Windows Event Logs – Filter events by users involved

Created – July 6th, 2018 by Ian Thieves

The default custom view filter, when used to search for users, does not find users that appear in fields named something other than account name.

To find users in other fields of other events, you must use XPath queries.

When creating the custom view, go to the XML tab, select “Edit query manually”, and enter a query like this:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='TargetUserName']='USERNAME HERE']]</Select>
  </Query>
</QueryList>
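The same filter can be run from PowerShell and widened to more than one named field. This is an added example, not part of the original post: the function names, the `SubjectUserName` field choice and the sample user `jdoe` are assumptions, so adjust the field list to the event IDs you care about.

```powershell
# Added example. Reading the Security log requires an elevated session
# or membership in the Event Log Readers group.

function New-UserXPath {
    param(
        [Parameter(Mandatory)][string]$UserName,
        # Named EventData fields to test; SubjectUserName is an assumed extra field.
        [string[]]$Fields = @('TargetUserName', 'SubjectUserName')
    )
    # The value is placed inside a quoted XPath literal, so refuse quote characters.
    if ($UserName -match '[''"]') { throw 'User name must not contain quotes.' }
    $tests = $Fields | ForEach-Object { "Data[@Name='$_']='$UserName'" }
    '*[EventData[' + ($tests -join ' or ') + ']]'
}

function Get-UserSecurityEvent {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string[]]$Fields = @('TargetUserName', 'SubjectUserName'),
        [int]$MaxEvents = 200
    )
    $xpath = New-UserXPath -UserName $UserName -Fields $Fields
    # Note: Get-WinEvent writes an error when no event matches the filter.
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents |
        ForEach-Object {
            $evt  = $_
            $data = ([xml]$evt.ToXml()).Event.EventData.Data
            # Work out which named field(s) actually carried the user name.
            $hits = $data | Where-Object { $_.Name -in $Fields -and $_.'#text' -eq $UserName }
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                EventId     = $evt.Id
                MatchedIn   = ($hits | ForEach-Object { $_.Name }) -join ','
            }
        }
}

# Constructed sample user name.
Get-UserSecurityEvent -UserName 'jdoe' | Format-Table -AutoSize
```

The `MatchedIn` column shows whether the account was the target or the subject of each event, which the single-field query above cannot distinguish.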