Audit account logon/logoff events

Discussion in 'Security Software' started by Don Cristobal, Apr 19, 2005.

  1. I have been able to set the audit policy to monitor successful logons, but I
    ideally need to set it to monitor logoff times as well. Can this be done?
     
    Don Cristobal, Apr 19, 2005
    #1
    1. Advertisements

  2. I don't think logging off is considered an "event".
     
    Phillip Windell, Apr 19, 2005
    #2
    1. Advertisements

  3. I don't think logging off is considered an "event".
    Event ID 538 is a log off event (see http://tinyurl.com/bytup), which was
    supplemented with 551 in WS2003 (http://tinyurl.com/bytup)
     
    Byron Hynes [MVP], Apr 19, 2005
    #3
  4. I was reading somewhere that in certain situations a "logoff" isn't recorded
    and cannot be used to "trigger" something else,...but I've slept too many
    times since then and don't remember what it was.
     
    Phillip Windell, Apr 21, 2005
    #4
  5. I was reading somewhere that in certain situations a "logoff" isn't
    A logoff is obviously not recorded if it is a "hard" shutdown (like a powerfail),
    and in those cases, log off and shutdown scripts don't fire either.

    kB 318253 and 828020 describe a hotfix needed in W2K to correct an error
    where some logoff events were not recorded.

    There is also a situation where the logoff event is generated out of order
    in Windows NT. I think KB 146880 may be the reference you were thinking of.

    One of the issues with Windows audit is that the messages change with each
    version of the OS but there isn't a versioning mechanism for the messages
    themselves.
     
    Byron Hynes [MVP], Apr 22, 2005
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.