Eventvwr filtering for a specific user - Windows Server

source:http://social.technet.microsoft.com/Forums/windowsserver/en-US/264b58d9-a512-4a04-a186-31e019786a63/filter-winserver-2008-event-security-log-by-account-name-used-or-user-how

I came across your answer when faced with the same problem on Windows Small Business Server 2008. In my case I had to use TargetUserName rather than subjectUsername. I.e

<QueryList>

  <Query Id="0" Path="Security">

    <Select Path="Security">* [EventData[Data[@Name='TargetUserName']='testuser']]</Select>

  </Query>

</QueryList>

 

The query then worked fine.

source:http://social.technet.microsoft.com/Forums/windowsserver/en-US/264b58d9-a512-4a04-a186-31e019786a63/filter-winserver-2008-event-security-log-by-account-name-used-or-user-how