
Event Log Filters

Unless specified otherwise, these are simply the event IDs to include.

System

  • Reboot history: System log, event IDs 41, 1074, 1076, 6008
  • Sleep history: [Event sources = Kernel-Power, Power-Troubleshooting] and [Event IDs = 1, 42]

Remote Logins

All Remote Logins

<QueryList>
  <Query Id="0" Path="Security">
    <!-- 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP / Terminal Services).
         Data names are case-sensitive, and name and value are tested on the same element. -->
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>

Remote Logins for a specific user

<QueryList>
  <Query Id="0" Path="Security">
    <!-- As above, restricted to one account (TargetUserName). -->
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[Data[@Name='LogonType']='10']]
      and *[EventData[Data[@Name='TargetUserName']='Judith.Turner']]
    </Select>
  </Query>
</QueryList>
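To run the per-user filter outside Event Viewer, here is an added PowerShell example (not from the original page) that feeds the same query to Get-WinEvent, limits it to the last N days with the Windows Event Log timediff() XPath function, and reads the user, source address and logon type out of each event's XML. The account name and target computer are placeholders.

```powershell
# Added example: run the "remote logins for a specific user" filter from PowerShell.
# Assumes rights to read the Security log (run elevated) and, for a remote box,
# that the Remote Event Log Management firewall rule is enabled.
param(
    [string]$User     = 'Judith.Turner',      # placeholder account name
    [string]$Computer = $env:COMPUTERNAME,    # placeholder; defaults to the local machine
    [int]$Days        = 7
)

$ms = $Days * 24 * 60 * 60 * 1000   # timediff() compares in milliseconds

# Same XPath as the wiki, with name and value tested on one Data element
# (Data[@Name='LogonType']='10'), and a time window added in the System section.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and *[EventData[Data[@Name='LogonType']='10']]
      and *[EventData[Data[@Name='TargetUserName']='$User']]
    </Select>
  </Query>
</QueryList>
"@

try {
    $events = Get-WinEvent -ComputerName $Computer -FilterXml $query -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as an empty result set.
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

foreach ($e in $events) {
    # The EventData fields are easiest to read from the event's XML form.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        SourceIP  = $d['IpAddress']
        LogonType = $d['LogonType']
        Computer  = $e.MachineName
    }
}
```

Pipe the output to Export-Csv or Sort-Object Time to keep a record of who reached the server over RDP and from where.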

Old code?

I used to use the following code, which may still be useful on older servers.

Note, however, that Windows 2000 (that is, before XP) does not use logon type 10; Terminal Services logons there are reported as logon type 2.

Logon Type Codes Revealed - TechGenix

<QueryList>
  <Query Id="0" Path="Security">
    <!-- Matches LogonType 2 (Interactive, used by Windows 2000 Terminal Services) as well as 10. -->
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>

Application Crashing

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(EventID=1000)]] and *[EventData[Data='OUTLOOK.EXE']]</Select>
  </Query>
</QueryList>

Hyper-V Replication Failed

Event IDs 32022, 32315 in the Microsoft-Windows-Hyper-V-VMMS/Admin log

event_log_filters.txt · Last modified: 2018/05/02 16:54 by Dan Mundy