
Unable to log Windows Interactive Logon events

Updated March 11th, 2016

Overview

This article explains why you may be unable to find any interactive Logon events for your Windows host and provides steps to resolve the issue.

Other UserLogon events are visible, but not interactive Logon. 

 

 

Environment

All LEM versions

 

Cause 

Interactive logon events exist only on the computer that recorded the logon, typically just your PC/laptop. The same applies when logging into any Windows server. Windows logs on a domain controller do not include interactive logon events unless you log on directly to the domain controller (at the keyboard or through an RDP session). The domain controller acknowledges a "network" login from a user's PC/laptop or server.

 

Resolution

To log Interactive Logon events from your workstations, you must meet the following conditions:

  • The LEM Agent is installed on the workstations and servers you want to monitor, not just the domain controller(s).
  • The group policy applied to your workstations (most likely the Default Domain Policy) is configured to monitor user logon events.

 

If the above conditions are true, you should be able to locate Interactive Logon events in nDepth by searching for the following conditions:

 

UserLogon.LogonType = Windows: Interactive

 

OR

 

User.LogonType = Windows: Remote Interactive Logon
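
If the nDepth search returns nothing, you can check on the workstation or server itself whether Windows is recording interactive logons at all. The following is an added example, not SolarWinds code. It assumes an elevated PowerShell 3.0 or later session on an English-language Windows system, where a successful logon is Security event ID 4624 with Logon Type 2 (Interactive), 10 (RemoteInteractive) or 3 (Network).

```powershell
# Added example: run elevated on the machine where the user logs on,
# not on the domain controller.

# 1. Show whether the effective audit policy records logon events.
#    Assumption: English subcategory name; the name is localized on other systems.
auditpol /get /subcategory:"Logon"

# 2. Read recent successful logons (event ID 4624) from the local Security log.
$typeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 10 = 'RemoteInteractive' }
$events = Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4624]]' `
    -MaxEvents 500 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> elements into a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $type = [int]$data['LogonType']
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Computer    = $e.MachineName
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $type
        TypeName    = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { 'Other' }
    }
}

if (-not $rows) {
    Write-Warning 'No 4624 events found. Check the audit policy applied to this machine.'
} else {
    # Count per logon type: a domain controller typically shows mostly Network,
    # a workstation shows Interactive or RemoteInteractive for its own users.
    $rows | Group-Object TypeName | Select-Object Name, Count | Format-Table -AutoSize

    # The events the two nDepth conditions above are meant to match.
    $rows | Where-Object { $_.LogonType -in 2, 10 } |
        Select-Object -First 20 TimeCreated, Computer, User, TypeName |
        Format-Table -AutoSize
}
```

If types 2 and 10 appear here but not in nDepth, the events exist locally and the gap is in collection, for example no LEM Agent on this machine.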

 

For additional information, see "Audit logon events" on the Microsoft website.

 

 

Last modified
08:26, 4 May 2017
