Windows Event Collector generates multiple logon/logoff events in Windows Security Logs.
The Windows Event Collector sensor performs a separate logon operation for each log type it monitors. If the Application, Security and System logs are monitored, three logons are performed.
Additionally, a logon operation error may occur if a session to the remote computer is already open. This causes additional logon/logoff events, because the active session must be closed before the sensor attempts to log on again.
As a result, in some circumstances 3 logon and 3 logoff events will be generated for the 3 standard log types.
There may also be extra events related to privileges being granted, etc.
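To confirm that a burst of logon/logoff entries matches the per-log behaviour described above, the following added example (not part of the original article or the product) summarises Security log events for the sensor's account per time bucket on the monitored computer. The account name, look-back window and bucket size are assumptions to adjust; the event IDs are the standard Windows ones for logon (4624), logoff (4634) and special privileges assigned (4672).

```powershell
# Assumed values (not from the article): set these for your environment.
$Account       = 'svc-collector'   # hypothetical account used by the sensor
$MonitoredLogs = 3                 # Application, Security, System
$Since         = (Get-Date).AddHours(-1)
$BucketSeconds = 60                # assumes one polling cycle fits in a bucket

# 4624 = logon, 4634 = logoff, 4672 = special privileges assigned to new logon
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4672
    StartTime = $Since
} -ErrorAction SilentlyContinue

$epoch = [datetime]'1970-01-01'
$rows = foreach ($e in $events) {
    # Flatten the named EventData fields into a hashtable
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    # 4672 records the account as SubjectUserName; 4624/4634 use TargetUserName
    $user = if ($e.Id -eq 4672) { $data['SubjectUserName'] } else { $data['TargetUserName'] }
    if ($user -ne $Account) { continue }

    $seconds = ($e.TimeCreated.ToUniversalTime() - $epoch).TotalSeconds
    [pscustomobject]@{
        Bucket = [math]::Floor($seconds / $BucketSeconds)
        Time   = $e.TimeCreated
        Id     = $e.Id
        Source = $data['IpAddress']   # populated on 4624 only
    }
}

$rows | Group-Object Bucket | ForEach-Object {
    $logons  = @($_.Group | Where-Object Id -eq 4624).Count
    $logoffs = @($_.Group | Where-Object Id -eq 4634).Count
    [pscustomobject]@{
        Start      = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
        Logons     = $logons
        Logoffs    = $logoffs
        Privileges = @($_.Group | Where-Object Id -eq 4672).Count
        Sources    = ($_.Group.Source | Where-Object { $_ } | Sort-Object -Unique) -join ','
        # More logons than monitored logs: session retry as described above,
        # or other activity under this account that needs review.
        AboveExpected = $logons -gt $MonitoredLogs
    }
} | Sort-Object Start | Format-Table -AutoSize
```

Rows whose `Sources` value is not the collector host, or whose logons and logoffs do not pair up, are the ones that fall outside the pattern this article describes.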
Imported Document ID: TECH122724