Event Details
Operating System->InTrust Superior logon/logoff events->EventID 111 - User session was started while monitoring service was not running.
EventID 111 - User session was started while monitoring service was not running.
A user session was started on computer %Where% by user %IS1% before the start of the user session monitoring service. This session was detected at %IS13%.
 Sample:

                                
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: InTrust User Session Tracking
Filtering Field Equals to Value
EventId 111
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. -
Source Name of an Application or System Service originating the event. -
Type Warning, Information, Error, Success, Failure, etc. -
User Domain\Account name of user/service/computer initiating event. -
Computer Name of server workstation where event was logged. -
EventID Numerical ID of event. Unique within one Event Source. -
Description The entire unparsed event message. -
Log Name The name of the event log (e.g. Application, Security, System, etc.) -
User Name User name. -
Domain Name Domain name. -
DNS Domain Name DNS domain name. InsertionString4
User's SID User's SID. InsertionString5
LUID - Session Logon LUID - session logon. InsertionString6
Terminal Services Session ID Terminal Services session ID. InsertionString7
Logon Type Logon type. InsertionString9
Source Workstation Source display name. InsertionString10
Source Network Address Source network address. InsertionString11
Start Time Start time (yyyy-MM-dd HH:mm:ss). InsertionString13
Comments
You must be logged in to comment