Workstation logon/logoff audit log

GlenTech 496 Reputation points
2022-10-04T19:15:04.35+00:00

Upon checking the security log in my 2019 DC, I can see only about a day's worth of logon/logoff events for users in my org. I increased the log size to the max of 4GB (4194240 KB) to increase how far back I can look, but is that the correct place to audit users' logon/logoff times for workstations, or do I need to create a specific GPO in order to accomplish this?


2 answers

  1. George Moise 2,361 Reputation points Microsoft Employee
    2022-10-05T07:23:58.027+00:00

    Hi @GlenTech ,

    When we're looking in the Security Event Log of a Domain Controller, we will see the following types of events:

    • activities performed by Domain Objects (Users, Computers, etc)
    • activities performed by local users on the current Domain Controller

    Now, this means that if you want to audit the Logon (4624) and Logoff (4634) activities of your Domain Users, then it is sufficient to look in the Security Event Logs of all your Domain Controllers.

    If you want to audit the Logon and Logoff also for Local Users (non-domain), then you will have to look in the Security Event Logs of all your servers / clients you want to audit (as the local users related events are generated locally).

    Usually, organizations are using SIEM tools (Security Information and Event Management) to collect the required Security Events in a central data store, on top of which they can then query the entire set of events.

    If you are interested in this, you can then have a look maybe at Microsoft Sentinel (Cloud based SIEM from Microsoft) that will allow you to collect the Security Events from your Domain Controllers (via agents), perform security detections, data visualizations, etc. and store them for a longer time.

    I hope the above helps!
    If so, please "Accept the answer", so we help the entire community here.

    Thank you!
    BR,
    George


  2. Limitless Technology 39,926 Reputation points
    2022-10-06T08:59:11.553+00:00

    Hello there,

    Are you planning to track the session time out total log in?

    You are right to check the audit log and security log. Additionally, you can track Active Directory user login history using event logs.

    Go to “Windows Logs” ➔ “Security”.
    Open “Filter Current Log” on the rightmost pane and set filters for the following Event IDs. You can also search for these event IDs.

    | Event ID | Description |
    |----------|-------------|
    | 4624 | Logon (Whenever an account is successfully logged on) |
    | 4647 | Logoff (When an account is successfully logged off) |
    | 4634 | Logon session end time |
    | 4800 | System was locked |
    | 4801 | System was unlocked |

    ---------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--
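
The event IDs listed in the second answer can also be pulled from the Security log with PowerShell, together with a check of how far back the log currently reaches. This is an added example, not part of either answer; the function name `Get-LogonActivity`, the variable names and the 7-day window are assumptions.

```powershell
# Added example: Get-LogonActivity, $EventIds and $Days are illustrative names.
# Run in an elevated PowerShell session on the machine whose Security log you want to read.

$EventIds = 4624, 4647, 4634, 4800, 4801   # IDs from the table in the answer above
$Days     = 7                               # assumed look-back window

# How far back does the log actually reach, and how large is it allowed to grow?
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
[pscustomobject]@{
    MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
    CurrentMB   = [math]::Round($log.FileSize / 1MB)
    RecordCount = $log.RecordCount
    OldestEvent = $oldest.TimeCreated
    LogMode     = $log.LogMode      # Circular = oldest events are overwritten when full
} | Format-List

function Get-LogonActivity {
    param([int[]]$Id, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData fields are named in the event XML; read them by name, not by position
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']      # on 4624/4634: 2=interactive, 3=network, 10=remote interactive
            LogonId   = $data['TargetLogonId']  # pairs a 4624 with its later 4634/4647
            Source    = $data['IpAddress']      # populated on 4624 only
        }
    }
}

Get-LogonActivity -Id $EventIds -Since (Get-Date).AddDays(-$Days) |
    Where-Object { $_.User -and $_.User -notlike '*$' } |   # drop computer accounts
    Sort-Object Time |
    Format-Table -AutoSize
```

Comparing `OldestEvent` with the current date shows the retention the log size actually buys, and the `LogonType` column separates interactive sessions from network logons.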

