Security Basics mailing list archives

Re: Monitoring security event logs


From: TheGesus <thegesus () gmail com>
Date: Tue, 23 Jan 2007 14:12:45 -0500

http://support.microsoft.com/kb/174073

I absolutely refuse to make the standard "Google is your friend" remark.

Ooops.

On 21 Jan 2007 19:27:12 -0000, g () 27 eclipse co uk <g () 27 eclipse co uk> wrote:
Hi all,

I am monitoring the logoff and logon event logs for some machines in my domain. I notice that for one single logon there are multiple successful logons in the event log. Sometimes the logon process is either or both "advapi" and "user32". Does anyone know the difference between these?

I try to pair the Logon IDs for each session to calculate logon times, and I notice on some occasions that the logon/logoff ID is the same, but parts of it have capitalisation. Does anyone know why? Also some logon IDs seem to not have a logoff ID pair? (even though the user has logged off) Does anyone know why?

Thanks in advance,
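
The Logon ID pairing described in the question, as an added example that is not part of the original thread: it compares the IDs as numbers, so a difference in the letter case of the hex digits cannot break a match, and it lists logons that never get a matching logoff. The record layout, the `(0x0,0x...)` ID text format and all sample values are constructed assumptions.

```python
from datetime import datetime

# Constructed sample records (not real log data):
# (timestamp, kind, logon process, Logon ID text as assumed to appear in the event)
EVENTS = [
    ("2007-01-21 09:00:05", "logon",  "User32", "(0x0,0x3E4F1A)"),
    ("2007-01-21 09:00:06", "logon",  "Advapi", "(0x0,0x3E5B02)"),
    ("2007-01-21 09:00:09", "logoff", "",       "(0x0,0x3e5b02)"),
    ("2007-01-21 17:30:00", "logoff", "",       "(0x0,0x3e4f1a)"),
    ("2007-01-21 18:10:00", "logon",  "User32", "(0x0,0x4A00C7)"),
]


def parse_logon_id(text):
    """Turn '(0x0,0x3E4F1A)' into a tuple of ints so hex letter case is irrelevant."""
    high, low = text.strip().strip("()").split(",")
    return (int(high, 16), int(low, 16))


def pair_sessions(events):
    """Return (sessions, unpaired).

    sessions: (logon_id, logon_process, seconds) for each logon with a matching logoff.
    unpaired: logon IDs that were never closed by a logoff record.
    """
    open_logons = {}
    sessions = []
    for stamp, kind, process, id_text in sorted(events):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        key = parse_logon_id(id_text)
        if kind == "logon":
            open_logons[key] = (when, process)
        elif key in open_logons:
            started, proc = open_logons.pop(key)
            sessions.append((key, proc, (when - started).total_seconds()))
    return sessions, sorted(open_logons)


if __name__ == "__main__":
    sessions, unpaired = pair_sessions(EVENTS)
    for key, proc, seconds in sessions:
        print("0x%X via %s: %d s" % (key[1], proc, seconds))
    for key in unpaired:
        print("0x%X has no logoff record" % key[1])
```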




