Security Log – Specific User logon
Filters logon and logoff events for a specific user. The events are recorded on the target client machine.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[
      System[(EventID=4634 or EventID=4624)] and
      EventData[
        Data[@Name='LogonType']='10' or
        Data[@Name='LogonType']='2'
      ] and
      EventData[Data[@Name='TargetUserName']='some-user-name']
    ]
    </Select>
  </Query>
</QueryList>
Explanation

| EventID | Description |
| --- | --- |
| 4624 | Logon |
| 4634 | Logoff |

| LogonType | Description |
| --- | --- |
| 2 | Console |
| 10 | Remote Desktop |

Security Log – Account Locked Out
Filters account lockout events to find the lockout “source”. The events are recorded on domain controllers.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[
      System[(EventID=4740)] and
      EventData[Data[@Name='TargetUserName']='some-user-name']
    ]
    </Select>
  </Query>
</QueryList>
Double-click the event to see its details. The “source computer” is shown in the Additional Information > Caller Computer Name field.
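
The lockout filter can also be run from PowerShell with Get-WinEvent, which lists the source machine for every lockout without opening each event by hand. This is an added example, not part of the original page; the parameter names `$UserName` and `$DomainController` are assumptions, and the script reads the Caller Computer Name from the `TargetDomainName` data field of event 4740.

```powershell
# Added example (not from the original page). Run elevated; reading the Security log requires it.
param(
    [string]$UserName = 'some-user-name',             # placeholder used on the page
    [string]$DomainController = $env:COMPUTERNAME     # assumption: a DC you can query
)

# The name is spliced into an XPath string literal, so refuse characters that could break out of it.
if ($UserName -match "['\[\]<>&]") { throw "Unexpected character in user name: $UserName" }

# Same filter as the Event Viewer lockout query.
$filter = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[
      System[(EventID=4740)] and
      EventData[Data[@Name='TargetUserName']='$UserName']
    ]</Select>
  </Query>
</QueryList>
"@

try {
    $events = Get-WinEvent -ComputerName $DomainController -FilterXml $filter -ErrorAction Stop
} catch {
    # Get-WinEvent reports "no matches" as an error; anything else (access denied, RPC) is rethrown.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() } else { throw }
}

$events | ForEach-Object {
    # Index the EventData fields by name instead of relying on their position.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated    = $_.TimeCreated
        LockedAccount  = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']   # 4740 carries Caller Computer Name here
        LoggedOn       = $_.MachineName              # the DC that recorded the event
    }
} | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Repeated lockouts from the same `CallerComputer` usually point at a stale saved credential on that machine, so start the investigation there.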