Multiple 4624 and 4634 events for every logon and logoff

I'm getting 3-5 logon (4624) and multiple 4634 events for every logoff. I'm trying to narrow these down to the actual event of logging on and logging off, but with so much noise it is hard to figure out the real event.

Anyone have suggestions on filtering this stuff or seeking an alternative method of obtaining the logon/logoff events/actions.
RLUNT asked:

gemarti commented:
What is the logon type noted in the event? Many times this could just be a local service starting up or shutting down.

You can start by disabling all services one at a time until you narrow down the source of the event. If the service isn't needed then don't start it up. Service logons are usually "Logon Type: 5"
gemarti commented:
BTW: You can use this tool (http://technet.microsoft.com/en-us/sysinternals/bb896769.aspx) to determine what accounts are logged on and what service they are using. This may be quicker than trying to disable services etc.

RLUNT (author) commented:
No solution has been presented. All the above suggestions don't address the fundamental question of how to get to the root login event efficiently. Scouring through services, etc. turning them off is the equivalent of counting grains of rice when handling enterprise issues. I was looking for some insight as to an advanced filtering of events to get to the root login event for the user. Therefore no points will be awarded.

gemarti commented:
Perhaps if you would have answered the question I asked I could have provided you with a succinct answer. Your question was vague and non-specific; this is why you didn't get what you wanted. But the suggestions I provided are valid answers to the basic premise of your question.

Running a filter to find all service logons would quickly tell you if a service was causing the event you were looking for so I'm not too sure I understand the justification of your comment.
RLUNT (author) commented:
Ah, there's the rub. What is the question? From my perspective it was succinct, but reviewing it I can see that a different perspective would garner your response. Therefore, I'll rephrase:

I want to review the thousands of people logging into my network and get the specific 'login' event and the specific 'logout' event. I don't want all the other junk that MS provides for all the services, etc., etc., etc. The root of this is to know when a person logs in and logs out. Nothing more. The local WS has distinct events for this, but that would require trapping events on every workstation. I built a service to trap these on the WS level, but with 1000 WS it is painful to update. Supposedly the 'Audit' feature of a Windows Server should replicate this workstation capability within the server 'Security Event log.' But as I found out MS decided not to replicate the process but to go overboard, even to the extent of using the same event ID for multiple events, as seen within the body of the event. However MS was inconsistent with the use of the body, sometimes populating the source, etc., etc., etc. Sometimes sending the corresponding logoff, sometimes not. Thus, rendering the current 4624 and 4634 events virtually useless unless you focus on one workstation and sift slowly through the noise. But on a large scale it is beyond painful.

I have not found anyone who has definitively resolved the ability to know when a person logs on to a domain and logs off the domain. Many writings (forums, Google, MSDN) say "Turn on Auditing" but after that the specifics fade into the ether. I can imagine they fade because of the above issue and no one knows how to resolve the excess/noisy information problem. Thus, it is troubling to hear some write they 'know' how to monitor logon/logoff on a large network and then provide only 33% of the solution. Why answer the question when you can't provide the whole solution? This is not directed at you but the public at large for offering a solution that is not a solution.

So, please accept my apology for the above comment. You were addressing the question I asked, not the question I thought I asked.

If you have any insight to the above situation I would appreciate your input.

Regards

gemarti commented:
Perhaps two simple scripts and a SQL database would provide you with a solution?

I think I understand your extended comments; you want a log of when a user logs on and logs off your domain controller; you aren't interested in services starting up or what account is used to start those services.

If you are in AD one possible approach is to set up two scripts that would run when a user logs on and logs off the network. The scripts would quickly record the user name, computer name, date and time of log entry and whether the user was logging on or off. Would that get to the root of your request? Or are you wanting more specific information? If so, what specific information do you need to know?

I understand you have done extensive research on the event logs and don't wish to deal with the complexity or quantity of information stored in those logs; if I'm correct I think a customized solution is the only viable option.
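One way to do what gemarti's two answers describe (drop the service and network logon types, then pair each remaining 4624 with the 4634 carrying the same Logon ID to get one logon/logoff record per user session), as an added example that is not code from this thread. The event records are constructed sample data shaped like the EventData fields of 4624/4634; the host name "WS-014", the account names and the timestamps are assumptions.

```python
"""Reduce noisy 4624/4634 Security events to one record per interactive user
session. The sample events below are constructed, not from a real log."""
from datetime import datetime

# Logon Type values that mean a person signed in: 2 console, 7 unlock,
# 10 RDP, 11 cached console. Type 5 (service) and 3 (network) are the noise.
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}

def build_sessions(events, host):
    """Pair each interactive 4624 with the 4634 that shares its Logon ID.

    Logon IDs are unique only per host per boot, so logs collected from
    many workstations must be keyed on (host, logon id), as done here.
    A logon that never gets its 4634 is returned with end=None.
    """
    open_sessions, finished = {}, []
    for ev in sorted(events, key=lambda e: e["Time"]):
        key = (host, ev["TargetLogonId"])
        ts = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4624:
            ltype = int(ev["LogonType"])
            if ltype not in INTERACTIVE_LOGON_TYPES:
                continue  # service, network or batch logon: skip it
            open_sessions[key] = {
                "user": f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
                "host": host, "logon_type": ltype, "start": ts, "end": None}
        elif ev["EventID"] == 4634 and key in open_sessions:
            sess = open_sessions.pop(key)
            sess["end"] = ts
            finished.append(sess)
    return finished + list(open_sessions.values())

# Constructed sample: alice's console logon, the service and network logons
# that surround it, and a logoff for each of the three.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2012-08-01T08:00:01", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3e7a1", "LogonType": "2"},
    {"EventID": 4624, "Time": "2012-08-01T08:00:01", "TargetUserName": "SYSTEM",
     "TargetDomainName": "NT AUTHORITY", "TargetLogonId": "0x4c1", "LogonType": "5"},
    {"EventID": 4624, "Time": "2012-08-01T08:00:03", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3e9c2", "LogonType": "3"},
    {"EventID": 4634, "Time": "2012-08-01T08:00:04", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3e9c2", "LogonType": "3"},
    {"EventID": 4634, "Time": "2012-08-01T17:02:10", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3e7a1", "LogonType": "2"},
]

if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS, "WS-014"):
        print(s["user"], s["host"], s["start"], "->", s["end"])
```

On hosts with UAC, an administrator's console logon produces two type 2 events with different Logon IDs (one per half of the split token), so even after this filter an admin sign-in can still show as two sessions; newer Windows versions add a Linked Logon ID field to 4624 that ties the pair together.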
RLUNT (author) commented:
Take this as an extreme compliment: you have what my wife does to me frequently. When looking at a complicated answer she punches me in the head with a common sense approach.

Thanks
gemarti commented:
I'm pretty sure I don't like being compared with a woman...especially your wife (I'm sure she is a wonderful woman) but I'll take your compliment; hope it all works out.

Thanks.
RLUNT (author) commented:
Ah, it is the most sincere compliment. She is great, smart and a geek.