I’m in the process of evaluating Netwrix Auditor. After setting up the basic AD monitoring plan using a domain admin service account, I’ve noticed what I believe to be an excessive number of various account logged on/off and related events - about 400k in 24 hours. This nearly doubled the total number of such events for my entire company of about 80 users. This also compares rather unfavorably to the ~16k similar events for the auditing account used by ManageEngine’s ADAudit Plus. Is anyone else experiencing this? I pretty much did the default config for setting it up.
Hi Orion,
Reading what you describe, it sounds like it could be that you have enabled the collection of ‘Successful Non-Interactive Logons’ in the monitoring plan.
By default this setting is off, as it can create an excessive amount of activity (noise) if these logons are not required.
To verify this setting, edit your associated monitoring plan then edit the data source.
Regards,
Russell
Thanks for the reply. However, I don’t see that option - and again, I simply set up the plan with default settings. Here is what I see:
Hi Orion,
That one would be for your AD. Do you have a data source set up for the Logon Activity?
You may have set this up under one plan, or you would have created a separate plan, which would also be the recommended setup.
Regards,
Russell
No, the only data source I have is Active Directory.
OK, so as you only have the AD monitoring set up, I can only guess at this point that you are seeing the logons/logoffs to the DCs?
Would you be able to provide an example of what it is and the report you are using for a bit more clarity around the event to better diagnose?
Typically the logons would be collected via the logon activity data source.
We collect our Windows event logs into OpenSearch. Since installing AD Audit Plus and enabling the AD plan we are seeing lots of logon/off related events for the user configured for audit monitoring. Here is an example for a 24-hour period:
This works out to an average of one logon/logoff for the audit user every 3 seconds on each of the DCs. This seems excessive. Why not keep sessions open persistently?
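A quick way to quantify the volume described in this thread, added here as an example that is not from the thread or from Netwrix: a Python script that aggregates 4624/4634 events per account and domain controller from event records exported as JSON lines, computes events per hour and the mean interval between events, and breaks the count down by logon type so that a collector's Network (type 3) logons stand out from interactive user logons. The field layout (`winlog.event_id`, `winlog.computer_name`, `winlog.event_data.*`), the `svc-audit` account name and the 60 events/hour threshold are assumptions; the sample data is constructed in the script.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Windows Security log logon types (LogonType field of events 4624/4634).
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
               "10": "RemoteInteractive", "11": "CachedInteractive"}


def build_sample_log(hours=1):
    """Constructed sample data, not real telemetry: JSON lines shaped like
    Security-channel events shipped to OpenSearch. The field names
    (winlog.event_id, winlog.computer_name, winlog.event_data.*) are an
    assumption about the shipper's schema. A hypothetical collector account
    'svc-audit' logs on and off every 3 s on two DCs; two users log on a
    few times interactively."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    lines = []

    def emit(ts, event_id, dc, user, logon_type):
        lines.append(json.dumps({
            "@timestamp": ts.isoformat(),
            "winlog": {"event_id": event_id, "computer_name": dc,
                       "event_data": {"TargetUserName": user,
                                      "LogonType": logon_type}}}))

    for dc in ("DC01", "DC02"):
        for sec in range(0, hours * 3600, 3):
            ts = start + timedelta(seconds=sec)
            emit(ts, 4624, dc, "svc-audit", "3")
            emit(ts + timedelta(milliseconds=200), 4634, dc, "svc-audit", "3")
    for i, user in enumerate(("alice", "bob") * 3):
        emit(start + timedelta(minutes=10 * i), 4624, "DC01", user, "2")
    return lines


def summarize(lines, window_hours, event_ids=(4624, 4634)):
    """Aggregate logon/logoff events per (account, DC) over a collection
    window of window_hours: total count, count per logon type, events per
    hour and the mean seconds between consecutive events."""
    buckets = defaultdict(lambda: {"count": 0, "by_type": Counter()})
    for line in lines:
        w = json.loads(line)["winlog"]
        if w["event_id"] not in event_ids:
            continue
        data = w["event_data"]
        b = buckets[(data["TargetUserName"].lower(), w["computer_name"])]
        b["count"] += 1
        b["by_type"][LOGON_TYPES.get(data["LogonType"], data["LogonType"])] += 1
    return {
        key: {"count": b["count"], "by_type": dict(b["by_type"]),
              "per_hour": b["count"] / window_hours,
              "seconds_per_event": window_hours * 3600 / b["count"]}
        for key, b in buckets.items()
    }


def noisy_accounts(summary, max_per_hour=60):
    """Accounts whose logon/logoff rate on a DC exceeds max_per_hour (an
    assumed tuning threshold), loudest first. An account that shows only
    'Network' (type 3) logons at a steady rate is the usual polling suspect."""
    hits = [(acct, dc, s["per_hour"], s["by_type"])
            for (acct, dc), s in summary.items() if s["per_hour"] > max_per_hour]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    summary = summarize(build_sample_log(hours=1), window_hours=1)
    for acct, dc, rate, by_type in noisy_accounts(summary):
        print(f"{acct}@{dc}: {rate:.0f} events/h, one every "
              f"{3600 / rate:.1f} s, logon types {by_type}")
```

Against real data, replace `build_sample_log()` with the lines exported from the index for the period in question and pass the actual window length; the per-DC rate and the logon-type split are what you would bring to the vendor to show whether the volume is the collector's network logons or something else.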