Filtering Security Logs by User and Logon Type
You're on the right track - one of the mistakes in your query is the space in 'Logon Type', it should just be 'LogonType'.
I pasted a query below that I have just verified works. It's a bit simplified but you get the idea. It shows you all 4624 events with logon type 2, from user 'john.doe'.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[
EventData[Data[@Name='LogonType']='2']
and
EventData[Data[@Name='TargetUserName']='john.doe']
and
System[(EventID='4624')]
]
</Select>
</Query>
</QueryList>
You can find out more about XML queries in the event viewer here: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx.
You can query events from the command line with wevtutil.exe: http://technet.microsoft.com/en-us/magazine/dd310329.aspx.
I found this question and had to do a bit of work to parse together content, from the accepted answer and question updates, to get a functional solution. I figured I'd post a complete, working query syntax here for future reference:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=4624)
and
TimeCreated[timediff(@SystemTime) <= 2592000000]]
and
EventData[Data[@Name='TargetUserName'] and (Data='john.doe')]
and
EventData[Data[@Name='LogonType'] and (Data='10')]]
</Select>
</Query>
</QueryList>
The above query should work to narrow down the events according to the following parameters:
- Events in the Security log.
- With Event ID 6424
- Occurring within the past 30 days.
- Associated with user john.doe.
- With LogonType 10.
You can change the LogonTypes in the filter by altering (Data='10')
in the above code. For example, you might want to do (Data='2')
or (Data='10' or Data='2')
.