Client Management Suite

Using some example queries and my own troubleshooting it appears some events are being missed.
I can query all the events for a specific GUID. In the example below these are the only 4 events on the machine.  Yet, someone else is currently logged in. I never got the logon event.

• Does Evt_AeX_Client_LogOn get populated when someone logs in via RDP instead of the local console?
• Does Evt_AeX_Client_LogOn support user switching?  In this case I think the person logged in logged in after DOMAIN\greg by doing a "Switch User"

The answers to you questions are all Yes, plus multiple sessions on server OS-es are also supported.
If you're sure that sql query is correct and that your NS does not drop or slowly processes NSE events, then please collect the agent side logs for the time period when undocumented 'logon' occurred. There should be some evidence about user switching and NSE posting.
Original Message:
Sent: 07-22-2021 11:32 AM
From: Greg Zielinski
Subject: Evt_AeX_Client_LogOn appears to be missing events.

Using some example queries and my own troubleshooting it appears some events are being missed.
I can query all the events for a specific GUID. In the example below these are the only 4 events on the machine.  Yet, someone else is currently logged in. I never got the logon event.

• Does Evt_AeX_Client_LogOn get populated when someone logs in via RDP instead of the local console?
• Does Evt_AeX_Client_LogOn support user switching?  In this case I think the person logged in logged in after DOMAIN\greg by doing a "Switch User"