I am in charge of a server that needs to collect logon/logoff security logs from various workstations.
I looked in a couple of books lying around and found a VBS script. However, the script backs up everything; I need to narrow it down to only a specific user and only event ID 528 or 551.
The script is below. How can it be modified to be more specific, or is there another script that can do what I need?
On Error Resume Next
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent")
Set FSO = CreateObject("Scripting.FileSystemObject")
Set txt = FSO.CreateTextFile("C:\Scriptfiles\vbs\text.txt", True)
For each Entry in EventLog
    If Len(Entry.Message) > 0 Then
        ' Flatten the message: line feeds become spaces, carriage returns are dropped,
        ' so that each event stays on a single line of the output file
        For x = 1 to Len(Entry.Message)
            Char = Mid(Entry.Message,x,1)
            If Asc(Char) = 10 Then
                MSG = MSG & " "
            ElseIf Asc(Char) <> 13 Then
                MSG = MSG & Char
            End If
        Next
        ' TimeGenerated is a CIM datetime string (yyyymmddHHMMSS...); pick the fields apart
        EDate = Mid(Entry.TimeGenerated,5,2) & "/" & _
                Mid(Entry.TimeGenerated,7,2) & "/" & _
                Mid(Entry.TimeGenerated,1,4)
        ETime = Mid(Entry.TimeGenerated,9,2) & ":" & _
                Mid(Entry.TimeGenerated,11,2) & ":" & _
                Mid(Entry.TimeGenerated,13,2)
        ETime = FormatDateTime(ETime,3)
        If IsNull(Entry.User) Then
            User = "N/A"
        Else
            User = Entry.User
        End If
        If IsNull(Entry.CategoryString) Then
            Category = "none"
        Else
            Category = Entry.CategoryString
        End If
        ' One tab-separated record per event
        EVT = Entry.LogFile & VBtab & _
              Entry.Type & VBtab & _
              EDate & VBtab & _
              ETime & VBTab & _
              Entry.SourceName & VBtab & _
              Category & VBtab & _
              Entry.EventCode & VBtab & _
              User & VBtab & _
              Entry.ComputerName & VBtab & _
              MSG
        txt.writeline EVT
        EVT = Null
        Char = Null
        MSG = Null
    End If
Next
txt.close
Wscript.echo "Done"
Just replace the second line of your script with the following line:
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent where (EventCode=7036 Or EventCode=7035) And User='exact_user_name' ")
Member_2_4512246
Disregard the previous comment. I typed the wrong error codes (I just used them to test the solution).
The main idea is the same.
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent where (EventCode=528 Or EventCode=551) And User='exact_user_name' ")
Pay attention to the exact_user_name. If it is in the form Domain\User or Computer\User, then you'll have to write it with a double slash, like 'Domain\\User'.
For additional fields available for filtering, take a look at http://msdn.microsoft.com/en-us/library/aa394226(VS.85).aspx
pzozulka
ASKER
Hey, thanks for your response. The text output file is empty, no data inside. Without making alterations the script runs fine, when I change the second line to the below it runs fine:
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent where logfile = 'Application'")
But when I change it to the below, it makes an empty output txt file:
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent where logfile = 'Security'")
I tried running the script with your alterations and it also makes the output file blank.
Member_2_4512246
The output file is empty when there are no records matching the search criteria.
Please verify that you have records matching your where clause.
Do you have any records in the security log?
Ok.
Let's try a slightly different approach. In this version there is no filtering in the select statement.
Instead, all the filtering is done in the for loop. To make the code more readable I've restructured it and also added some informational printouts to see what's going on.
Please pay attention that the On Error Resume Next directive is commented out.
This is to prevent silent skipping over the errors.
Just replace Your_User_Name with the real one and give it a try.
'On Error Resume Next
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent")
if EventLog.Count=0 Then
    Wscript.echo "No Records Found"
else
    Wscript.echo "Found " & EventLog.Count & " records"
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set txt = FSO.CreateTextFile("C:\text.txt", True)
    i=0
    For each Entry in EventLog
        ' Filtering is done here rather than in the WQL query
        If Not IsNull(Entry.User) And InStr(Entry.User,"Your_User_Name") AND (Entry.EventCode=528 Or Entry.EventCode=551) then
            SaveRecord Entry
            i=i+1
        end if
    next
    Wscript.echo "Added to file " & i & " records"
    txt.close
end if
Wscript.echo "Done"

' Writes one tab-separated line for the given event record
sub SaveRecord (Entry)
    If Len(Entry.Message) > 0 Then
        For x = 1 to Len(Entry.Message)
            Char = Mid(Entry.Message,x,1)
            If Asc(Char) = 10 Then
                MSG = MSG & " "
            ElseIf Asc(Char) <> 13 Then
                MSG = MSG & Char
            End If
        Next
        EDate = Mid(Entry.TimeGenerated,5,2) & "/" & _
                Mid(Entry.TimeGenerated,7,2) & "/" & _
                Mid(Entry.TimeGenerated,1,4)
        ETime = Mid(Entry.TimeGenerated,9,2) & ":" & _
                Mid(Entry.TimeGenerated,11,2) & ":" & _
                Mid(Entry.TimeGenerated,13,2)
        ETime = FormatDateTime(ETime,3)
        If IsNull(Entry.User) Then
            User = "N/A"
        Else
            User = Entry.User
        End If
        If IsNull(Entry.CategoryString) Then
            Category = "none"
        Else
            Category = Entry.CategoryString
        End If
        EVT = Entry.LogFile & VBtab & _
              Entry.Type & VBtab & _
              EDate & VBtab & _
              ETime & VBTab & _
              Entry.SourceName & VBtab & _
              Category & VBtab & _
              Entry.EventCode & VBtab & _
              User & VBtab & _
              Entry.ComputerName & VBtab & _
              MSG
        txt.writeline EVT
        EVT = Null
        Char = Null
        MSG = Null
    End If
end sub
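Putting the two answers above together (the WQL filter on EventCode from the first, and the in-loop filtering with On Error Resume Next disabled from the second), the following is an added example and not code posted in this thread. It adds two things the thread does not mention: the (Security) privilege in the WMI moniker, which enables SeSecurityPrivilege for the connection and is what the WMI event log provider needs to open the Security log (without it the provider cannot read that log, and with On Error Resume Next in effect the failure is invisible and the output file is simply empty), and matching the account against the event's insertion strings rather than the record-header User property. The domain CONTOSO, the user jdoe, the output path and the assumed insertion-string order are illustration values, not from the thread.

```vbscript
' Added example, not from the thread: export logon (528) / logoff (551)
' events for one account from the Security log to a tab-separated file.
' Assumed values (change for your environment): the target account
' CONTOSO\jdoe, the local machine ".", and the output path below.
Option Explicit

Dim strComputer, strDomain, strUser, strOutFile
strComputer = "."
strDomain   = "CONTOSO"
strUser     = "jdoe"
strOutFile  = "C:\Scriptfiles\vbs\logon.txt"

' (Security) enables SeSecurityPrivilege for this connection; the WMI event
' log provider needs it to open the Security log. There is no On Error
' Resume Next, so an access-denied or bad-query error stops the script
' instead of silently producing an empty file.
Dim objWMI, colEvents, objEvent, strQuery
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & _
                       strComputer & "\root\cimv2")

' Filter in WQL on the log and event IDs so WMI does not return every record.
' If you also filter on User in WQL, a literal backslash must be doubled,
' e.g. User='CONTOSO\\jdoe'.
strQuery = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' " & _
           "AND (EventCode=528 OR EventCode=551)"
Set colEvents = objWMI.ExecQuery(strQuery)

Dim objFSO, objOut, nSeen, nKept
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOut = objFSO.CreateTextFile(strOutFile, True)
objOut.WriteLine "Time" & vbTab & "EventID" & vbTab & "Account" & vbTab & "Computer" & vbTab & "Message"

nSeen = 0
nKept = 0
For Each objEvent In colEvents
    nSeen = nSeen + 1
    If StrComp(AccountFromRecord(objEvent), strDomain & "\" & strUser, vbTextCompare) = 0 Then
        objOut.WriteLine FormatRecord(objEvent)
        nKept = nKept + 1
    End If
Next
objOut.Close
WScript.Echo "Scanned " & nSeen & " logon/logoff records, wrote " & nKept & " for " & strDomain & "\" & strUser

' The record-header User property is not reliably the account that logged on.
' For 528 and 551 the account is carried in the insertion strings; this
' assumes the usual order (1 = user name, 2 = domain). Check one record's
' Message text against its InsertionStrings before relying on it.
Function AccountFromRecord(objEvent)
    AccountFromRecord = "N/A"
    If IsNull(objEvent.InsertionStrings) Then Exit Function
    If UBound(objEvent.InsertionStrings) < 1 Then Exit Function
    AccountFromRecord = objEvent.InsertionStrings(1) & "\" & objEvent.InsertionStrings(0)
End Function

' One line per record: SWbemDateTime converts the CIM timestamp to local time,
' and CR/LF in the message are flattened so the file stays one record per line.
Function FormatRecord(objEvent)
    Dim objTime, strMsg
    Set objTime = CreateObject("WbemScripting.SWbemDateTime")
    objTime.Value = objEvent.TimeGenerated
    strMsg = ""
    If Not IsNull(objEvent.Message) Then
        strMsg = Replace(Replace(objEvent.Message, vbCrLf, " "), vbLf, " ")
    End If
    FormatRecord = objTime.GetVarDate(True) & vbTab & objEvent.EventCode & vbTab & _
                   AccountFromRecord(objEvent) & vbTab & objEvent.ComputerName & vbTab & strMsg
End Function
```

Run it with cscript.exe from an account that is allowed to read the Security log (a local administrator, or one holding the "Manage auditing and security log" user right, which is SeSecurityPrivilege). The (Security) clause only enables a privilege the account already holds; it does not grant it. Event IDs 528 and 551 are the pre-Vista IDs; on Windows Vista / Server 2008 and later the same events are logged as 4624 (successful logon) and 4647 (user-initiated logoff), so the filter has to change there.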
Set EventLog = GetObject("winmgmts:{imper