Find a Specific User's Events in Windows Security Logs

Searching for events in the Windows Security log is difficult because so many events are recorded in a short time.

To overcome this, we use “Filter Current Log” in the Action menu. But the options in the filter window are not enough if you want to filter Security log events by user. (The User option in the filter window is useless for our purpose.)

So what can we do?

We can use the XML tab of the “Filter Current Log” window:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[EventData[Data[@Name='TargetUserName']='admtest']]
    </Select>
  </Query>
</QueryList>

If you want to find a user's events for a specific event ID (for example, logons), you can use the query below:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[System[(EventID='4624')]
     and
     EventData[Data[@Name='TargetUserName']='admtest']
     ] 
    </Select>
  </Query>
</QueryList>

Source: https://serverfault.com/questions/571732/filtering-security-logs-by-user-and-logon-type
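
The same two filters can also be run from PowerShell with Get-WinEvent -FilterXml, which makes it easy to change the user or event IDs and to see the logon type and source address of each hit. This is an added example, not part of the original post; the function name Get-UserSecurityEvent and its parameters are hypothetical, and it assumes an elevated session on the machine whose Security log is being read.

```powershell
# Added example: builds the same XML query as above and runs it.
function Get-UserSecurityEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.\-$ ]+$')]   # reject quotes/brackets that would break the XPath
        [string]$UserName,

        [int[]]$EventId = @(),               # empty = all event IDs for this user

        [int]$MaxEvents = 200
    )

    # Same predicate that is typed into the XML tab of "Filter Current Log"
    $conditions = @("EventData[Data[@Name='TargetUserName']='$UserName']")
    if ($EventId.Count -gt 0) {
        $ids = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
        $conditions = @("System[($ids)]") + $conditions
    }
    $xpath = $conditions -join ' and '

    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[$xpath]</Select>
  </Query>
</QueryList>
"@

    Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents | ForEach-Object {
        # Flatten <EventData><Data Name="..."> into a name/value table
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            User        = $data['TargetUserName']
            LogonType   = $data['LogonType']    # only present on logon events
            IpAddress   = $data['IpAddress']
        }
    }
}

# Successful (4624) and failed (4625) logons for the account used in the post
Get-UserSecurityEvent -UserName 'admtest' -EventId 4624, 4625 | Format-Table -AutoSize
```

Get-WinEvent reports "No events were found" as an error when nothing matches, so an empty result for a valid account shows up as that message rather than an empty table.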

 


Disable TRIM if quick format takes a long time

If your storage and OS support TRIM, a quick format can take a long time.

In that case, you can disable TRIM before formatting and enable it again afterwards.

For Windows:

Disable trim command:

fsutil behavior set disabledeletenotify 1

To enable again:

fsutil behavior set disabledeletenotify 0

Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior

For Linux:

If you are formatting with XFS, you can use the -K option of mkfs.xfs, which skips discarding blocks at mkfs time, for example:

mkfs.xfs -f -K -L disk_label /dev/mapper/mpatha1