Login and logoff in DC event viewer while user still logged in

Spirit_US used Ask the Experts™
Hello, We in the middle of integrating our on premise AD to our SOPHOS firewall. We had to download the SOPHOS firewall plugin to connect to AD and server information. Apparently the app reads certain particular events that tell it if a users has logged in or logged out of his or her computer system and based on that consider the user active and therefore starts logging and allowing that AD user access to the internet.

Currently this is not working and the cause per SOPHOS Senior engineer is when the user signs in the event viewer we see ID 4624 pop up but right after we get an event 4634 stating a logoff and the following message...

"This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer"  

SOPHOS Engineer specifically said event ID 4634 is causing this issue.

It makes sense that 4634 may be causing issues since it says the user is logged off when in fact they just logged in but is that event ID 4634 a normal event across all servers or an issue I must fix?

-Currently only 1 domain controller
-Windows Server 2016
-About 60 Users
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Check same with an idle PC, login a user, try to have a clean startup profile.
If you see much less logged entries, it means it's probably by design that you get so many for active users. Think of users connecting to your Sharepoint, think of Outlook generating many login/logoff requests.
So if you already see the login/logoff events are correct for the idle user, start using only one added program at a time. So start Outlook, check eventlog for a while, the connect to Sharepoint, and slowly add one program at a t ime.
The moment you see the eventlog flooded again for this user, you know which program is causing it.
Sadly, after you find it out, like maybe Outlook, you will still have no answer, and there's not much you can do to influence this, because Outlook needs to login/logoff to work properly with your Exchange server.
Technical Specialist
Awarded 2017
Distinguished Expert 2018
It may be positively correlated with a logon event using the Logon ID value.
The need to correlate this message by logon ID and look for a logon event. If there is one, the session is still logged on.


Thank you

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial