Server Event viewer interpretation (Logon/Logoff)
This is a discussion about Server Event viewer interpretation (Logon/Logoff) in the Everything New Technology category.
I have been asked by management to provide a report displaying when users logon in the morning and logoff when they are leaving.
I've looked in the Event Viewer/Security Log and identified event ID 540 as Logon & 538 as Logoff, but there are multiple instances for each?
For example, I see event ID 540 for user:Wilber$ logging in at 7:49 am, 8:14, 8:28, 8:44, etc...
Same for event ID 538.
How can I best filter these extra entries out and create a useful report?
Thanks,
Russell
Responses to this topic
Extra entries? These are the times that the user logged on/logged off. I'm assuming that the user locked/unlocked their workstation and logged back on again. The times sound about right. For proper auditing you NEED these times logged.
Could very well be he has logged in and out multiple times,
or do you simply want to know when he was in the first time, and logged out the last time?
You can sort it by time/date, I believe.
Management would likely want ALL times - they are probably seeing how often users are away from the stations when they should not be.
OP
They only need the first logon time in the morning and the last logoff time in the afternoon. Kinda like a punch-clock time keeper.
Some of the logon/logoff events happen every 2 or 3 minutes. Don't think someone would be locking/unlocking their workstation that frequently?
In Domain Security Policy/Local Policies/Audit Policy I have two items logging Success/Failures. They are:
1. Audit account logon events
2. Audit logon events
What's the difference?
RW
1. Audit account logon events is when a domain controller receives a request to validate a user account. See article http://support.microsoft.com/support/kb/articles/q174/0/73.asp
2. Audit logon events is when a user logs on or off, or makes or cancels a network connection.
Auditing is a great way to detect random password hacks and/or stolen user credentials with those 2 audits.
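The punch-clock report the original poster asks for (first logon and last logoff per user per day), as an added example that is not part of the thread. It assumes the Security log has been exported to CSV with `timestamp,event_id,user` columns (a constructed layout with constructed sample rows), uses the event IDs 540 and 538 named in the thread, and skips account names ending in `$`, which by Windows convention are computer accounts.

```python
import csv
import io
from datetime import datetime

LOGON_IDS = {"540"}   # logon event ID named in the thread
LOGOFF_IDS = {"538"}  # logoff event ID named in the thread

# Constructed sample export; the column layout is an assumption.
# 999 is a made-up "other" event ID used only to show that it is ignored.
SAMPLE = """\
timestamp,event_id,user
2005-03-01 07:49:00,540,WILBER$
2005-03-01 07:52:03,540,jsmith
2005-03-01 08:14:00,540,WILBER$
2005-03-01 08:15:40,538,jsmith
2005-03-01 08:16:02,540,jsmith
2005-03-01 16:58:30,538,jsmith
2005-03-01 17:03:11,999,jsmith
2005-03-02 08:05:00,540,jsmith
not-a-date,540,jsmith
"""

def punch_clock(csv_text, skip_machine_accounts=True):
    """Return {(user, date): (first_logon, last_logoff)} from exported events."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, eid = row["user"].strip().lower(), row["event_id"].strip()
        if eid not in LOGON_IDS | LOGOFF_IDS:
            continue  # other event IDs are not part of this report
        if skip_machine_accounts and user.endswith("$"):
            continue  # trailing '$' marks a computer account, not a person
        try:
            ts = datetime.strptime(row["timestamp"].strip(), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # malformed timestamp: skip the row
        first, last = report.get((user, ts.date()), (None, None))
        if eid in LOGON_IDS:
            first = ts if first is None or ts < first else first
        else:
            last = ts if last is None or ts > last else last
        report[(user, ts.date())] = (first, last)
    return report

def format_report(report):
    """One 'user date first_logon last_logoff' line per user and day."""
    fmt = lambda t: t.strftime("%H:%M:%S") if t else "-"
    return [f"{u} {d} {fmt(a)} {fmt(b)}" for (u, d), (a, b) in sorted(report.items())]

if __name__ == "__main__":
    print("\n".join(format_report(punch_clock(SAMPLE))))
```

A `-` in the last column means no logoff event was recorded for that user on that day.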