Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

I need help with XML code for Logon and logoff events in Server 2008 within a specific time frame of the last 2 days

Posted on 2015-02-06
4
Medium Priority
?
105 Views
Last Modified: 2015-02-10
I have the first part of the XML code for the Logon for a user for the last 2 days as follows:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4624)
    and
    TimeCreated[timediff(@SystemTime) &lt;= 172800000]]
    and
    EventData[Data[@Name='TargetUserName'] and (Data='USERNAME')]
    and
    EventData[Data[@Name='LogonType'] and (Data='10')]]
    </Select>
  </Query>
</QueryList>

But have not been able to create the XML code to add to obtain the logoff for the user. Any help would be appreciated
0
Comment
Question by:Michael Opalinski
  • 2
  • 2
4 Comments
 
LVL 41

Expert Comment

by:footech
ID: 40595509
So, this appears to be an XPath form for a custom filter of event data.  I believe all you need is the modification as shown below.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4624 or EventID=4647)
    and
    TimeCreated[timediff(@SystemTime) &lt;= 172800000]]
    and
    EventData[Data[@Name='TargetUserName'] and (Data='USERNAME')]
    and
    EventData[Data[@Name='LogonType'] and (Data='10')]]
    </Select>
  </Query>
</QueryList>

Open in new window

0
 

Author Comment

by:Michael Opalinski
ID: 40598276
Sorry, but it still only shows Logon and not logoff with your suggestion.
0
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 40598710
Try 4634 instead of 4647.
0
 

Author Closing Comment

by:Michael Opalinski
ID: 40600614
Worked like a charm. Thank you so much.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Nathan Brom/Bromy2004 Introduction There are numerous websites out there for any different type of program you can imagine.  Of those, you'll need to decide which ones are legitimate and aren't trying to steal your money or infect your comput…
Log files are useful in diagnosing and repairing problems.  This is a list of common log files and their standard locations that I've compiled.   While this is not exhaustive, it is a pretty good list that I've found to be useful.  I may update it f…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question