Does anybody use Microsoft LogParser on their 2003 server? I am looking to use this program to find out when a user login via remote desktop and when they logoff. I have found that in Event Viewer the EventID of user login/logoff is 528 or 538. The only thing is that there are multiple logoffs in a row (with the same time for the same user) or the user logs in then out again at the same time right down to the second.
This is the query I was running then importing that data into a database to view/analyze the data:
TimeGenerated AS LogTime,
STRCAT(STRCAT(EXTRACT_TOKEN (Strings, 1, '|'), '\\'), EXTRACT_TOKEN(Strings, 0, '|')) AS Username
\\[computer name here]\Security
EventID IN (528; 538)
EventCategoryName = 'Logon/Logoff'