In the event the Logon Audit Report fails to display an entry, several steps can be taken to determine the cause.  These steps are listed here, in order of likelihood.


There are two methods by which you can access existing logon reporting data.  The first step is to use a dataview to confirm data is coming into the Automate server.  Right-click the target Client/Location or Computer and select Dataviews -> ThirdWallV2 -> ThirdWall User Logon Audit.  This will cause a new window to open and will display all raw data pulled from the selected target.


Check that data.  Ensure that all expected computers are reporting in, they have reported in recently and that the data is logical.  That is, Logon events correspond with a Logoff event; that Screen Lock events corresponds with a Screen Unlock event.  To print reports, this logical associations don't need to exist perfectly but they can't be overly skewed either.


Conditions which can cause reporting failures

  • Has a policy exception been applied to the computer?  The Logon Reporting policy will automatically block reporting (using standard exceptions) if an excessive amount of logon failure events are read.
  • The Logon Reporting policy supports only Local and Domain user accounts.  It will not accurately describe logon events for Microsoft Accounts.
  • Is the 'TW - Logon Reporting' monitor assigned to the computer? 


Don't forget

  • Are there any open 'TW - Logon Reporting' tickets in the system?
  • Are there any open 'TW - Log Logon Events' tickets in the system? 


Remediation

  • If a ticket is discovered, very often it will describe the cause of the failure.  Repair the conditions that is causing the failure.  Success will be verified by the ticket's automatic closing.  If the cause of the ticket is unknown, send the ticket title and message to support@third-wall.com
  • Monitor assignment is handled by standard Automate group-assigned monitors.  All groups reside under the ThirdWallV2 group.  Ensure the target computer is a member of the group.
  • If an exception has been assigned, remove the exception from the target.  Be aware, if this exception was automatically applied by Third Wall for excessive Logon Failures and the condition which caused those failures has not been rectified, it is highly probable the target will be again automatically excepted from the policy.  Determine the source of the failures (https://thirdwallhelp.freshdesk.com/a/solutions/articles/43000541513) and prevent it from causing more.