I am attempting to create a script that will read our syslog files from the Domain Controllers that have a record of all Logon and Logoff transactions.. This includes every single time any network resource is accessed.

I am having a problem identifying what is the "Network Logon / Logoff" events (event ID's are not supplied.)

I have the raw log files at my disposal if needed but they are quite large, and I would have to "scrub" them first.

As an example piece from the log though.... (This is just one line that I broke up for readibility)

 Code:
2007-10-24 08:04:06	Daemon.Notice	DC-SERVER	Security: DOMAIN\username: Object Open: Object Server: 
Security Account Manager Object Type: SAM_SERVER Object Name: CN=Server,CN=System,DC=DOMAIN,DC=STATE,DC=AZ,DC=US 
Handle ID: 226087280 Operation ID: {0,639024591} Process ID: 380 Process Name: C:\WINDOWS\system32\lsass.exe 
Primary User Name: DC-SERVER$ Primary Domain: DOMAIN Primary Logon ID: (0x0,0x3E7) Client User Name: username 
Client Domain: DOMAIN Client Logon ID: (0x0,0x2616A3CA) Accesses: (Error 1537) (Error 1538) (Error 1539) (Error 1540) 
(Error 5376) (Error 5377) (Error 5378) (Error 5379) A network adapter malfunction has occurred.<013><010>
The network control block (NCB) request was refused.  The NCB is the data.<013><010> 
The network control block (NCB) command is still pending.<013><010>The NCB is the data.<013><010> (Error 5382) 
(Error 5383) (Error 5384) Privileges: - Properties: --- %{bf967aad-0de6-11d0-a285-00aa003049e2} Access Mask: 0
_________________________
Today is the tomorrow you worried about yesterday.