Submit a ticketCall us

Systems Monitoring for Dummies
Our new eBook will teach you the fundamentals and help you create monitors and alerts that are effective, meaningful, and actionable. Monitoring is more than a checkbox on your to-do list. This free eBook will give you practical advice to help you succeed in all aspects of monitoring – discovery, alerting, remediation, and troubleshooting. Don’t miss out on this indispensable resource for newbies, experienced IT pros, and everyone in between. Register Now.

Home > Success Center > Log & Event Manager (LEM) > Unable to log Windows Interactive Logon events

Unable to log Windows Interactive Logon events

Updated March 11th, 2016

Overview

This article provides brief information and steps to resolve the issue when you are unable to find any interactive Logon events for your Windows host. 

Other UserLogon events are visible, but not interactive Logon. 

 

 

Environment

All LEM versions

 

Cause 

Interactive logon events only exist on the computer that recorded the logon, typically just your PC/laptop. The same would apply to logging into any Windows server. Windows logs on a domain controller do not include the interactive logon events, unless you are logging directly into the domain controller (at the keyboard or RDP session). The domain controller acknowledges a "network" login from a users PC/laptop or server.

 

Resolution

In order to log Interactive Logon events from your workstations, you must meet the following conditions:

  • The LEM Agent is installed on the workstations and servers you want to monitor, not just the domain controller(s).
  • The group policy applied to your workstations (most likely the Default Domain Policy) is configured to monitor user logon events.

 

If the above conditions are true, you should be able to locate Interactive Logon events in nDepth by searching for the following conditions:

 

UserLogon.LogonType = Windows: Interactive

 

OR

 

User.LogonType = Windows: Remote Interactive Logon

 

For additional information, see Audit logon events from the Microsoft website. 

 

 

Last modified

Tags

Classifications

Public