackageFullName']" });

using (var reader = new EventLogReader(query))
{
    // Keep reading until ReadEvent() returns null (no more matching events)
    EventLogRecord record;
    while ((record = reader.ReadEvent() as EventLogRecord) is not null)
    {
        // Each record wraps a native handle, so release it once inspected
        using (record)
        {
            // Fetch the package name and inspect before moving ahead
            var propertyValues = record.GetPropertyValues(packageNameSelector);
            // Ordinal comparison keeps the prefix test independent of the current culture
            if (propertyValues.Count > 0 && propertyValues[0] is string pkgName && pkgName.StartsWith("6", StringComparison.Ordinal))
            {
                // matching event, do what you need here
            }
        }
    }
}
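A client-side alternative to the property selector, as an added example that is not part of the original answer: .NET's own XPath 1.0 engine does support starts-with(), so the expression the Event Log service rejects can be evaluated against each event's rendered XML instead. The helper name EventXmlFilter and the sample events are constructed for illustration; note that rendered events carry a default namespace, so every step in the expression needs a prefix.

```csharp
using System;
using System.Xml;
using System.Xml.Linq;
using System.Xml.XPath;

static class EventXmlFilter   // hypothetical helper name
{
    // Namespace present on every rendered event; unprefixed XPath steps will not match it.
    const string EventNs = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Evaluates a boolean XPath 1.0 expression (starts-with(), contains(), ...)
    // against the XML of a single event. Returns false when nothing matches.
    public static bool Matches(string eventXml, string xpath)
    {
        var doc = XDocument.Parse(eventXml);
        var ns = new XmlNamespaceManager(new NameTable());
        ns.AddNamespace("e", EventNs);
        return doc.XPathEvaluate(xpath, ns) is bool hit && hit;
    }

    static void Main()
    {
        // Constructed sample events, shaped like the output of EventRecord.ToXml().
        string Sample(string eventData) =>
            $"<Event xmlns='{EventNs}'><System><EventID>400</EventID>" +
            $"<Opcode>2</Opcode></System>{eventData}</Event>";
        string WithPackage(string pkg) =>
            Sample($"<EventData><Data Name='PackageFullName'>{pkg}</Data></EventData>");

        // The predicate the service-side query cannot express.
        const string filter =
            "boolean(/e:Event/e:EventData/e:Data[@Name='PackageFullName'][starts-with(., '6')])";

        // One matching name, one non-matching name, one event with no EventData at all.
        Console.WriteLine(Matches(WithPackage("6A1B.ExampleApp_1.0.0.0_x64__abc"), filter));
        Console.WriteLine(Matches(WithPackage("Contoso.ExampleApp_1.0.0.0_x64__abc"), filter));
        Console.WriteLine(Matches(Sample(""), filter));
    }
}
```

Inside the reader loop, pass record.ToXml() to Matches after the service-side query has already narrowed the results by EventID and Opcode.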