Hi Guys,

I have only just noticed that Logoff events from a Windows source do not
include the IP or hostname of the server where they are executed. Most
other events do have this information from the same host. I had a look
at the collector and couldn't spot anything obvious. Anyway, looking a
bit further into it, it appears that Windows itself (certainly the
Windows 7 event source I am using) doesn't record the computer name or
IP in logoff events, but it does on, say, a login event. How strange?!

OK, so I guess there are some things I could do around looking to see
where the user had previously logged on etc. I am wondering what other
people have done with these events in the past? Is there something that
can be changed on the windows side to start recording source IP or
source computer name etc for these event types?

I was just looking about when I spotted this, but it seems odd that Microsoft
omits these details from the logoff event. There is a picture of a login
and logoff event from my test setup here: [image]

Quick description of the test environment that I spotted this in:

* Sentinel 7.0.2
* Windows Server 2008R2 DC and WECS server
* Windows 7 Event source.
* Latest collector and connector for Windows (Jan 2013 collector; tried
older collector first)

alanforrest's Profile: https://forums.netiq.com/member.php?userid=363
View this thread: https://forums.netiq.com/showthread.php?t=46661
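
One way to do the "where had the user previously logged on" lookup raised in the post, as an added example that is not part of the original post or of the Sentinel collector: join each logoff event to the logon event that carries the same Logon ID on the same host. It assumes the events are already parsed into dicts using the standard Windows Security log field names (event 4624 for logon, 4634 for logoff, `TargetLogonId`, `IpAddress`, `WorkstationName`); the `enrich_logoffs` function, the output field names and the sample events are constructed for illustration.

```python
LOGON, LOGOFF = 4624, 4634  # Windows Security log: logon / logoff


def enrich_logoffs(events):
    """Copy the source address from each logon onto its matching logoff.

    `events` is an iterable of dicts in chronological order.
    """
    sessions = {}  # (host, logon id) -> logon event still open
    enriched = []
    for ev in events:
        # A Logon ID is only unique on one host, so the host is part of the key.
        key = (ev["Computer"].lower(), ev["TargetLogonId"].lower())
        if ev["EventID"] == LOGON:
            sessions[key] = ev
        elif ev["EventID"] == LOGOFF:
            logon = sessions.pop(key, None)
            out = dict(ev)
            # No logon seen (it may predate the collected window): flag the
            # event instead of guessing from the user's other sessions.
            out["SourceIp"] = logon["IpAddress"] if logon else None
            out["SourceWorkstation"] = logon["WorkstationName"] if logon else None
            out["Correlated"] = logon is not None
            enriched.append(out)
    return enriched


def _event(event_id, host, user, logon_id, ip=None, workstation=None):
    """Build one constructed sample event."""
    ev = {"EventID": event_id, "Computer": host,
          "TargetUserName": user, "TargetLogonId": logon_id}
    if event_id == LOGON:
        ev.update(IpAddress=ip, WorkstationName=workstation)
    return ev


# Constructed sample events (documentation addresses, not from the post).
SAMPLE = [
    _event(LOGON, "WIN7-01", "alice", "0x3e7a1", "192.0.2.10", "WKS-A"),
    _event(LOGON, "WIN7-02", "bob", "0x3e7a1", "192.0.2.20", "WKS-B"),
    _event(LOGOFF, "WIN7-01", "alice", "0x3E7A1"),
    _event(LOGOFF, "WIN7-01", "carol", "0x99999"),
    _event(LOGOFF, "WIN7-02", "bob", "0x3e7a1"),
]

if __name__ == "__main__":
    for row in enrich_logoffs(SAMPLE):
        print(row["Computer"], row["TargetUserName"], row["SourceIp"], row["Correlated"])
```
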