- Click “Filter Current Log” on Actions menu.
- Click “XML” tab
- Select “Edit Query manually“
- Paste one of below query and replace “User/Description” with relevant User Name/Description.
<QueryList>
<Query Id=”0″ Path=”Security”>
<Select Path=”Security”>* [EventData[Data[@Name=’subjectUsername’]=’AccountName‘]]</Select>
</Query>
</QueryList>………………………………………………………………………………….
<QueryList>
<Query Id=”0″>
<Select Path=”Security”>
*[EventData[Data[@Name=’SubjectUserName’] and (Data=’description‘)]]
</Select>
</Query>
</QueryList> - Click OK
- To clear the filter click “Clear Filter“
More customized Queries..
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx
Leave a Reply