Windows/EventViewer

Aus SchnallIchNet
Wechseln zu: Navigation, Suche

Filter Event-Log

Filter by username

Get all Logon (4624) and Logoff (4634) Events from Security Eventlog

  1. Filter Current Log
  2. Switch to XML Tab
  3. Tick: 'Edit query manually' checkbox
  4. add the following to the <Select></Select> Tag: and EventData[Data[@Name='TargetUserName']='USERNAME']
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4634)] and EventData[Data[@Name='TargetUserName']='USERNAME']]</Select>
  </Query>
</QueryList>
Von „https://schnallich.net/index.php?title=Windows/EventViewer&oldid=1577