You have a file server named Server1 that runs Windows Server 2016.

Object access auditing is configured on Server1. You need to filter the Security event log to show all log entries that relate to a user named User1.

What should you do?

A. Right-click the Security log, and then click Filter Current Log-¦ On the Filter tab, type a value in the User box.

B. Right-click the Security log, and then click Filter Current Log-¦ On the Filter tab, select a value from the Event sources box.

C. Right-click the Security log, and then click Create Custom View-¦ On the Filter tab, type a value in the User box.

D. Right-click the Security log, and then click Filter Current Log-¦ On the XML tab, modify the QueryList entry and set an EventData tag.

Explanation:

Right clicking the event log name and selecting the -Filter Current Log- will display various options for filtering the event log.

These options are:

Time logged: There are pre-canned filters for the last hour, last 12 hours, last 24 hours, last week and last 30 days. Additionally you can specify a custom range.

Event level: Choose to show only events that match the specified level critical, warning etc.

Event Source: Select to only see events from MSI Installer, DHCP client etc.

EventID: Specify the event ID.

Keywords: Specify filters based on Audit Failure, Audit success User Computer(s)

References: https://blogs.technet.microsoft.com/rmilne/2014/08/06/quick-tip-event-viewer-filtering/