I'm trying to write a service that will sit on the domain controller (or, if
this proves to be impossible, to be rolled to all connecting Windows
machines).
It needs to get notification of each logon and logoff, capturing username &
IP address. I've currently got a test application to check the inputs &
outputs and the business logic is using EventLog_OnEntryWritten to trap 538's
& 540's. Unfortunately (and peculiarly) a physical logon logs multiple logon
and logoff events, and a logoff does the same (albeit only a few extras).
Since each one triggers an event in the logic, part of which records the
state, the user can be (after logon) in either a state of logged on or logged
off.
Does anybody have a definitive method for capturing logon & logoff events?