In Windows, the Event Viewer is used to look at all the logs the OS has generated. On a local machine, even without much filtering, it is not hard to find what you need. This is not the case when looking through logs on a Domain Controller or Exchange server.
The default options for filtering the logs are limited and do not provide much functionality. Using XML filters is the way to go. These examples filter the Security log.
In Event Viewer, create a "Custom View".
Go to the XML tab and select "Edit Query Manually".
Select Yes for the popup.
We can now make our custom query. If you want to filter by the Subject User Name, use this:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='SubjectUserName']='user1']]
</Select>
</Query>
</QueryList>
Sometimes you will get an error. If you do, copy the query into Notepad and be sure to re-enter the quotation marks (') as they are sometimes not formatted correctly.
Similar to the above, it can be useful to search by Target User Name:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='TargetUserName']='user1']]
</Select>
</Query>
</QueryList>
If you want to filter by a specific Event ID use:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID='4625')]]
</Select>
</Query>
</QueryList>
We can also combine the above filters for an even more specific search:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='SubjectUserName']='user1']]
and
*[System[(EventID='4625')]]
</Select>
</Query>
</QueryList>
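The two ways of writing a user-name predicate are not equivalent: Data[@Name='SubjectUserName'] and (Data='user1') is satisfied when the field exists and any Data value in the event is user1, while Data[@Name='SubjectUserName']='user1' compares that field's own value. The PowerShell below is an added example, not part of the original post; it evaluates both predicates with .NET's XPath engine over three constructed, simplified events (no XML namespace; the accounts, record IDs and the helper name Get-MatchingRecordId are made up for the illustration).

```powershell
# Constructed sample events. Real Security events carry an xmlns and many more fields.
[xml]$doc = @'
<Events>
  <Event>
    <System><EventID>4624</EventID><EventRecordID>101</EventRecordID></System>
    <EventData>
      <Data Name="SubjectUserName">user1</Data>
      <Data Name="TargetUserName">svc_backup</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>4624</EventID><EventRecordID>102</EventRecordID></System>
    <EventData>
      <Data Name="SubjectUserName">admin2</Data>
      <Data Name="TargetUserName">user1</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>4625</EventID><EventRecordID>103</EventRecordID></System>
    <EventData>
      <Data Name="SubjectUserName">-</Data>
      <Data Name="TargetUserName">user2</Data>
    </EventData>
  </Event>
</Events>
'@

# Hypothetical helper: returns the EventRecordID of every event matching the predicate.
function Get-MatchingRecordId {
    param([xml]$Document, [string]$Predicate)
    # Event Viewer's leading "*" selects each Event element; here that is /Events/Event.
    $xpath = '/Events/Event[' + $Predicate + ']'
    @($Document.SelectNodes($xpath) |
        ForEach-Object { $_.SelectSingleNode('System/EventRecordID').InnerText })
}

# Loose: "a SubjectUserName field exists" AND "some Data value equals user1".
$loose  = "EventData[Data[@Name='SubjectUserName'] and (Data='user1')]"
# Strict: the value of the SubjectUserName field itself equals user1.
$strict = "EventData[Data[@Name='SubjectUserName']='user1']"

'loose : ' + ((Get-MatchingRecordId $doc $loose)  -join ', ')
'strict: ' + ((Get-MatchingRecordId $doc $strict) -join ', ')
```

The loose form also returns the event in which only TargetUserName is user1, which matters on a Domain Controller where the same account name appears in many different fields.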