anderson_yee
Staff
Article Id 300891
Description This article provides useful XML Filters to track FSSO user logon events in Windows Event Viewer.
Scope Fortinet Single Sign-On (FSSO).
Solution

In the FSSO DC-Agent or Polling setup, sometimes users encounter missing logon events for specific users on the FSSO Collector Agent.

The first step is always to check whether the user logon event is processed on the Domain Controller.

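Go to Event Viewer -> Windows Logs -> Security -> Filter Current Log -> XML. In the filters below, file_path stands for the log path; for the Security log opened here, that is Security.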

 


 

  1. Event Viewer XML filter by username (USER123):

<QueryList>
  <Query Id="0" Path="file_path">
    <Select Path="file_path">*[EventData[Data[@Name="TargetUserName"]="USER123"]]</Select>
  </Query>
</QueryList>

  • Replace USER123 with the desired username to filter its logon event.

 

  2. Event Viewer XML filter by IP address (x.x.x.x):

<QueryList>
  <Query Id="0" Path="file_path">
    <Select Path="file_path">*[EventData[Data[@Name="IpAddress"]="x.x.x.x"]]</Select>
  </Query>
</QueryList>

  • Replace x.x.x.x with the desired IP address to filter its logon event.

 

  3. Event Viewer XML filter by Workstation Name (WORKSTATION):

<QueryList>
  <Query Id="0" Path="file_path">
    <Select Path="file_path">*[EventData[Data[@Name="WorkstationName"]="WORKSTATION"]]</Select>
  </Query>
</QueryList>

  • Replace WORKSTATION with the desired workstation name to filter its logon event.
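
The same three filters can be run from PowerShell on the Domain Controller and the matching fields shown side by side. This is an added example, not part of the original article: the function name Get-FssoLogonEvent and its parameters are hypothetical, and the log path is assumed to be Security, as in the Event Viewer step above.

```powershell
# Added example: function and parameter names are hypothetical, not Fortinet's.
function Get-FssoLogonEvent {
    [CmdletBinding()]
    param(
        # The three EventData fields used by the filters in this article.
        [Parameter(Mandatory)]
        [ValidateSet('TargetUserName', 'IpAddress', 'WorkstationName')]
        [string]$Field,
        [Parameter(Mandatory)]
        [string]$Value,
        [string]$ComputerName = 'localhost',   # assumed default: run on the DC itself
        [int]$MaxEvents = 50
    )

    # XPath 1.0 string literals cannot escape quotes, so refuse them outright.
    if ($Value -match '["'']') { throw 'Value must not contain quote characters.' }
    # Trim stray whitespace (a leading space silently matches nothing) and XML-escape.
    $safe = [System.Security.SecurityElement]::Escape($Value.Trim())

    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="$Field"]="$safe"]]</Select>
  </Query>
</QueryList>
"@

    try {
        $events = Get-WinEvent -FilterXml ([xml]$query) -ComputerName $ComputerName `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as "no events".
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated     = $e.TimeCreated
            EventId         = $e.Id
            TargetUserName  = $data['TargetUserName']
            IpAddress       = $data['IpAddress']
            WorkstationName = $data['WorkstationName']
        }
    }
}
```

For example, `Get-FssoLogonEvent -Field TargetUserName -Value USER123 | Format-Table` lists the most recent matching events; reading the Security log requires an elevated session or membership in a group permitted to read it.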