Find a specific user events in Windows Security Logs

Event searching in windows security logs is too difficult, because of there are too many events in a short time.

To overcome this issue we must use “Filer Current Log” in the action menu. But options in the filter windows is not enough, if you want to filter security event logs by User . (User option in Filter Window is useless for our concern)

So what can we do?

We can use XML tab of “Filter current log” window:

 

 

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[
 EventData[Data[@Name='TargetUserName']='admtest']]</Select>
  </Query>
</QueryList>

If you want to find user events for a spesific event id (for example “Logons”), you can use code below;

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[System[(EventID='4624')]
     and
     EventData[Data[@Name='TargetUserName']='admtest']
     ] 
    </Select>
  </Query>
</QueryList>

Source: https://serverfault.com/questions/571732/filtering-security-logs-by-user-and-logon-type

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.