Filter Winserver 2008 Event Security Log by account name used or user? How
Hello, I have created a custom view to filter the security log using the following:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=4 or Level=0 or Level=5) and (EventID=4648)]]</Select>
  </Query>
</QueryList>

My issue is this. I would like to be able to filter the list so that it displays the events for a particular user. I entered the user name in the form domain\user name and also just using the user name, but the result of the query is nothing. Nothing displays for the event ID 4648. If I remove the user name from the query, the filter works OK. I verified there is indeed a valid security entry for the user in the log. Not sure what to do, as the query seems to have a problem parsing the user name out of the logs.

Thanks
Paul
March 14th, 2011 10:06pm

Hi Paul,

We can specify the User Name by using the following steps:

1. Select Filter Current Log, switch to the XML tab, and change the content as follows:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">* [EventData[Data[@Name='subjectUsername']='testuser']]</Select>
  </Query>
</QueryList>

Note: Change "testuser" to the user name you would like to query.

2. Click OK.

Hope this helps.

Regards,
Bruce

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 16th, 2011 3:35pm

Hi, Have you tried the suggestions? If there is any update about this issue, please let us know. Have a nice day!
March 22nd, 2011 9:26am

Hi Bruce,

I came across your answer when faced with the same problem on Windows Small Business Server 2008. In my case I had to use TargetUserName rather than subjectUsername, i.e.:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">* [EventData[Data[@Name='TargetUserName']='testuser']]</Select>
  </Query>
</QueryList>

The query then worked fine.

Regards
Nick
May 31st, 2011 8:15pm
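
The two answers above differ only in which `Data` field of the event they match. As an added example (not code from the thread; the function names `New-Logon4648Query` and `Get-Logon4648` are hypothetical), this PowerShell builds a filter that matches event 4648 on either `SubjectUserName` or `TargetUserName`, using the field names as they are spelled in the event XML, and lists both sides of each hit. These fields hold the bare account name; the domain is stored separately in `SubjectDomainName` and `TargetDomainName`.

```powershell
# Added example: build the Event Viewer XML filter for event 4648 and run it.
function New-Logon4648Query {
    param([Parameter(Mandatory = $true)][string]$UserName)

    # The name is pasted into an XPath string literal inside XML, so refuse
    # characters that would break out of either (and a domain\ prefix).
    if ($UserName -match '[''"<>&\\]') {
        throw "Use the bare account name (no domain prefix, quotes or markup): $UserName"
    }

    return @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4648)]]
      and
      *[EventData[Data[@Name='SubjectUserName']='$UserName' or Data[@Name='TargetUserName']='$UserName']]
    </Select>
  </Query>
</QueryList>
"@
}

function Get-Logon4648 {
    param([Parameter(Mandatory = $true)][string]$UserName)

    $query = [xml](New-Logon4648Query -UserName $UserName)
    Get-WinEvent -FilterXml $query | ForEach-Object {
        # Index the named <Data> fields so subject and target are both visible.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            Subject     = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
            Target      = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
            Server      = $fields['TargetServerName']
            Process     = $fields['ProcessName']
        }
    }
}

# 'testuser' is the placeholder account name used in the thread.
Get-Logon4648 -UserName 'testuser' | Format-Table -AutoSize
```

Reading the Security log requires an elevated session. The string returned by `New-Logon4648Query` can also be pasted into the XML tab of Filter Current Log.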

This topic is archived. No further replies will be accepted.
