Hello Team,
I am forwarding all security events to Splunk (from the DC) and tracking logon (4624) vs. logoff (4634) events, and I noticed that sometimes I see a logoff event just a second after I log on via RDP (and in such a case I never receive a logon event).
As a result, I see more 4634 logoff events than logon (4624) events.
Moreover, I see logoff events with an ID for which a logon event does not exist (and as per the documentation it should).
That happens randomly, but for a large part of my RDP sessions; for the rest I have correct logon and logoff events.
That is not user dependent: the same user sometimes sends the right logon+logoff pair, sometimes only a logoff.
Windows 2012R2. Could you please help me? Is it a bug?
Thanks,
Michal
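
One way to quantify the mismatch described in the question, as an added example that is not part of the original post: pair 4624 and 4634 records by host and Logon ID and list the logoffs that have no matching logon. The records are constructed, and the `time` and `host` keys and the function names are assumptions; `TargetLogonId` and `LogonType` are the EventData field names of these two events.

```python
from collections import Counter

LOGON, LOGOFF = 4624, 4634

def ev(time, host, event_id, logon_id, logon_type):
    # "time" (seconds) and "host" are assumed keys added by the collector.
    return {"time": time, "host": host, "id": event_id,
            "TargetLogonId": logon_id, "LogonType": logon_type}

# Constructed sample records, not real logs.
EVENTS = [
    ev(100, "DC01", LOGON, "0x1a2b", 10),
    ev(160, "DC01", LOGOFF, "0x1A2B", 10),   # same ID, different hex case
    ev(201, "DC01", LOGOFF, "0x3c4d", 3),    # no 4624 with this ID
    ev(305, "DC01", LOGOFF, "0x5e6f", 10),   # indexed before its logon
    ev(300, "DC01", LOGON, "0x5e6f", 10),
    ev(400, "DC01", LOGON, "0x7a8b", 10),    # session still open
    ev(410, "DC02", LOGOFF, "0x7a8b", 10),   # same ID, other host
]

def pair_sessions(events):
    """Return (paired, orphan_logoffs, open_logons) keyed on host + Logon ID."""
    open_logons, paired, orphans = {}, [], []
    # Sort by event time (logon first on ties) so indexing order
    # does not produce false orphans.
    for e in sorted(events, key=lambda e: (e["time"], e["id"] != LOGON)):
        # A Logon ID is only meaningful on the host that issued it.
        key = (e["host"].lower(), int(e["TargetLogonId"], 16))
        if e["id"] == LOGON:
            open_logons[key] = e
        elif e["id"] == LOGOFF:
            start = open_logons.pop(key, None)
            if start is None:
                orphans.append(e)
            else:
                paired.append((start, e, e["time"] - start["time"]))
    return paired, orphans, list(open_logons.values())

def orphans_by_logon_type(orphans):
    """Count orphan logoffs per LogonType to show which logon types they belong to."""
    return dict(Counter(e["LogonType"] for e in orphans))

if __name__ == "__main__":
    paired, orphans, still_open = pair_sessions(EVENTS)
    print(len(paired), "paired;", len(still_open), "open")
    for e in orphans:
        print("orphan 4634", e["host"], e["TargetLogonId"], "type", e["LogonType"])
    print(orphans_by_logon_type(orphans))
```

Grouping the orphan logoffs by `LogonType` shows whether they belong to the same logon type as the paired RDP sessions or to a different one.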