Strange behaviour with 4624 and 4634 EventID
Tags:
#1
benno
I'm trying to collect EventID 4624 and 4634 for Logon Type 10, to store RDP access to my 2 Domain Controllers.
- same Windows version (2012 R2)
- same audit config in windows
- same NXlog version installed (community edition)
- same nxlog.conf file
My issue:
- from DC 1 I'm getting both 4624 and 4634
- from DC 2 I'm getting only 4634 :(
Additional info:
- in windows Event Viewer I have my 4624 in DC2 ...
- reinstalled nxlog
- rebooted my DC
- DEBUG level in nxlog but no evidence of problem
Thx a lot for your support, Benno
#1
benno
I'm trying to collect EventID 4624 and 4634 for Logon Type 10, to store RDP access to my 2 Domain Controllers.
same Windows version (2012 R2)
same audit config in windows
same NXlog version installed (community edition)
same nxlog.conf file
My issue:
from DC 1 I'm getting both 4624 and 4634
from DC 2 I'm getting only 4634 :(
Additional info:
in windows Event Viewer I have my 4624 in DC2 ...
reinstalled nxlog
rebooted my DC
DEBUG level in nxlog but no evidence of problem
Thx a lot for your support,
Benno
Greetings,
If it is working for one and not the other, that usually means it is not an issue with NXLog or the conf file. Can you share your sanitized configuration file and I can look it over?
~Seth S.
