1 of 1 people found this helpful
If all you want is a simple log on and log off then these two IDs should work fine. 4624 is your logon ID and 4634 is your logoff.
If you have Windows Event Log Forwarder configured to forward Event Viewer > Security logs then all you need to do is build a filter on the syslog server or web access. If you don't have it configured already you can try this. In Event Log Forwarder you can select Event Viewer and check Security. Then you can add the two above event IDs in the include or exclude field.
I would build a RegExp filter to get a specific report and email alert for this event. Build the filter with the event IDs in the include field. Add the username to the and field. This should only show you logons and logoffs from the user ID you are looking for. You can also add the IPs of the servers but I wouldn't limit it to just IPs. I would want to know anytime the domain admin account logs on.
The include field in the filter would look like this "\b4624\b" "\b4634\b". The \b will make sure that the event ID is matched exactly.
The and field would look like this "username". Just add more user names if you have more than one domain admin.
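The include/and filter described in this answer, as an added example that is not part of the original post or of the forwarder product: it applies the same two `\b4624\b` / `\b4634\b` include patterns and a username "and" term to a handful of constructed syslog-style lines, and also counts how many lines would match if the `\b` anchors were dropped, to show why the answer insists on them. The line layout (`EventID=`, `Account Name:`), host names, account names and addresses are all constructed assumptions, not the exact format any forwarder emits; the username term is wrapped in `\b` as well, one step beyond the plain `"username"` in the answer, so that `admin.jane` does not also match `admin.janet`.

```python
import re

# Constructed sample lines shaped like forwarded Windows Security events.
# Field layout, hosts, accounts and IPs are assumptions for this example.
SAMPLE_LINES = [
    "Jan 10 09:12:01 DC01 Security: EventID=4624 Account Name: admin.jane Logon Type: 10 Source Network Address: 10.0.0.5",
    "Jan 10 09:13:44 DC01 Security: EventID=4634 Account Name: admin.jane Logon Type: 10",
    "Jan 10 09:14:02 DC01 Security: EventID=4624 Account Name: svc.backup Logon Type: 3 Source Network Address: 10.0.0.9",
    "Jan 10 09:15:30 DC01 Security: EventID=4672 Account Name: admin.jane",
    "Jan 10 09:16:11 FS02 Security: EventID=46241 Account Name: admin.jane",
    "Jan 10 09:17:05 FS02 Security: EventID=4624 Account Name: admin.janet Logon Type: 2 Source Network Address: 10.0.0.7",
]

# The "include" field from the answer: either event ID, matched as a whole word.
INCLUDE_PATTERNS = [r"\b4624\b", r"\b4634\b"]
# The "and" field: the domain admin account(s) to watch (constructed name).
AND_PATTERNS = [r"\badmin\.jane\b"]

EVENT_NAMES = {"4624": "logon", "4634": "logoff"}

# Assumed line shape: "<timestamp> <host> Security: <message>".
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) Security: (?P<msg>.*)$")
EVENT_RE = re.compile(r"EventID=(?P<event_id>\d+)\s+Account Name:\s+(?P<account>\S+)")


def build_filter(include, and_terms):
    """Return a predicate: ANY include pattern matches AND EVERY and-term matches."""
    inc = [re.compile(p) for p in include]
    req = [re.compile(p) for p in and_terms]
    return lambda line: any(r.search(line) for r in inc) and all(r.search(line) for r in req)


def parse_line(line):
    """Pull time, host, event ID and account out of one line; None if it does not fit."""
    m = LINE_RE.match(line)
    e = EVENT_RE.search(m.group("msg")) if m else None
    if not m or not e:
        return None
    event_id = e.group("event_id")
    return {
        "time": m.group("ts"),
        "host": m.group("host"),
        "event_id": event_id,
        "account": e.group("account"),
        "kind": EVENT_NAMES.get(event_id, "other"),
    }


def filter_events(lines, include=INCLUDE_PATTERNS, and_terms=AND_PATTERNS):
    """Apply the include/and filter and return parsed records for the lines that pass."""
    match = build_filter(include, and_terms)
    return [rec for rec in (parse_line(l) for l in lines if match(l)) if rec]


def count_matches(lines, include, and_terms):
    """How many raw lines a given include/and combination lets through."""
    match = build_filter(include, and_terms)
    return sum(1 for l in lines if match(l))


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_LINES):
        print(f"{ev['time']} {ev['host']} {ev['kind']:6} {ev['event_id']} {ev['account']}")
    # Without \b anchors, 46241 and admin.janet slip through as well.
    print("anchored:", count_matches(SAMPLE_LINES, INCLUDE_PATTERNS, AND_PATTERNS))
    print("unanchored:", count_matches(SAMPLE_LINES, ["4624", "4634"], ["admin.jane"]))
```

With the anchored patterns only the two `admin.jane` logon/logoff lines survive; dropping `\b` lets the `46241` line and the `admin.janet` logon through too, which is the false-positive class the answer's `\b` is there to exclude. The same predicate can be pointed at a real forwarder feed once the line layout is adjusted to what the server actually receives.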