Monday, November 14, 2011

Server 2008 Event Log Filter by XML for a Username

Issue: Customer presented us with a Server running 2008 and wanted to filter the logs for events associated to a user.  When you use the same method as Server 2003 you get no results.

Solution: We had to migrate to use the XML Filtering.
  1. within the Security Event Log, click "Filter Current Log..." on the right
  2. Click the XML tab at the top
  3. Click (X) Edit query manually
  4. Replace the select line:     <Select Path="Security">*</Select>
  5. With this line (where %username% is the account you want):    <Select Path="Security">* [EventData[Data[@Name='TargetUserName']='%username%']]</Select>