Login and logoff in DC event viewer while user still logged in

Hello, we are in the middle of integrating our on-premise AD to our SOPHOS firewall. We had to download the SOPHOS firewall plugin to connect to AD and server information. Apparently the app reads certain particular events that tell it if a user has logged in or logged out of his or her computer system and, based on that, considers the user active and therefore starts logging and allowing that AD user access to the internet.

Currently this is not working, and the cause per the SOPHOS senior engineer is that when the user signs in, we see event ID 4624 pop up in the event viewer, but right after we get an event 4634 stating a logoff and the following message...

"This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer"  

SOPHOS Engineer specifically said event ID 4634 is causing this issue.

It makes sense that 4634 may be causing issues, since it says the user is logged off when in fact they just logged in, but is that event ID 4634 a normal event across all servers or an issue I must fix?

-Currently only 1 domain controller
-Windows Server 2016
-About 60 Users
Spirit_US Asked:

Kimputer (IT Manager) Commented:
Check the same with an idle PC: log in a user and try to have a clean startup profile.
If you see far fewer logged entries, it means it's probably by design that you get so many for active users. Think of users connecting to your SharePoint, think of Outlook generating many login/logoff requests.
So if you already see the login/logoff events are correct for the idle user, start using only one added program at a time. So start Outlook, check the event log for a while, then connect to SharePoint, and slowly add one program at a time.
The moment you see the event log flooded again for this user, you know which program is causing it.
Sadly, after you find it out, like maybe Outlook, you will still have no answer, and there's not much you can do to influence this, because Outlook needs to log in/log off to work properly with your Exchange server.
Shaun Vermaak (Technical Specialist) Commented:
"It may be positively correlated with a logon event using the Logon ID value."
They need to correlate this message by logon ID and look for a logon event. If there is one, the session is still logged on.
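
The correlation by Logon ID described in the answer above, as an added example that is not part of the original thread: it pairs 4624 and 4634 records and reports which users still have a logon with no matching logoff. The sample records, the host name DC01 and the user names are constructed; records are assumed to be in chronological order and from a single boot of each computer.

```python
# Constructed sample records (not taken from the thread). Field names follow the
# EventData of Security events 4624 (logon) and 4634 (logoff).
SAMPLE_EVENTS = [
    {"Time": "08:59:40", "EventID": 4634, "Computer": "DC01", "TargetUserName": "bwayne", "TargetLogonId": "0x3E1F00"},
    {"Time": "09:00:01", "EventID": 4624, "Computer": "DC01", "TargetUserName": "jdoe",   "TargetLogonId": "0x3E7A10"},
    {"Time": "09:00:01", "EventID": 4634, "Computer": "DC01", "TargetUserName": "jdoe",   "TargetLogonId": "0x3e7a10"},
    {"Time": "09:00:05", "EventID": 4624, "Computer": "DC01", "TargetUserName": "jdoe",   "TargetLogonId": "0x3E7B22"},
    {"Time": "09:05:00", "EventID": 4624, "Computer": "DC01", "TargetUserName": "asmith", "TargetLogonId": "0x3E8C01"},
    {"Time": "09:05:02", "EventID": 4634, "Computer": "DC01", "TargetUserName": "asmith", "TargetLogonId": "0x3E8C01"},
]


def correlate(events):
    """Pair logons with logoffs; return (open_sessions, closed_pairs, orphan_logoffs)."""
    open_sessions = {}          # (computer, logon id) -> 4624 record still without a 4634
    closed, orphans = [], []
    for ev in events:
        # Logon IDs are only unique per computer (and per boot), so the key includes
        # the computer; hex case is normalised because exports differ in casing.
        key = (ev["Computer"], ev["TargetLogonId"].lower())
        if ev["EventID"] == 4624:
            open_sessions[key] = ev
        elif ev["EventID"] == 4634:
            logon = open_sessions.pop(key, None)
            if logon is None:
                orphans.append(ev)      # logon happened before the window we were given
            else:
                closed.append((logon, ev))
    return open_sessions, closed, orphans


def users_with_open_session(events):
    """Users that still have at least one logon session with no matching 4634."""
    open_sessions, _, _ = correlate(events)
    return sorted({ev["TargetUserName"] for ev in open_sessions.values()})


if __name__ == "__main__":
    still_open, closed_pairs, orphan_logoffs = correlate(SAMPLE_EVENTS)
    print("users with an open session:", users_with_open_session(SAMPLE_EVENTS))
    for logon, logoff in closed_pairs:
        print("closed:", logon["TargetUserName"], logon["TargetLogonId"], logon["Time"], "->", logoff["Time"])
    print("logoffs without a logon in this window:", [e["TargetUserName"] for e in orphan_logoffs])
```
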

Spirit_US (Author) Commented:
Thank you