Hi Doug, I did this a few years ago for a cutomer having severe disconnection problems which ended up being due to a slightly bent Cisco router. I used dumpel (Windows resource kit) to seive through the eventlogs to get all the logon disconnection/connection data and dump it as a csv file. Then there was a batch file with a for loop that cleaned things up so it ccould be imported into Excel and graphed. The idea was to combine all the logs, sort on data so you could see the distribution of disconnections, on a server, time and user basis. That should let you narrow down on the cause of the problem. This is the stuff I had in my notes: Events extracted from event logs. Security Security Logon/logoff 682 Session reconnected Security Security Logon/logoff 683 Session disconnected System TermService None 9007 Autoclient reconnect System TermService None 9006 Autoclient failed (cookie) The following 2 command lines were used to extract these events in comma delimited format from the security and system logs on the farm servers. For /f %i in ('qfarm /load ^| find /I "tml"') do dumpel –s *\\%i*<file://%25i/>–l security –m security –e 682 683 –c >> farm_seclog.txt For /f %i in ('qfarm /load ^| find /I "tml"') do dumpel –s *\\%i*<file://%25i/>–l system –m termservice –e 9007 –c >> farm_syslog.txt The stuff we extracted were things like: Top Ten Affected Users User WS Type IP Address ICA client build Disconnects cdraper PC 10.1.2.162 90 charris WT 10.1.4.174 931 100 dmorris * PC 10.1.2.163 21825 250 gbousgas PC 10.1.1.162 1050 137 jelder PC 10.1.1.169 21825 156 kdoyle PC 10.1.2.168 21825 117 mmckavanagh PC 10.1.2.163 115 mparry PC 10.1.1.167 75 scarter PC 10.1.2.170 21825 235 tpratt PC 10.1.2.165 21825 125 We also did a disconnections by site and disconnections by server frequency. As stated earlier, it turned out to be a router at head office. To find that took someone doing network packet capture between a server and one of the most heavily affected users. regards, Rick On 7/18/08, Stratton, Doug ISMC:EX <Doug.M.Stratton@xxxxxxxxx> wrote: > > We are in the process of trying to look thru our W2K3 Security logs to > identify how many times clients are connecting/dropping/reconnecting again. > > It seems like mountains of data and I was just wondering if there is a > simple solution to gathering this data. > > The sort of thing I would like something like: > > UserA > Date - logon > Date - logoff (or other such thing, drop/disconnect…) > > UserB > …. > > We are going thru this exercise because we have clients who are reporting > drops and we want to get a better picture of how bad this is. > > Any scripts out there or tools that can do this would be greatly > appreciated. > > Regards, > *Doug Stratton*, Shared Service BC > Service Desk Email:* 77000@xxxxxxxxx* > Service Desk Tel:* (250)387-7000* > > > -- Ulrich Mack Quest Software Provision Networks Division