KBI 310511 Empty Logon/Logoff Reports In Argent for Compliance

Version

Argent for Compliance — all versions

Date

11 Jun 2013

Summary

The customer archives Windows Security logs from Domain Controllers, but all the Logon/Logoff reports turn out blank.

Technical Background

The customer may use domain accounts to log on to all servers and workstations, archive Windows event logs from the Domain Controller, and expect to see all the Logon/Logoff activities — but this does not work.

Logon and authentication are two different concepts.

When the customer uses a domain account — yes, the Domain Controller AUTHENTICATES the logon account, but the logon process happens on the machine that the customer logs on to, NOT on the Domain Controller.

As a result, the Logon/Logoff events are present only on the machine that the customer logs on to.

Resolution

This is normal behavior.

In order to generate the Logon/Logoff reports, customers must do the following:

1. Audit the Logon/Logoff events in Domain Group Policy.

2. Archive Windows Security Logs from the servers and workstations, not just the Domain Controller.
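
To see where each kind of event is actually recorded, the following PowerShell sketch counts interactive logon, logoff and authentication events in the Security log of a Domain Controller and a workstation. It is an added example, not part of Argent for Compliance or the original article; the host names DC01 and WKS01 are hypothetical placeholders. It assumes Windows Vista / Server 2008 or later event IDs, an account allowed to read the remote Security logs, and remote event log access permitted by the firewall.

```powershell
# Added example. Host names are hypothetical placeholders, not from the article.
$Computers = 'DC01', 'WKS01'        # assumption: one Domain Controller, one workstation
$Since     = (Get-Date).AddDays(-1)

function Get-SecurityEvent {
    param([string]$ComputerName, [int[]]$Id, [datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $StartTime }
    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "no matching events" as an error; treat it as an empty result.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    }
}

function Get-LogonType {
    param($Record)
    # Read the named LogonType field from the event XML instead of relying on field order.
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    [int]($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
}

$report = foreach ($computer in $Computers) {
    # 4624 = logon; 4634 / 4647 = logoff; 4768 / 4769 / 4776 = Kerberos and NTLM authentication
    $logons  = @(Get-SecurityEvent -ComputerName $computer -Id 4624 -StartTime $Since)
    $logoffs = @(Get-SecurityEvent -ComputerName $computer -Id 4634, 4647 -StartTime $Since)
    $auth    = @(Get-SecurityEvent -ComputerName $computer -Id 4768, 4769, 4776 -StartTime $Since)

    # Logon types 2, 10, 11 = interactive, remote interactive, cached interactive
    $interactive = @($logons | Where-Object { (Get-LogonType $_) -in 2, 10, 11 })

    [pscustomobject]@{
        Computer          = $computer
        InteractiveLogons = $interactive.Count
        Logoffs           = $logoffs.Count
        Authentications   = $auth.Count
    }
}

$report | Format-Table -AutoSize
```

Running `auditpol /get /category:"Logon/Logoff"` locally on a server or workstation shows whether the audit policy from step 1 has taken effect on that machine.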