2 Replies Latest reply on Aug 7, 2015 2:52 AM by ceciliax

    Missing Fields in Windows Event 4624

    dkeller

      I am pulling Windows events 4624 from a 2012 R2 Domain Controller using the WMI receiver. When I look at the Logon_Type field, I see it is not populated for all events. At first I thought it might be due to aggregation, but even when the Event Count is 1 this field may be empty. I couldn't figure out the logic for when it's populated and when it's not.

       

      Furthermore, when I query for a specific Logon_Type value I am getting events in which this field is empty. See screenshot.

       

      I am running ESM 9.4.2.

       

      Any insight would be much appreciated.

       

      Thanks,

      Doron