Security Log Randomly omits login entries on Citrix server

The Windows Security log randomly omits login attempts to our Citrix server.  

We run a batch job that tracks user logins on our Citrix server (Windows 2008 Server OS) using the Auditlog.exe command:  


After noticing some logins weren't logged, I checked the Security log via Event Viewer, and confirmed the user was not in the Security log.  I watched this user log in to the Citrix server and invoke Word, so I know a successful login attempt occurred.  This seems to occur randomly.
Marisa Stevenson Asked:
Carl Webster (Citrix Technology Professional - Fellow) Commented:
Are they connecting directly to this server or via web interface?
Marisa Stevenson (Author) Commented:
They are connecting directly.  We also have a remote Citrix server we use for failover, though we had not failed over during this time.  However, it's possible access was routed via the remote server due to load balancing - had not considered that when I posed this question.  I'm going to check whether Event Viewer on the remote server has logged the entries.  If you have other thoughts, please share.  Otherwise I will update (and possibly close) this post once I've checked the other server.
Carl Webster (Citrix Technology Professional - Fellow) Commented:
If they connect directly to the server, load balancing does not come into play.  Is there only this one XenApp server plus the remote one for failover?  

When you say they connect direct, are they connecting via RDC to the server's desktop, are you using a custom ICA file, are you using Program Neighborhood?
Marisa Stevenson (Author) Commented:
I ran the batch job on the remote server and it appears the security log has trapped logins on that server as well (despite not having failed over to it).  Perhaps 'load balance' was the incorrect term.  I'm going to assume this must be the answer - I was looking at the local server, and should have been looking at both, for whatever reason.  Thanks for your help.
Carl Webster (Citrix Technology Professional - Fellow) Commented:
It all depends on how your users connect to servers.  The way it is supposed to work is:

connect to web interface
user enters login credentials
web interface passes credentials to the XML Broker who passes them on to a DC
DC validates credentials
If invalid, login failed msg is displayed
If valid, XML Broker talks to zone data collector (usually one and the same server) and retrieves the list of applications and desktops for that user
Web Interface then displays a customized WI
user clicks an icon
WI goes back to ZDC (and depending on version of PS/XA and HRP level) and will either see if the user has a session on a server and if so connect to that session to run the app and if the user has no existing session, then will ask for the Least Busy Server and run the app from that server.
Marisa Stevenson (Author) Commented:
I am amazed at your level of knowledge.  Thanks so very much for your help.
Carl Webster (Citrix Technology Professional - Fellow) Commented:
Nothing to be amazed about.  I'm just little ol' me. :)
Marisa Stevenson (Author) Commented:
Appears the remote Citrix server is also trapping logins, perhaps due to load balancing.
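
The thread's resolution is that a logon is recorded only on the server that hosted the session, so a login audit has to read the Security log of every server users can land on. The following is an added example, not part of the original thread and not the batch job discussed in it: it pulls logon events from each server and merges them into one timeline. Assumptions: the server names are hypothetical placeholders, the script runs on a machine with PowerShell 3.0 or later and remote event log access to each server, and session logons appear as event 4624 with logon type 2 or 10.

```powershell
# Hypothetical server names: list every server that can host a user session.
$Servers = 'CTX-LOCAL', 'CTX-REMOTE'

function Get-FarmLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [datetime] $Since = (Get-Date).AddDays(-1),
        # 2 = Interactive, 10 = RemoteInteractive. Assumed to cover session
        # logons here; widen the list if your sessions log a different type.
        [int[]] $LogonType = @(2, 10)
    )
    foreach ($server in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $server -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = 4624; StartTime = $Since
            }
        } catch {
            # "No events in the window" is a valid empty result, not a failure.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
            # An unreachable server is a hole in the audit, so report it.
            Write-Warning "No data from ${server}: $($_.Exception.Message)"
            continue
        }
        foreach ($evt in $events) {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
            $data = @{}
            foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            if ($LogonType -notcontains [int]$data.LogonType) { continue }
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                Server    = $server
                User      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                LogonType = [int]$data.LogonType
                ClientIP  = $data.IpAddress
            }
        }
    }
}

# One merged timeline across all servers, oldest first.
$logons = Get-FarmLogon -ComputerName $Servers | Sort-Object Time
# Per user and server: how many logons each server recorded.
$logons | Group-Object User, Server | Select-Object Count, Name
```

A user who seems to be missing from one server's log will show up in the grouped output under the server that actually hosted the session, and a warning line marks any server whose log could not be read.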