I see in netwrix Auditor/ Reports/ Active Directory/Logon Activity/‘All Logon Activity’ and this works well and shows all logons, successful and failed. but what I don’t see is Logoff activity? where is the reporting for Logoff activity? it is there for domain controllers, but not for user stations.
Hey Ray! Welcome to the Netwrix Community! Unfortunately, logoff activity from workstations is not reported. A list of actions captured by Netwrix Auditor’s Logon Activity data source can be found at the bottom of this HelpCenter doc: https://helpcenter.netwrix.com/bundle/Auditor_10.7/page/Content/Auditor/Configuration/LogonActivity/Overview.htm
1 Like
Hi Ray,
As Tay mentions, the activity collected for Logons via Active Directory are only the successful logons or the failures,
However, you can capture the logon activity information from the endpoints by using the tool Event Log Manager, this is included in the license for the module Windows Server, it sits outside the main application and you will locate it in the start menu where Netwrix Auditor was deployed, here is a link that explains how to configure Event Log Manager. If configuring, don’t forget to send the events to Netwrix Auditor for reporting.
Another alternative also included in the Windows Server license, is the module User Activity Video Recorder or UAVR, this can be deployed to the Windows endpoints and captures metadata like logon/logoff etc. and everything else in between, (video recording can be switched off), you will also have a report that will provide a summary of the users total session time.
Regards,
Russell
Thanks Tay, I will check into pulling logoff events from the users station.
Ray.