Today, for a little investigation, I wanted to find all the logged events for a particular user in my Windows Active Directory domain. I tried the basic log filtering option, but it could not give me the logs I needed, so I looked for a way to find all the logs for a user.
To do this I used the XML query feature of Event Viewer. Believe me, it is an amazing tool, guys: you can find anything you want from Active Directory if you know how to query it.
First of all you need to open the event viewer.
Right-click on the Custom Views folder and select Create Custom View.
In the popup window, switch to the XML tab and then tick the bottom check box as depicted below.
Here you need to write the query that pulls the required events from the log. Below is the query I used to obtain all events about a particular user. Don't worry, after it I will give you a tip to easily write this query.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='TargetUserName'] and (Data='Randika')]]
    </Select>
  </Query>
</QueryList>
Now click OK. In the next window, give a name and a location to save the view.
Now, inside your selected location (in my case, Custom Views), you can see your newly created event filter profile.
It is easy, except for writing the query, isn't it? You might wonder how I know the way to request the data.
It is easy, guys. First select a similar event type and open its Properties. Then switch to the Details tab and select the XML radio button. Here you can see all the XML data names; you just need to replace the xyz part of Name='xyz' with the data field name, and put the value you are looking for in Data=' '.
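The same filter can be run from PowerShell instead of clicking through a Custom View, which is handy when you want to repeat the search or run it against several machines. This is an added example, not from the original post: it uses Get-WinEvent -FilterXml with the post's query, binds the value directly to the named field (the original pattern `Data[@Name='TargetUserName'] and (Data='Randika')` also matches when any other Data field equals the name), and additionally matches the user as the actor via SubjectUserName. The account name 'Randika' is the post's sample value; the parameter names and the output columns are mine.

```powershell
# Added example (not part of the original post): query the Security log for all
# events where the user is the target or the actor, using the Event Viewer
# XPath subset. Assumes you can read the Security log on the target host
# (run elevated; for a remote host, the Remote Event Log Management firewall
# rule must allow it).
param(
    [string]$UserName     = 'Randika',              # sample value from the post
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$MaxEvents       = 50
)

# Same query shape as the Custom View, with straight quotes: smart quotes
# copied from a web page make Event Viewer reject the XML.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[
          (Data[@Name='TargetUserName']='$UserName')
          or (Data[@Name='SubjectUserName']='$UserName')
      ]]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -ComputerName $ComputerName -FilterXml $query `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No Security events for '$UserName' on $ComputerName"
    return
}

# Pull the named EventData fields out of each event's XML so the output is
# readable; LogonType and IpAddress are empty for events that do not carry them.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Target    = $data['TargetUserName']
        Subject   = $data['SubjectUserName']
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']
    }
} | Format-Table -AutoSize
```

The XML fields you see in the script are exactly the ones shown on the Details tab, so the tip above for building the query applies unchanged here.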
If you want any further explanation about my guide, please ask in the comment area.
Hope this helped.