KBI 310511 Empty Logon/Logoff Reports In Argent for Compliance


Argent for Compliance — all versions


11 Jun 2013


Customer archives Windows security logs from Domain Controllers, but all the Logon/Logoff reports turn out blank.

Technical Background

The customer may attempt to use domain accounts to log onto all servers and workstations. The customer may continue to archive Windows event logs from the Domain Controller, and expect to see all the Logon/Logoff activities — but this does not work.

Logon and authentication are two different concepts.

When the customer uses a domain account — yes, the Domain Controller AUTHENTICATES the logon account, but the logon process happens on the machine that customer logs onto, NOT the Domain Controller.

As a result, the Logon/Logoff events are present only in the machine that the customer logs onto only.


This is normal behavior.

In order to generate the Logon/Logoff reports, customers must do the following:

1. Audit the Logon/Logoff events in Domain Group Policy.

2. Archive Windows Security Logs from the servers and workstations, not just the Domain Controller