
I have some knowledge about the events 4624 (logon) and 4634 (logoff). As Microsoft's document suggests, we can correlate these events with the Logon ID.

My question is: is there any other efficient way to do this?

My need is this: I have to read the events for the last 30 days and correlate the logon and logoff events to find the logon duration.

As per the document, the Logon ID is unique between reboots on the same computer. In that period (the last 30 days) the computer may have been rebooted several times, so I suspect there may be duplicate Logon IDs when we analyze the events for the last 30 days.

Kevin M
  • Not every logon will have an associated logoff, e.g. when a machine is rebooted without a logoff or when a laptop user simply unplugs and goes home. – Remko Dec 02 '12 at 17:45
  • We can track a user's logon activity by mapping logon and logoff events with the user's **Logon ID**, which is unique between the user's logon and logoff events. See the following articles: http://www.morgantechspace.com/2013/10/tracking-user-logon-activity-using.html http://www.morgantechspace.com/2013/10/logon-and-logoff-events-in-active.html http://www.morgantechspace.com/2013/10/enable-active-directory-logonlogoff.html – Kevin M Oct 10 '13 at 07:32
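
The following is an added example, not code from the question, its comments or the answer: it pairs 4624/4634 records by computer, boot number and Logon ID, so a Logon ID that recurs after a reboot is not matched to the wrong logon, and logons with no logoff are reported with an unknown duration. It assumes the events were already read into dicts with the hypothetical fields `time`, `computer`, `id`, `logon_id` and `user`, and it uses event 4608 as the reboot marker, which the page does not mention.

```python
from datetime import datetime

# 4608 ("Windows is starting up") is this example's reboot marker; the page names only 4624/4634.
LOGON, LOGOFF, STARTUP = 4624, 4634, 4608

def correlate(events):
    """Pair 4624/4634 by (computer, boot number, Logon ID); seconds is None if no logoff."""
    boot, open_, sessions = {}, {}, []   # open_: (computer, boot, logon_id) -> (user, start)

    def close(key, end):
        user, start = open_.pop(key)
        secs = (end - start).total_seconds() if end else None
        sessions.append({"computer": key[0], "user": user, "logon_id": key[2],
                         "start": start, "end": end, "seconds": secs})

    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["computer"]
        if ev["id"] == STARTUP:
            # Logon IDs can repeat after a reboot, so anything still open never logged off.
            for key in [k for k in open_ if k[0] == host]:
                close(key, None)
            boot[host] = boot.get(host, 0) + 1
            continue
        key = (host, boot.get(host, 0), ev.get("logon_id"))
        if ev["id"] == LOGON:
            open_[key] = (ev["user"], ev["time"])
        elif ev["id"] == LOGOFF and key in open_:   # skip logoffs whose logon predates the window
            close(key, ev["time"])
    for key in list(open_):   # still logged on, or the logoff was never written
        close(key, None)
    return sessions

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample records, not real log data: Logon ID 0x3e7a1 recurs after a reboot.
SAMPLE = [
    {"time": _t("2012-11-05 09:00"), "computer": "PC1", "id": LOGON, "logon_id": "0x3e7a1", "user": "alice"},
    {"time": _t("2012-11-06 08:00"), "computer": "PC1", "id": STARTUP},
    {"time": _t("2012-11-06 08:05"), "computer": "PC1", "id": LOGON, "logon_id": "0x3e7a1", "user": "bob"},
    {"time": _t("2012-11-06 09:05"), "computer": "PC1", "id": LOGOFF, "logon_id": "0x3e7a1", "user": "bob"},
    {"time": _t("2012-11-06 08:30"), "computer": "PC2", "id": LOGON, "logon_id": "0x3e7a1", "user": "carol"},
]

if __name__ == "__main__":
    for s in correlate(SAMPLE):
        print(s["computer"], s["user"], s["logon_id"], s["seconds"])
```

Keying on the Logon ID alone would let bob's logon overwrite alice's open one and hide her session entirely; with the boot number in the key, alice is reported with an unknown end and bob with one hour.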

1 Answer


If you want to track logon and logoff events, I would suggest using logon and logoff scripts that write this information into a database. With such an approach you don't need to parse event logs (on all servers).

Remko
  • Got the solution from http://www.morgantechspace.com/2013/10/tracking-user-logon-activity-using.html – Kevin M Oct 15 '13 at 18:03