Note: Logon Auditing is only available in Pro, Ultimate and Enterprise versions of Windows 8.
What is Logon Auditing
Logon Auditing is a built-in Windows Group Policy Setting which enables a Windows admin to log and audit each instance of user login and log off activities on a local computer or over a network. Along with log in and log off event tacking, this feature is also capable of tracking any failed attempts to log in. This is particularly helpful in determining and analyzing any attacks on your Windows machine.
Enable Logon Auditing
To enable Logon Auditing, we need to configure Windows Group Policy settings. Press “Win + R”, type gpedit.msc and press the Enter button to open Windows Group Policy Editor.
Once you are in the Group Policy Editor, navigate to “Computer Configuration -> Windows Settings -> Security Settings -> Local Policies” and then select “Audit Policy” in the left pane.
The above action will show you some policies on the right pane. Here double click on “Audit logon events” policy to open it. Please don’t confuse “Audit logon events” with “Audit account logon events” as it is a setting for a completely different purpose.
Once the Window is opened, select both the check boxes “Success” and “Failure.” Now click on the “Apply” and “Ok” buttons to save the changes.
That’s all there is to do. From this point forward, every log in, log off and failed log in attempts will be logged in the Event Viewer as events.
View Logon Audit Events
You can view all the log in, log off and failed log in attempt events in the Windows Event Viewer. You can launch the Event Viewer by searching in the start menu. If you are using Windows 8, you can launch the same using the Power User menu (Win + X).
Once you have launched the Event Viewer, navigate to Windows Logs and then to the Security tab.
Here you will find all the security related events that happened in your Windows system. If you double click on the keyword “Audit Success,” you will find out the details like the user that has been logged in or logged out, time stamp, etc. As a tip, you can filter down the event logs using “Event ID” or “Task Category.” As you can see from the below image, Logon Auditing also tracks any failed login attempts.
That’s all there is to do, and it is that simple to track user logins in your Windows system. Hopefully that helps, and do comment below if you face any problems while enabling the Logon Auditing feature in Windows.