Compatible Support Forums
rwilliams3

Server Event viewer interpretation (Logon/Logoff)

I have been asked by management to provide a report displaying when users logon in the morning and logoff when they are leaving.

I've looked in the Event Viewer/Security Log and identified event ID 540 as Logon & 538 as Logoff, but there are multiple instances for each?

For example, I see event ID 540 for user:Wilber$ logging in at 7:49 am, 8:14, 8:28, 8:44, etc...

Same for event ID 538.

How can I best filter these extra entries out and create a useful report?

Thanks,

Russell

:x

Link to post

Extra entries? These are the times that the user logged on/logged off. I'm assuming that the user locked/unlocked their workstation and logged back on again. The times sound about right. For proper auditing you NEED these times logged.

Link to post

Could very well be he has logged in and out, multiple times,

or do you simply want to know when he was in the first time, and logged out the last time?

You can sort it by time / date, I believe.

Management would likely want ALL times - they are probably seeing how often users are away from the stations when they should not be.

Link to post

They only need the first logon time in the morning and the last logoff time in the afternoon. Kinda like a punch-clock time keeper.

Some of the logon/logoff events happen every 2 or 3 minutes. Don't think someone would be locking/unlocking their workstation that frequently?

In Domain Security Policy/Local Policies/Audit Policy I have two items logging Success/Failures. They are:

1. Audit account logon events

2. Audit logon events

What's the difference?

RW

Link to post

1. Audit account logon events is when a domain controller receives a request to validate a user account. See article http://support.microsoft.com/support/kb/articles/q174/0/73.asp

2. Audit logon events is when a user logs on or off, or makes or cancels a network connection.

Auditing is a great way to detect random password hacks and/or stolen user credentials with those 2 audits.

Link to post
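An added example, not part of the original thread: one way to build the punch-clock report asked for above (first event 540 and last event 538 per user per day) from an exported Security log. The CSV column layout, the `jsmith` account and all sample rows are constructed assumptions; names ending in `$` are skipped by default because that suffix marks Windows computer accounts.

```python
import csv
import io
from datetime import datetime

LOGON_ID, LOGOFF_ID = "540", "538"  # event IDs named in the thread

# Constructed sample rows; this column layout is an assumption, not a real export format.
SAMPLE_CSV = """date,time,event_id,user
2004-03-01,07:49:10,540,jsmith
2004-03-01,07:49:12,540,WILBER$
2004-03-01,08:14:03,538,jsmith
2004-03-01,08:14:40,540,jsmith
2004-03-01,08:28:00,540,WILBER$
2004-03-01,12:02:31,538,jsmith
2004-03-01,12:40:05,540,jsmith
2004-03-01,17:05:44,538,jsmith
2004-03-01,17:06:00,538,WILBER$
2004-03-02,08:01:00,540,jsmith
"""

def load(text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def punch_clock(rows, include_machine_accounts=False):
    """Return {(user, date): [first_logon, last_logoff]}; a missing side is None."""
    report = {}
    for row in rows:
        user = row["user"].strip().lower()
        # Names ending in "$" are computer accounts, not people.
        if user.endswith("$") and not include_machine_accounts:
            continue
        event = row["event_id"].strip()
        if event not in (LOGON_ID, LOGOFF_ID):
            continue
        stamp = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        first_last = report.setdefault((user, stamp.date()), [None, None])
        if event == LOGON_ID:
            if first_last[0] is None or stamp < first_last[0]:
                first_last[0] = stamp
        elif first_last[1] is None or stamp > first_last[1]:
            first_last[1] = stamp
    return report

if __name__ == "__main__":
    show = lambda t: t.strftime("%H:%M:%S") if t else "none logged"
    for (user, day), (first, last) in sorted(punch_clock(load(SAMPLE_CSV)).items()):
        print(f"{day} {user:<10} first logon {show(first)}  last logoff {show(last)}")
```

A day with a logon but no logoff (the second sample day) is reported with the missing side as `None` rather than dropped, so gaps in the log stay visible in the report.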
