Solved

I need help with XML code for Logon and logoff events in Server 2008 within a specific time frame of the last 2 days

Posted on 2015-02-06
4
91 Views
Last Modified: 2015-02-10
I have the first part of the XML code for the Logon for a user for the last 2 days as follows:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4624)
    and
    TimeCreated[timediff(@SystemTime) &lt;= 172800000]]
    and
    EventData[Data[@Name='TargetUserName'] and (Data='USERNAME')]
    and
    EventData[Data[@Name='LogonType'] and (Data='10')]]
    </Select>
  </Query>
</QueryList>

But have not been able to create the XML code to add to obtain the logoff for the user. Any help would be appreciated
0
Comment
Question by:mopalinski
  • 2
  • 2
4 Comments
 
LVL 39

Expert Comment

by:footech
ID: 40595509
So, this appears to be an XPath form for a custom filter of event data.  I believe all you need is the modification as shown below.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[(EventID=4624 or EventID=4647)
    and
    TimeCreated[timediff(@SystemTime) &lt;= 172800000]]
    and
    EventData[Data[@Name='TargetUserName'] and (Data='USERNAME')]
    and
    EventData[Data[@Name='LogonType'] and (Data='10')]]
    </Select>
  </Query>
</QueryList>

Open in new window

0
 

Author Comment

by:mopalinski
ID: 40598276
Sorry, but it still only shows Logon and not logoff with your suggestion.
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 40598710
Try 4634 instead of 4647.
0
 

Author Closing Comment

by:mopalinski
ID: 40600614
Worked like a charm. Thank you so much.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction: I have always been a big fan of Windows but my liking towards it is slowly being eroded by the variety of other Applications that I encounter, when I browse the Web. Most of the software available is free and maybe Open Source too. …
Many times while working on a computer regardless of any Operating System, lag and crashes seem to creep in, hindering your working speed. Sometimes, it can also cause your work to be lost unexpectedly and as a result, you are unable to meet your de…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now