5 Replies Latest reply on Feb 6, 2019 11:29 AM by sjesse

    Logon Monitor messages and no Session logging locally or remote

    vBritinUSA Novice

      Running

      Windows 10 1809 LTSC

      Horizon 7.7, UEM 9.6 & AV 2.15

      I am trying to use Logon Monitor to help resolve some login issues. I would like to push the logs to a remote server, but at the moment I am not even able to generate the logs.

      I have set the service to Automatic and the service runs using "local system", and I see the vmlm.txt file with an up-to-date timestamp of the last login. When I look at the last entries of the file I see a lot of these messages.

       

       

      2019-02-04T15:10:05.425 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 4001
      2019-02-04T15:10:05.435 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 8001
      2019-02-04T15:10:05.435 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 8004
      2019-02-04T15:10:05.435 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 4016
      2019-02-04T15:10:05.445 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 5016
      2019-02-04T15:10:05.445 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 5326
      2019-02-04T15:10:05.453 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 5327
      2019-02-04T15:10:05.455 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 5314
      2019-02-04T15:10:05.465 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 1
      2019-02-04T15:10:05.496 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 2
      2019-02-04T15:10:05.506 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 6
      2019-02-04T15:10:05.516 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 7
      2019-02-04T15:10:05.516 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 5
      2019-02-04T15:10:05.567 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 1000
      2019-02-04T15:10:05.607 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 1001
      2019-02-04T15:10:05.607 INFO (0de4-0e90) [LogonMonitor::StartEventLogNotifications] Started Event Log Notifications
      2019-02-04T15:10:05.607 TRACE (0de4-0e90) [LogonMonitor::Start] LogonMonitor: Started
      2019-02-04T15:10:05.678 TRACE (0de4-0e90) [CServiceModule::Run] Started Winlogon Notification Server
      2019-02-04T15:10:06.202 TRACE (0de4-1254) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5326, ActivityID: {E22C3545-AE54-4D8F-8DBE-F8D4D5DAF92A}, Account:
      2019-02-04T15:10:07.230 TRACE (0de4-1254) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5016, ActivityID: {E22C3545-AE54-4D8F-8DBE-F8D4D5DAF92A}, Account:
      2019-02-04T15:10:07.230 TRACE (0de4-1254) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 4016, ActivityID: {E22C3545-AE54-4D8F-8DBE-F8D4D5DAF92A}, Account:
      2019-02-04T15:10:07.230 TRACE (0de4-1254) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5327, ActivityID: {E22C3545-AE54-4D8F-8DBE-F8D4D5DAF92A}, Account:
      2019-02-04T15:10:07.230 TRACE (0de4-126c) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5314, ActivityID: {E22C3545-AE54-4D8F-8DBE-F8D4D5DAF92A}, Account:
      2019-02-04T15:34:49.585 TRACE (0de4-0bc0) [LogonMonitor::ProcessLogonEvent] Failed to find (or could not uniquely matched) Session for Profile Event 1
      2019-02-04T15:34:49.585 TRACE (0de4-0bc0) [LogonMonitor::ProcessLogonEvent] Failed to find (or could not uniquely matched) Session for Profile Event 5
      2019-02-04T15:34:49.585 TRACE (0de4-0bc0) [LogonMonitor::ProcessLogonEvent] Failed to find (or could not uniquely matched) Session for Profile Event 7
      2019-02-04T15:34:49.585 TRACE (0de4-0bc0) [LogonMonitor::ProcessLogonEvent] Failed to find (or could not uniquely matched) Session for Profile Event 6
      2019-02-04T15:34:49.585 TRACE (0de4-0bc0) [LogonMonitor::ProcessLogonEvent] Failed to find (or could not uniquely matched) Session for Profile Event 5
      2019-02-04T15:34:49.610 TRACE (0de4-0bc0) [LogonMonitor::ProcessLogonEvent] Failed to find (or could not uniquely matched) Session for Profile Event 2
      2019-02-04T15:34:50.174 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 4001, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account: domain\billybob
      2019-02-04T15:34:50.174 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5326, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account:
      2019-02-04T15:34:51.294 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5016, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account:
      2019-02-04T15:34:51.294 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 4016, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account:
      2019-02-04T15:34:51.294 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5327, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account:
      2019-02-04T15:34:51.294 TRACE (0de4-1030) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5314, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account:
      2019-02-04T15:34:51.294 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 4016, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account:
      2019-02-04T15:34:53.829 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 8001, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account: domain\billybob
      2019-02-04T15:34:53.829 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5016, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account:
      2019-02-04T15:34:53.834 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5016, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account:
      2019-02-04T15:34:53.834 TRACE (0de4-1030) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 4016, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account:

       

       

      The other part to this is that the vmlm_session file is not being created, just the vmlm.txt. That I cannot figure out either.

      I have the registry remote path set to \\server\domain.com\LogonMonitor$\%username%.%userdomain%

      flag - 0x8 was 0x3 and still nothing.

      The server has the following.

      Share - Domain Users - Full Control

      NTFS - Domain Users - Full Control

      Overkill, I know; once it's working I will work backward to lock it down.

       

       

      Thanks in advance.
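
      The failure lines in the excerpt above can be grouped by ActivityID to check whether the misses are tied to particular events or affect every event the service subscribed to. This is an added example, not part of the original post and not VMware code; the regular expressions are inferred from the lines shown in the post, and SAMPLE is a constructed subset of them.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the vmlm.txt lines quoted in the post.
SAMPLE = r"""
2019-02-04T15:10:05.425 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 4001
2019-02-04T15:10:05.445 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 5326
2019-02-04T15:10:05.465 TRACE (0de4-0e90) [LogonMonitor::RegisterEventSubscriber] Registered for Event: 1
2019-02-04T15:10:06.202 TRACE (0de4-1254) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5326, ActivityID: {E22C3545-AE54-4D8F-8DBE-F8D4D5DAF92A}, Account:
2019-02-04T15:34:49.585 TRACE (0de4-0bc0) [LogonMonitor::ProcessLogonEvent] Failed to find (or could not uniquely matched) Session for Profile Event 1
2019-02-04T15:34:50.174 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 4001, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account: domain\billybob
2019-02-04T15:34:50.174 TRACE (0de4-0bc0) [LogonMonitor::ProcessGroupPolicyEvent] Failed to find Session for User PolicyEvent Id: 5326, ActivityID: {CCB625D0-089D-4119-A381-35F38781F813}, Account:
"""

LINE = re.compile(r"^(\S+)\s+([A-Z]+)\s+\(([0-9a-f]+)-([0-9a-f]+)\)\s+\[([^\]]+)\]\s+(.*)$")
REGISTERED = re.compile(r"Registered for Event: (\d+)$")
GP_MISS = re.compile(r"Failed to find Session for User PolicyEvent Id: (\d+), "
                     r"ActivityID: (\{[0-9A-Fa-f-]+\}), Account:\s*(.*)$")
PROFILE_MISS = re.compile(r"Failed to find .* Session for Profile Event (\d+)$")

def triage(text):
    """Group uncorrelated events by Group Policy ActivityID; count lines that do not parse."""
    out = {"registered": set(), "profile_misses": [], "unparsed": 0,
           "gp_misses": defaultdict(lambda: {"events": [], "accounts": set()})}
    for raw in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE.match(raw)
        if not m:
            out["unparsed"] += 1
            continue
        msg = m.group(6)
        if (r := REGISTERED.search(msg)):
            out["registered"].add(int(r.group(1)))
        elif (g := GP_MISS.search(msg)):
            entry = out["gp_misses"][g.group(2)]
            entry["events"].append(int(g.group(1)))
            if g.group(3):                      # Account is blank on most lines
                entry["accounts"].add(g.group(3))
        elif (p := PROFILE_MISS.search(msg)):
            out["profile_misses"].append(int(p.group(1)))
    return out

def delivered_but_unmatched(result):
    """Event IDs the service subscribed to that later arrived without a matching session."""
    missed = set(result["profile_misses"])
    for entry in result["gp_misses"].values():
        missed.update(entry["events"])
    return sorted(result["registered"] & missed)

if __name__ == "__main__":
    print(delivered_but_unmatched(triage(SAMPLE)))
```

      Run against the full vmlm.txt, the per-ActivityID grouping separates the pass with a blank Account on every line from the pass that names a user account.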