User Logoff
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4.
Ostensibly, event 538 is logged whenever a user logs
off, whether from a network connection, interactive logon, or other
logon type. However, this event is not dependably
logged, for a variety of reasons. In a nutshell, there is no way
to reliably track user logoff events in the Windows environment.
Note: Beginning with Windows Server 2003, logoffs of logon type 2 sessions are
logged with event 551.
For network connections (such as to a file server), it will
appear that users log on and off many times a day. This phenomenon
is caused by the way the Server service terminates idle connections.
If a user turns off his/her computer, Windows does not have an
opportunity to log the logoff event until the system restarts.
Therefore, some logoff events are logged much later than the time at which they actually occur.
Sometimes Windows simply doesn't log event 538.
Microsoft's comments:
This event does not necessarily indicate the time that a user has stopped using a system. For example, if the computer is shut down or loses network connectivity it may not record a logoff event at all.
