3 May 2018

windows 10 logon/logoff tracking by filtering system events

When I'm late filling in my timesheets, it always is a headache to remember which hours I spent working. My windows event viewer (eventvwr.msc) can be a help but the logs are too crowded.
The events related to logon/logoff are polluted with plenty of events from system services.
So I ventured to create a filter only showing the events relating to my user. This requires XML filtering based on XPATH.

  1.  Create a new custom event view
    1.  right click the security category and select Create Custom View...
    2.  enter the event ID's you want to filter. For logon/logoff these are 4624, 4634 and 4647
      1. You can get the id's by examining your events or from this MSDN page.
UPDATE: I'm often not logging of and this method does not log system sleep. Instead of monitoring logon/logoff I made a new filter that logs By source on event source Power-Troubleshooter. The details in the logs show the time the system went to sleep and woke up. The time in the details are in Zulu time (UTC+0), so they are some hours of from the real time, but given that the event time is correct, this is easy to deal with. The post remains interesting as a general explanation of event filtering, so I just added this update, and did not modify the general procedure
  1. Modify the base filter. 
    1. There is a field for filtering on the user name in the filter definition form, but that did not work. By clicking the XML tab we can edit the XML filter definition. Take care: you will not be able to edit the filter using the graphical user interface anymore after that.
    2. I added user filtering in the XML. This is my filter
    3. <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">
            *[System[( EventID=4624 or EventID=4634 or EventID=4647)] 
              and EventData[Data[@Name='TargetUsername']='jan']]
          </Select>
        </Query>
      </QueryList>
      
    4. I saved the filter and provided a name for the new custom filter. 
  2. We're done
Now you might wonder where I got the name of the field I needed to filter on from.  You can get the XML element names by examining the event in your logs
  1. In eventviewer, pick a logon event of logon type 2. More info on logon events...
  2. Select the event and in the bottom  half of the window you see the details
  3. Select the Details Tab, then the XML view button. This shows you the name/value pairs on which you can filter. I  want to filter on my user, so I'll need the SubjectUserName field.
On this Micorosoft technet page you find more info on XML event filtering.