Interactive Logon/Logoff Filter

Created 2005-10-05 by Timm Herget

Please Note: This article is valid for EventReporter 8.x / MWAgent 4.x and lower. It describes how to set the filters so that only interactive logons and logoffs are captured.

Click on your “Filter Conditions”. The settings you need here depend on your operating system. If you work with Windows XP/2003, set the filters as shown in “Screenshot A” below. If you are using an older operating system, use “Screenshot B”. The difference is due to a bug in Windows.

If a user logs on to Windows interactively, event 528 with logon type 2 is logged.
Ostensibly, event 538 is logged whenever a user logs off, whether from a network connection, interactive logon, or other logon type. However, this event is not dependably logged, for a variety of reasons. In a nutshell, there is no way to reliably track user logoff events in the Windows environment. An interactive logoff is marked by logon type 2, too.

For further information about the issue with event 538 see this page.

Note: Beginning with Windows Server 2003, logoffs of logon type 2 sessions are logged with event 551.
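The filter logic described above, written out as an added example (not part of the original article and not EventReporter code). It assumes Screenshot A matches event 528 with logon type 2 plus event 551, and Screenshot B matches events 528 and 538 with logon type 2; the records and their field names are constructed for illustration. Because logoff events are not dependably logged, it also pairs logons with logoffs by logon ID and reports sessions that never received a logoff.

```python
INTERACTIVE = 2  # logon type 2 = interactive logon

# Constructed sample records; field names are assumptions for this example.
SAMPLE = [
    {"time": 1, "event_id": 528, "logon_type": 2, "logon_id": "0x1a2b", "user": "alice"},
    {"time": 2, "event_id": 528, "logon_type": 10, "logon_id": "0x2f00", "user": "bob"},  # not type 2
    {"time": 3, "event_id": 538, "logon_type": 3, "logon_id": "0x9999", "user": "svc"},   # network logoff
    {"time": 5, "event_id": 551, "logon_id": "0x1a2b", "user": "alice"},
    {"time": 6, "event_id": 538, "logon_type": 2, "logon_id": "0x1a2b", "user": "alice"},
    {"time": 7, "event_id": 528, "logon_type": 2, "logon_id": "0x3c4d", "user": "carol"},  # no logoff logged
    {"time": 8, "event_id": 551, "logon_id": "0x2f00", "user": "bob"},
]

def is_interactive_event(ev, modern=True):
    """modern=True: assumed filter A (XP/2003): 528 type 2, or 551.
    modern=False: assumed filter B (older Windows): 528 or 538, both type 2."""
    if ev["event_id"] == 528:
        return ev.get("logon_type") == INTERACTIVE
    if modern:
        return ev["event_id"] == 551
    return ev["event_id"] == 538 and ev.get("logon_type") == INTERACTIVE

def pair_sessions(events, modern=True):
    """Pair interactive logons with logoffs by logon ID.
    Returns (closed, still_open); still_open holds logons with no logoff event."""
    open_sessions, closed = {}, []
    for ev in events:
        if not is_interactive_event(ev, modern):
            continue
        lid = ev["logon_id"]
        if ev["event_id"] == 528:
            open_sessions[lid] = ev
        elif lid in open_sessions:
            # A logoff only counts if it matches a tracked type 2 logon;
            # the sample 551 records carry no logon type of their own.
            start = open_sessions.pop(lid)
            closed.append((start["user"], lid, start["time"], ev["time"]))
    still_open = [(e["user"], lid, e["time"]) for lid, e in open_sessions.items()]
    return closed, still_open

if __name__ == "__main__":
    for label, modern in (("Filter A", True), ("Filter B", False)):
        closed, still_open = pair_sessions(SAMPLE, modern)
        print(label, "closed:", closed, "no logoff seen:", still_open)
```

A session listed under "no logoff seen" is not proof the user is still logged on; it only means no matching logoff event reached the log.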

Screenshot A: Set the Filters for WinXP/2003

Screenshot B: Set the Filters for older Windows
Click here to download a ZIP-Package with the samples as registry files. The ZIP-Package contains 4 files. Two files are version A and B for EventReporter and the other two files are version A and B for MonitorWare Agent.