Submit a ticketCall us

Training Class Getting Started with SolarWinds Backup - February 28

This course offers customers an introduction to SolarWinds Backup, focusing on configuring the backup technology, taking backups, data restoration and data security. It is a great primer and will get you up to speed quickly on SolarWinds Backup.
Register for class.

Home > Success Center > Log & Event Manager (LEM) > Unable to log Windows Interactive Logon events

Unable to log Windows Interactive Logon events

Updated March 11th, 2016


This article provides brief information and steps to resolve the issue when you are unable to find any interactive Logon events for your Windows host. 

Other UserLogon events are visible, but not interactive Logon. 




All LEM versions



Interactive logon events only exist on the computer that recorded the logon, typically just your PC/laptop. The same would apply to logging into any Windows server. Windows logs on a domain controller do not include the interactive logon events, unless you are logging directly into the domain controller (at the keyboard or RDP session). The domain controller acknowledges a "network" login from a users PC/laptop or server.



In order to log Interactive Logon events from your workstations, you must meet the following conditions:

  • The LEM Agent is installed on the workstations and servers you want to monitor, not just the domain controller(s).
  • The group policy applied to your workstations (most likely the Default Domain Policy) is configured to monitor user logon events.


If the above conditions are true, you should be able to locate Interactive Logon events in nDepth by searching for the following conditions:


UserLogon.LogonType = Windows: Interactive




User.LogonType = Windows: Remote Interactive Logon


For additional information, see Audit logon events from the Microsoft website. 



Last modified