how to custmize eventviwer to only see all user logons

Julian Assange

2 min read

·

07-09-2024

41

0

Share

If you're looking to track user logon activity on your Windows system, the Event Viewer can be a powerful tool. By customizing it, you can filter out the noise and focus solely on user logons. In this guide, we will walk you through the steps to set up Event Viewer so you can see all user logons efficiently.

Understanding Event Viewer

Event Viewer is like a diary for your computer, recording important events and activities. Think of it as a surveillance camera that captures everything happening in your system. Each entry provides insights into applications, system events, and security-related activities, including user logins.

Why Track User Logons?

Tracking user logons can help you:

• Enhance Security: Identify unauthorized access or security breaches.
• Monitor Activity: Understand user behavior and usage patterns.
• Troubleshoot Issues: Diagnose problems related to user access.

Steps to Customize Event Viewer for User Logons

Here’s how you can set up Event Viewer to display only user logon events:

Step 1: Open Event Viewer

1. Press Windows + R to open the Run dialog.
2. Type eventvwr.msc and hit Enter. This opens the Event Viewer.

Step 2: Navigate to Security Logs

1. In the left pane, expand Windows Logs.
2. Click on Security. This is where all security-related events, including logons, are recorded.

Step 3: Create a Custom View

To streamline your experience, you can create a custom view that filters for logon events.

1. In the right pane, click on Create Custom View.
2. In the Filter tab, make the following selections:
   • Logged: Select the timeframe you wish to review (e.g., Last hour, Last week).
   • Event Level: You can leave this unchecked, as logon events can vary in severity.
   • Event logs: Choose Security.
   • By Event IDs: Enter the following IDs to filter logon events:
     • 4624: Successful logon
     • 4625: Failed logon attempts
3. Click on OK.

Step 4: Name and Save Your Custom View

1. In the dialog that appears, give your custom view a name, like “User Logons”.
2. Optionally, you can add a description to help remember its purpose.
3. Click on OK to save your view.

Step 5: View Your Filtered Logon Events

Now, every time you want to check user logons:

1. Go to the Custom Views section on the left pane.
2. Click on your newly created view, “User Logons”.
3. You will see a list of all successful and failed logon attempts filtered by your criteria.

Conclusion

Customizing the Event Viewer to only display user logons is a straightforward process that can significantly enhance your monitoring capabilities. By following these steps, you'll have a tailored view, allowing you to keep an eye on user activity with ease.

Additional Resources

For further learning about Event Viewer and user monitoring, check out these articles:

• Understanding Event Viewer: A Beginner's Guide
• Enhancing Security with Windows Event Logs

By keeping track of user logons, you can foster a more secure and efficient computing environment. Happy monitoring!