Audit Logoff

Applies to

  • Windows 10
  • Windows Server 2016

Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.

These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to.

There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.

Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated.

Event volume: Low.

This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller No No Yes No This subcategory typically generates huge amount of “4634(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using Audit Logon subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with Audit Logon events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server No No Yes No This subcategory typically generates huge amount of “4634(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using Audit Logon subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with Audit Logon events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Workstation No No Yes No This subcategory typically generates huge amount of “4634(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using Audit Logon subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with Audit Logon events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:

  • 4634(S): An account was logged off.

  • 4647(S): User initiated logoff.