Filter Winserver 2008 Event Security Log by account name used or user? How

  • Question

  • Hello, I have created a custom view to filter the security log using the following

    <QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=4 or Level=0 or Level=5) and (EventID=4648)]]</Select>
    </Query>
    </QueryList>

    My issue is this. I would like to be able to filter the list so that it displays the events for
    a particular user. I entered the user name in the form domain\user name and also
    just using the user name, but the result of the query is nothing. Nothing displays for
    the event ID 4648.

    If I remove the user name from the query, the filter works ok. I verified there is indeed
    a valid security entry for the user in the log.

    Not sure what to do, as the query seems to have a problem parsing the user name out of
    the logs.

    Thanks, Paul

    Monday, March 14, 2011 7:06 PM

Answers

  • Hi Paul,

    We can specify the User Name by using the following steps:

    1.    Select Filter Current Log, switch to XML tab, change the content as follows:

    <QueryList>
      <Query Id="0" Path="Security">
        <!-- Data names are case-sensitive: the 4648 field is SubjectUserName -->
        <Select Path="Security">*[EventData[Data[@Name='SubjectUserName']='testuser']]</Select>
      </Query>
    </QueryList>

    Note: Change "testuser" to the user name you would like to query.

    2.    Click OK.

    Hope this helps.

    Regards,

    Bruce

    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Bruce-Liu Tuesday, March 29, 2011 5:45 AM
    Wednesday, March 16, 2011 12:35 PM

All replies

  • Hi,

    Have you tried the suggestions? If there is any update about this issue, please let us know.

    Have a nice day!

    Tuesday, March 22, 2011 6:26 AM
  • Hi Bruce

    I came across your answer when faced with the same problem on Windows Small Business Server 2008. In my case I had to use TargetUserName rather than subjectUsername, i.e.

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[EventData[Data[@Name='TargetUserName']='testuser']]</Select>
      </Query>
    </QueryList>

    The query then worked fine.

    Regards

    Nick

    Tuesday, May 31, 2011 5:15 PM
  • How can I add an additional condition, filter by eventid 4776?

    E.g. <Select Path="Security">*[System[(EventID=4776)]]</Select>

    I cannot figure it out :(

    Tuesday, March 11, 2014 9:24 AM
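A combined filter, as an added example that is not part of the thread and not from any of the posters: the "User" box in Filter Current Log matches the event's System/Security UserID, which for Security-log audit events is normally the Local System SID, so the account of interest is only reachable through the EventData fields, and those hold the bare account name with the domain in a separate TargetDomainName field (which is why "domain\user" matched nothing). The query below restricts to both event IDs mentioned in the thread (4648 and 4776) and to one account, and runs it through Get-WinEvent so the same XML can also be pasted into the XML tab. `testuser` is a placeholder, and `$account` and `$xml` are my own variable names.

```powershell
# Added example, not code from the thread. 'testuser' is a placeholder for the bare account
# name (EventData stores 'user' and the domain separately in TargetDomainName, so
# 'DOMAIN\user' never matches); $account and $xml are my own names.
# Run from an elevated PowerShell session: the Security log is not readable otherwise.
$account = 'testuser'

# Data[@Name=...] comparisons are case-sensitive, so the name must be exactly TargetUserName.
# 4648 (logon with explicit credentials) has both SubjectUserName (the account that ran the
# logon) and TargetUserName (the credentials supplied); 4776 (NTLM credential validation)
# has TargetUserName only. Several <Select> elements in one <Query> are OR-ed together.
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4648)] and EventData[Data[@Name='TargetUserName']='$account']]</Select>
    <Select Path="Security">*[System[(EventID=4776)] and EventData[Data[@Name='TargetUserName']='$account']]</Select>
  </Query>
</QueryList>
"@

# The same XML can be pasted into Event Viewer: Filter Current Log > XML > Edit query manually.
# Get-WinEvent prints nothing (and records an error) when no event matches.
Get-WinEvent -FilterXml ([xml]$xml) -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the account fields back out of the event's own XML so the table shows
        # which credentials were used rather than the SYSTEM SID that logged the event.
        $e = [xml]$_.ToXml()
        $target = ($e.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        $domain = ($e.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
        $shown  = if ($domain) { "$domain\$target" } else { $target }   # 4776 has no domain field
        New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Account     = $shown
            Computer    = $_.MachineName
        }
    } | Format-Table TimeCreated, Id, Account, Computer -AutoSize
```

The syntax used (script-block `Where-Object`, `New-Object PSObject`) is deliberately the PowerShell 2.0 form so it runs on a Server 2008 box as well as on current Windows. To filter on the account that initiated a 4648 logon instead of the credentials it supplied, swap `TargetUserName` for `SubjectUserName` in the first `<Select>` only; 4776 has no Subject fields.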