
Missing Fields in Windows Event 4624

I am pulling Windows events 4624 from a 2012 R2 Domain Controller using the WMI receiver. When I look at the Logon_Type field, I see it is not populated for all events. At first I thought it might be due to aggregation, but even when the Event Count is 1 this field may be empty. I couldn't figure out the logic for when it's populated and when it's not.

Furthermore, when I query for a specific Logon_Type value I am getting events in which this field is empty. See screenshot.

I am running ESM 9.4.2

Any insight would be much appreciated.

Thanks,

Doron

2 Replies

Re: Missing Fields in Windows Event 4624

dkeller,

How are your domain controller data sources configured? Are they configured like the picture below:

DC_Config.PNG

Re: Missing Fields in Windows Event 4624

Hi,

I have the same issue as Doron Keller. My configuration is the same as the one you attached.

Not only Logon_Type; Logon_id is missing too.

Thanks,

Cecilia