[THIN] Audit login/logoff for 1 user

  • From: Angela <angela_smith9@xxxxxxxxxxx>
  • To: "thin@xxxxxxxxxxxxx" <thin@xxxxxxxxxxxxx>
  • Date: Sat, 25 Oct 2014 14:10:24 +1100

Hi 



Does anyone know a
way to interrogate Event Viewer to get login/logoff details for a specific user
account (local account) in Windows 2008?.  I created a Custom View using a
XML filter in Event Viewer with the following: 



<QueryList> 

  <Query
Id="0" Path="Security"> 

   
<Select Path="Security"> 

   
*[System[(EventID=4624) 

    and 

   
TimeCreated[timediff(@SystemTime) &lt;= 2592000000]] 

    and 

   
EventData[Data[@Name='TargetUserName'] and (Data='UserAccount')] 

    and 

   
EventData[Data[@Name='LogonType'] and (Data='10')]] 

   
</Select> 

  </Query> 

</QueryList>



This works for logon
info but cannot incorporate the logoff code as I get syntax errors.  Has
anyone performed this?  

Thanks                                            

Other related posts: