To capture the interactive logon, you do need an agent on their workstation, and the audit account logon audit policies enabled on that system. If you're seeing it in the event log and there's an agent installed, just make sure you also have the right security log connector enabled (it will try to choose the right one on install).
If you can't have an agent on the workstation, you might have to monitor your DCs for their network logons, but these will happen pretty much constantly while they are logged in, so we might have to do something like refine the timeframe or build clever lists that try to track their first logon time. Might be some manual labor involved with that route.
If you're going the agent route, are you seeing the interactive logons in the security log on those systems themselves? (If not, probably a policy issue.)
If you're seeing them in the security log, we can troubleshoot and figure out the LEM side.
It was not logging user logons on DC, as they have a separate policy from the rest of the network.