Audit Category: Logon/Logoff (Vista and Windows Server 2008)

Modified: 2008/01/13 23:26 by Randy Franklin Smith
To log these events you must either enable the entire category using the Audit logon events policy, or enable individual subcategories below using the auditpol command.
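The auditpol route, as an added PowerShell example that is not part of the original page: it backs up the current policy, enables the category (or just the subcategories you want), and verifies the result. The subcategory names are assumed from auditpol's own listing (`auditpol /list /subcategory:*`), not from this page, and the backup path is a placeholder; run it from an elevated prompt.

```powershell
# Added example (not from the Ultimate Windows Security page).
# Assumptions: Vista / Server 2008 auditpol.exe; subcategory names "Logon" and
# "Logoff" as listed by "auditpol /list /subcategory:*"; an elevated shell.

$BackupFile = 'C:\PLACEHOLDER\auditpol-before.csv'   # placeholder path, not from the page

# Keep a copy of the policy you are about to change so it can be restored with
# auditpol /restore /file:<path>
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
auditpol /backup /file:$BackupFile

# What is in effect right now for the whole Logon/Logoff category
auditpol /get /category:"Logon/Logoff"

# Option 1: the whole category, success and failure (equivalent in scope to
# the legacy "Audit logon events" policy)
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

# Option 2: only the subcategories you need. Failed logoffs are not a useful
# signal, so only successes are recorded for Logoff.
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:disable

# Verify the change took
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Logoff"

# Caveat check: if the legacy category-level policy is still applied by Group
# Policy it overrides these subcategory settings unless the LSA value
# SCENoApplyLegacyAuditPolicy is set to 1 ("Audit: Force audit policy
# subcategory settings ... to override audit policy category settings").
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory settings may be overwritten by legacy category policy at next policy refresh.'
}
```

The backup step is there because `auditpol /set` takes effect immediately and there is no undo; the warning at the end covers the most common reason subcategory settings silently revert on a domain-joined Vista/2008 host.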

About this category

Following is an excerpt from: The Windows Server 2003 Security Log Revealed.

Whether a user logs on by using a local SAM account or a domain account, the Logon/Logoff category records the attempt on the system to which the user tries to log on. When the user logs on to a workstation’s console, the workstation records a Logon/Logoff event. When you access a Windows server on the network, the relevant Logon/Logoff events appear in the server’s Security log. So, although account logon events associated with domain accounts are centralized on DCs, Logon/Logoff events are found on every system in the domain.

Logon/Logoff events aren’t a good option for tracking domain account authentication or for detecting attempts to access computers by using local SAM accounts. However, they do provide some information not available otherwise. First and foremost, Logon/Logoff events on a given system give you a complete record of all attempts to access that computer, regardless of the type of account used. Second, these events reveal the type of logon, which you can’t determine from Account Logon events. Ostensibly, this category should also provide the ability to track the logon session itself, identifying not just the logon event but also the logoff. Unfortunately, the value of logoff events is questionable at best. Logon/Logoff events also provide the IP address of the client computer, which is useful information for NTLM-based logons because NTLM Account Logon events don’t provide the IP address. Finally, the Logon/Logoff category provides two event IDs specific to Terminal Services activity.
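To see the three points above (per-system record, logon type, client IP) and to measure how often a logoff is actually recorded, here is an added PowerShell example that is not part of the original page or the book it excerpts. It assumes the Vista/Server 2008 event IDs 4624 (successful logon), 4634 (logoff) and 4647 (user-initiated logoff), which this page does not list, and read access to the Security log on the target system; the function name and its parameters are my own.

```powershell
# Added example (not from the Ultimate Windows Security page).
# Assumptions: Vista / Server 2008 Security log; event IDs 4624/4634/4647;
# EventData fields TargetLogonId, LogonType, IpAddress, TargetUserName,
# TargetDomainName, WorkstationName, AuthenticationPackageName.

$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-LogonSessionReport {
    # Hypothetical helper: one row per logon session on $ComputerName, with the
    # logon type, client IP and whether any logoff event shares its Logon ID.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000
    )
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4647 } `
        -ErrorAction SilentlyContinue

    $logons  = @{}   # TargetLogonId -> session row
    $logoffs = @{}   # TargetLogonId -> first logoff time seen

    foreach ($e in $events) {
        $d  = ConvertFrom-EventData $e
        $id = $d['TargetLogonId']
        if ($e.Id -eq 4624) {
            $t  = [int]$d['LogonType']
            $tn = 'Other'
            if ($LogonTypeName.ContainsKey($t)) { $tn = $LogonTypeName[$t] }
            $logons[$id] = New-Object PSObject -Property @{
                Computer    = $ComputerName
                Time        = $e.TimeCreated
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType   = $t
                TypeName    = $tn
                ClientIP    = $d['IpAddress']            # the address Account Logon events lack for NTLM
                Workstation = $d['WorkstationName']
                AuthPackage = $d['AuthenticationPackageName']
                LogonId     = $id
                LogoffSeen  = $false
            }
        }
        elseif (-not $logoffs.ContainsKey($id)) {
            $logoffs[$id] = $e.TimeCreated
        }
    }
    # A logoff only counts if it can be tied back to a logon by Logon ID
    foreach ($id in $logoffs.Keys) {
        if ($logons.ContainsKey($id)) { $logons[$id].LogoffSeen = $true }
    }
    $logons.Values | Sort-Object Time
}

# Usage: network (3) and Terminal Services (10) logons with their client IPs,
# then the share of sessions for which no logoff was ever recorded.
$report = @(Get-LogonSessionReport)
$report | Where-Object { $_.LogonType -eq 3 -or $_.LogonType -eq 10 } |
    Format-Table Time, User, TypeName, ClientIP, AuthPackage, LogoffSeen -AutoSize
$missing = @($report | Where-Object { -not $_.LogoffSeen }).Count
"{0} of {1} logon sessions on {2} have no matching logoff event" -f $missing, $report.Count, $env:COMPUTERNAME
```

Run it against a file server and then a workstation and the first point of the excerpt shows up directly: each system reports only its own logons, whatever account type was used. The final line is the practical face of the "questionable value" remark about logoffs; network logons in particular are torn down without a reliably matching logoff record, so the count of unmatched sessions is usually large.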


Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, All rights reserved. Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. Terms and conditions.