inital

log-analysis/win-event-log/logon-logoff.md

@@ -0,0 +1,12 @@
+Windows Event Log Filter
+
+```
+<QueryList>
+  <Query Id="0" Path="Security">
+    <Select Path="Security">*[System[EventID=4624] and EventData[Data [@Name='TargetUserName'] = 'YourUserName']]</Select>
+  </Query>
+  <Query Id="0" Path="Security">
+    <Select Path="Security">*[System[EventID=4634] and EventData[Data [@Name='TargetUserName'] = 'YourUserName']]</Select>
+  </Query>
+</QueryList>
+```