Sometimes you need to know each time a user did something like logged in during a time period. Since the logs can be quite large, I’ve used this method to get results pretty fast. You will need Microsoft’s Log Parser 2.2 installed to use this query. In this case I have it set to look for the name Jeff, but that can be changed to any name.
logparser “SELECT TimeGenerated, SID, Message FROM Security, Application, System WHERE Message like ‘%jeff%’” -i:EVT -resolveSIDs ON > c:\logresult.txt