
I am writing a Windows service which monitors account login and logoff events within a domain (Windows 2012). The login event ID is 4624 and the logoff event ID is 4634. However, I am seeing these two events in pairs, i.e. the event 4624 immediately followed by the event 4634. What should be the approach to determine if the user is actually logged off from a machine in a domain? Note: I am interested only in interactive logon sessions (not network, service or others).

Rajat Paliwal

1 Answer


You might want to look at event 4647, which is logged whenever a user logs off. If interactive sessions are all you're interested in, you should also limit yourself to relevant logon types (2, 7, 10, 11) in the 4624 event.

Tomer
  • I can see event 4647 only for the domain controller local logoff. Login/logoff on other computers of a domain only generates events 4624 and 4634 on the domain controller. Do we need to enable it explicitly? – Rajat Paliwal Sep 15 '16 at 08:10
  • Not sure. I was talking about taking the events from the actual machines, not from the DC. Maybe there's a setting, or event forwarding policy. – Tomer Sep 15 '16 at 09:20
  • Yes, the events from the actual machines. I can see events 4624 and 4634 from actual machines in the DC security logs but not the event 4647. – Rajat Paliwal Sep 15 '16 at 11:50
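The approach from the answer, written out as a small session tracker (an added example, not code from the question or the answer): only 4624 events with an interactive LogonType open a session, and a later 4634 or 4647 carrying the same TargetLogonId closes it, so a network logon/logoff pair like the ones seen on the DC never shows up as a user session. Logon IDs are unique per machine only, so sessions are keyed by the Computer field as well. The event records are constructed here in the Windows event XML schema; the host names and logon IDs are made up.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Interactive LogonType values: 2 Interactive, 7 Unlock, 10 RemoteInteractive, 11 CachedInteractive
INTERACTIVE_TYPES = {"2", "7", "10", "11"}


def parse_event(xml_text):
    """Return (event_id, computer, {EventData Name: value}) for one security event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def track_sessions(records):
    """Replay records in order; return {(computer, TargetLogonId): session dict}.

    Only an interactive 4624 opens a session; a 4634 or 4647 with the same
    logon ID on the same machine closes it. Non-interactive logons are ignored.
    """
    sessions = {}
    for xml_text in records:
        event_id, computer, d = parse_event(xml_text)
        key = (computer, d.get("TargetLogonId"))
        if event_id == 4624 and d.get("LogonType") in INTERACTIVE_TYPES:
            sessions[key] = {"user": d["TargetUserName"], "logon_type": d["LogonType"], "state": "active"}
        elif event_id in (4634, 4647) and key in sessions:
            sessions[key]["state"] = "logged off via %d" % event_id
    return sessions


def event_xml(event_id, computer, **data):
    """Build a minimal record in the Windows event XML schema (constructed test data, not a real log)."""
    rows = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID><Computer>%s</Computer></System>'
            '<EventData>%s</EventData></Event>') % (NS["e"], event_id, computer, rows)


# Constructed sample: a network logon/logoff pair as seen on the DC, a console logon
# that is still open, and an RDP logon ended by a 4647.
SAMPLE = [
    event_xml(4624, "DC01.example.local", TargetUserName="alice", TargetLogonId="0x3e7a1", LogonType="3"),
    event_xml(4634, "DC01.example.local", TargetUserName="alice", TargetLogonId="0x3e7a1", LogonType="3"),
    event_xml(4624, "WS01.example.local", TargetUserName="bob", TargetLogonId="0x5c210", LogonType="2"),
    event_xml(4624, "WS02.example.local", TargetUserName="carol", TargetLogonId="0x7d9f0", LogonType="10"),
    event_xml(4647, "WS02.example.local", TargetUserName="carol", TargetLogonId="0x7d9f0"),
]

if __name__ == "__main__":
    for (host, logon_id), s in track_sessions(SAMPLE).items():
        print(host, logon_id, s["user"], "type", s["logon_type"], s["state"])
```

In a real service the records would come from each workstation's Security log (or a forwarded-events subscription), since, as the comments note, the DC's own log will not contain the workstations' 4647 events.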