I was trying to filter events on a DC to check for NTLM & Kerberos authentication. There are limitations using basic filtering.
I can use XML filtering and Custom Views. Custom Views using XML filtering are a powerful way to drill through event logs and only display the information you need. With Custom Views, you can filter on data in the event. To create a Custom View based on the username, right-click Custom Views in the Event Viewer and choose Create Custom View.
Click the XML tab, and check Edit query manually. Click OK on the warning popup. In this window, you can type an XML query. For this example, we want to filter by AuthenticationPackageName, so the XML query is:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="AuthenticationPackageName"] = "NTLM"] and System[(EventID=4624)]]</Select>
  </Query>
</QueryList>

The same query for Kerberos:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="AuthenticationPackageName"] = "Kerberos"] and System[(EventID=4624)]]</Select>
  </Query>
</QueryList>
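
The NTLM query above can also be run outside Event Viewer and summarized, which shows which accounts and source machines still log on with NTLM. This is an added example, not part of the original post; it reads the standard 4624 EventData fields (TargetUserName, TargetDomainName, LogonType, LmPackageName, WorkstationName, IpAddress), and the 5000-event cap is an assumption.

```powershell
# Added example: the same filter as the Custom View, run through Get-WinEvent.
# Run in an elevated session on the DC; reading the Security log requires it.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="AuthenticationPackageName"] = "NTLM"] and System[(EventID=4624)]]</Select>
  </Query>
</QueryList>
'@

# -MaxEvents 5000 is an assumed cap to keep the query quick on a busy DC.
$events = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 5000 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Turn the EventData <Data Name="..."> elements into a name/value lookup.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        Package     = $data['AuthenticationPackageName']
        NtlmVersion = $data['LmPackageName']   # e.g. "NTLM V1" or "NTLM V2"
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
    }
}

# Accounts and sources that still authenticate with NTLM, most frequent first.
$rows |
    Group-Object Account, Workstation, SourceIp, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

Changing "NTLM" to "Kerberos" in the Select line gives the matching Kerberos summary; LmPackageName is only populated for NTLM logons.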