Event viewer interpretation (Logon/Logoff)

Oct 21, 2002
I have been asked by management to provide a report displaying when users logon in the morning and logoff when they are leaving.

I've looked in the Event Viewer/Security Log and identified event ID 540 as Logon & 538 as Logoff, but there are multiple instances for each?

For example, I see event ID 540 for user:Wilber$ logging in at 7:49 am, 8:14, 8:28, 8:44, etc...

Same for event ID 538.

How can I best filter these extra entries out and create a useful report?

Thanks,

Russell
 
Please review your GP/Auditing settings. Keep it on minimum. I'm sure that you simply chose more options than you actually need.

Victor K
psas@canada.com
MCSE+I;MCSA;MCSE(w2k);CNE(5.1);MCNE(6);CIWSP;CIWSA;Net+
 
I had a consultant turn off ALL security auditing and can't figure out how to start it up again. Boss has so much faith in the company, he doesn't want me to ask them. Claims if they said we didn't need it, we don't.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"Doubt is not a pleasant condition, but certainty is an absurd one."
Voltaire -born Francois-Marie Arouet- (1694-1778); French writer.
 
Glen,

Ouch! Turned it all off? As much as I'd love not to have to wade through the logs every morning, I'd sure hate not to have them when something went wrong!

Audit policies are set under Domain Security Policy/Local Policies/Audit Policy.

Dave
 
In Domain Security Policy/Local Policies/Audit Policy I have two items logging Success/Failures. They are:
1. Audit account logon events
2. Audit logon events

What's the difference?

What's the best way to view the data? Filter, then export to csv? How 'bout a third-party program to automate it?

RW
 
Different services can create a logon event when they authenticate to the server; you just want success/failure on account logon and failure on logon events.

Doomhamur
Network Engineer

"Certifications? We don't need no stinking certification."
yahoo IM handle: greater_vortex
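
An added example, not part of any post in this thread: one way to turn a CSV export of the Security log into the morning-logon / evening-logoff report asked about above. It keeps only event IDs 540 and 538, drops accounts whose names end in `$` (computer accounts), and reduces each user's day to the first logon and last logoff. The column layout, the user names and the sample rows are constructed assumptions; adjust the field names to match the real export.

```python
import csv
import io
from datetime import datetime

LOGON_ID, LOGOFF_ID = "540", "538"   # event IDs named in the thread

# Constructed sample export; the column layout is an assumption.
SAMPLE_CSV = """date,time,event_id,user
2002-10-21,07:49:12,540,WILBER$
2002-10-21,07:52:03,540,rwilson
2002-10-21,08:14:40,540,WILBER$
2002-10-21,08:14:41,538,WILBER$
2002-10-21,09:30:15,540,rwilson
2002-10-21,09:30:20,538,rwilson
2002-10-21,12:01:00,540,jsmith
2002-10-21,17:05:44,538,rwilson
2002-10-21,17:20:09,538,jsmith
2002-10-22,08:01:30,540,rwilson
"""

def daily_summary(csv_text):
    """Return {(user, date): {"first_logon": dt|None, "last_logoff": dt|None}}."""
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"].strip().lower()
        event_id = row["event_id"].strip()
        # Names ending in "$" are computer accounts, not people: skip them.
        if user.endswith("$") or event_id not in (LOGON_ID, LOGOFF_ID):
            continue
        when = datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")
        day = summary.setdefault((user, when.date().isoformat()),
                                 {"first_logon": None, "last_logoff": None})
        if event_id == LOGON_ID:
            if day["first_logon"] is None or when < day["first_logon"]:
                day["first_logon"] = when
        elif day["last_logoff"] is None or when > day["last_logoff"]:
            day["last_logoff"] = when
    return summary

def _hms(dt):
    return dt.strftime("%H:%M:%S") if dt else "-"   # "-" marks a missing event

def report_lines(summary):
    return [f"{date} {user:<10} in={_hms(v['first_logon'])} out={_hms(v['last_logoff'])}"
            for (user, date), v in sorted(summary.items(), key=lambda kv: (kv[0][1], kv[0][0]))]

if __name__ == "__main__":
    print("\n".join(report_lines(daily_summary(SAMPLE_CSV))))
```

A day with a logon but no logoff (or the reverse) is reported with `-` rather than dropped, so gaps in auditing stay visible in the report.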
 