IT BS Help

Windows Event Logs – Filter For User Logon And Logoff

in Servers

From the Actions menu on the right select “Filter Current Log”

– Select the XML Tab and tick the “Edit query manually”

 

The script below will list all list all local and remote (i.e. via RDP) logins made by the administrator in the “DOMAIN” domain for the last 30 days

To use just replace “DOMAIN” with your domain and replace “administrator” with the username of the person you want to check.

 

<QueryList>
<Query Id=”0″ Path=”Security”>
<Select Path=”Security”>
*[System[(EventID=4624 or EventID=4634)
and
TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]
and
EventData[Data[@Name=’TargetDomainName’] and (Data=’DOMAIN’)]
and
EventData[Data[@Name=’LogonType’] and (Data=’10’ or Data=’2′)]
and
EventData[Data[@Name=’TargetUserName’] and (Data=’administrator’)]]
</Select>
</Query>
</QueryList>

 

 

NOTES:

EventID 4624 = Logon

EventID 4634 = Logoff

LogonType 2 = Local Login

LogonType 10 = Remote Login e.g. RDP

2592000000 is the number of milliseconds in 30 days

0