Hello, I have created a custom view to filter the security log using the following
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(Level=4 or Level=0 or Level=5) and (EventID=4648)]]</Select>
</Query>
</QueryList>
My issue is this. I would like to be able to filter the list so that it displays the events for
a particular user. I entered the user name in the form domain\user name and also
just using the user name but the result of of the query is nothing. Nothing desplays for
the event ID 4648.
If I remove the user name from the query, the filter works ok. I verified there is indeed
a valid security entry for the user in the log.
Not sure what to do as the query seems to have a problem parsing the user name out of
logs
Thanks Paul