Filtering Security Logs by User and Logon Type

Solution 1:

You're on the right track - one of the mistakes in your query is the space in 'Logon Type', it should just be 'LogonType'.

I pasted a query below that I have just verified works. It's a bit simplified but you get the idea. It shows you all 4624 events with logon type 2, from user 'john.doe'.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[
        EventData[Data[@Name='LogonType']='2']
        and
        EventData[Data[@Name='TargetUserName']='john.doe']
        and
        System[(EventID='4624')]
      ] 
    </Select>
  </Query>
</QueryList>

You can find out more about XML queries in the event viewer here: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx.

You can query events from the command line with wevtutil.exe: http://technet.microsoft.com/en-us/magazine/dd310329.aspx.

Solution 2:

I found this question and had to do a bit of work to parse together content, from the accepted answer and question updates, to get a functional solution. I figured I'd post a complete, working query syntax here for future reference:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4624)
    and
    TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]
    and
    EventData[Data[@Name='TargetUserName'] and (Data='john.doe')]
    and
    EventData[Data[@Name='LogonType'] and (Data='10')]]
    </Select>
  </Query>
</QueryList>

The above query should work to narrow down the events according to the following parameters:

• Events in the Security log.
• With Event ID 6424
• Occurring within the past 30 days.
• Associated with user john.doe.
• With LogonType 10.

You can change the LogonTypes in the filter by altering (Data='10') in the above code. For example, you might want to do (Data='2') or (Data='10' or Data='2').