I want to audit when every user logged into or logged off a server via RDP. When I run Get-EventLog or Get-WinEvent and filter for Login (Event ID 4624) and Logoff (Event ID 4634) events, I am only seeing Logoff events with no corresponding Login events. Why is this and how can I get the corresponding Login events?
- The logon may have occurred before the security event log wrapped. This is where you need to have logs sent to your centralized collector/SIEM. – Greg Askew, 15 hours ago
- @GregAskew logs span at least a week and contain approx 50 logoff events each day. I would expect to have a 1:1 ratio of login to logoff so I am not sure the log wrapping theory tracks. – Liam Kelly, 15 hours ago
- What settings are enabled/disabled in auditpol? – Greg Askew, 13 hours ago