Server Event viewer interpretation (Logon/Logoff)
I have been asked by management to provide a report displaying when users logon in the morning and logoff when they are leaving.
I've looked in the Event Viewer/Security Log and identified event ID 540 as Logon & 538 as Logoff, but there are multiple instances for each?
For example, I see event ID 540 for user:Wilber$ logging in at 7:49 am, 8:14, 8:28, 8:44, etc...
Same for event ID 538.
How can I best filter these extra entries out and create a useful report?
Thanks,
Russell
Responses to this topic
could very well be he has logged in and out, multiple times,
or do u simply want to know when he was in the first time, and logged out the last time?
you can sort it by time / date I believe.
Management would likely want ALL times - they are probably seeing how often users are away from the stations when they should not be.
They only need the first logon time in the morning and the last logoff time in the afternoon. Kinda like a punch-clock time keeper.
Some of the logon/logoff events happen every 2 or 3 minutes. Don't think someone would be locking/unlocking their workstation that frequently?
In Domain Security Policy/Local Policies/Audit Policy I have two items logging Success/Failures. They are:
1. Audit account logon events
2. Audit logon events
What's the difference?
RW
1. Audit account logon events is when a domain controller receives a request to validate a user account. See article http://support.microsoft.com/support/kb/articles/q174/0/73.asp
2. Audit logon events is when a user logs on or off, or makes or cancels a network connection.
Auditing is a great way to detect random password hacks and/or stolen user credentials with those 2 audits.
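One way to reduce an export of the 540/538 events to the punch-clock report asked for above (first logon and last logoff per user per day), as an added example that is not part of the original thread. The CSV column layout, user names and timestamps are constructed; accounts ending in `$` are skipped because that suffix marks a computer account rather than a person.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

LOGON_ID, LOGOFF_ID = 540, 538  # event IDs named in the thread

# Constructed sample export; the column layout is an assumption.
SAMPLE_CSV = """\
timestamp,event_id,user
2004-03-01 07:49:00,540,WILBER$
2004-03-01 07:52:10,540,rwilson
2004-03-01 08:14:00,540,WILBER$
2004-03-01 08:14:05,538,WILBER$
2004-03-01 08:16:41,538,rwilson
2004-03-01 17:03:22,538,rwilson
2004-03-01 08:05:00,540,jdoe
2004-03-02 07:58:00,540,rwilson
2004-03-02 16:45:00,538,rwilson
"""

def punch_clock(rows, skip_machine_accounts=True):
    """Return {(date, user): (first_logon, last_logoff)}; a missing side is None."""
    report = defaultdict(lambda: [None, None])
    for row in rows:
        user = row["user"].strip().lower()
        if skip_machine_accounts and user.endswith("$"):
            continue  # computer account, not a person at a keyboard
        event_id = int(row["event_id"])
        if event_id not in (LOGON_ID, LOGOFF_ID):
            continue
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        slot = report[(ts.date(), user)]
        if event_id == LOGON_ID and (slot[0] is None or ts < slot[0]):
            slot[0] = ts  # keep the earliest logon of the day
        elif event_id == LOGOFF_ID and (slot[1] is None or ts > slot[1]):
            slot[1] = ts  # keep the latest logoff of the day
    return {key: tuple(val) for key, val in report.items()}

def format_report(report):
    """One line per user per day; a side with no event is shown as such."""
    show = lambda t: t.strftime("%H:%M:%S") if t else "(none logged)"
    return [f"{day}  {user:<10} in {show(first)}  out {show(last)}"
            for (day, user), (first, last) in sorted(report.items())]

if __name__ == "__main__":
    rows = csv.DictReader(io.StringIO(SAMPLE_CSV))
    print("\n".join(format_report(punch_clock(rows))))
```

A day with a logon but no logoff is reported with the missing side left empty rather than guessed, so gaps in the audit data stay visible in the report.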