This content has been marked as final. Show 2 replies
I am pulling Windows events 4624 from a 2012 R2 Domain Controller using the WMI receiver. When I look at the Logon_Type field, I see it is not populated for all events. First I thought it may be due to aggregation but even when the Event Count is 1 this field may be empty. I couldn't figure out the logic when it's populated and when not.
Furthermore, when I query for a specific Logon_Type value I am getting events in which this field is empty. See screenshot.
I am running ESM 9.4.2
Any insight would be much appreciated.