Windows Event Collector generates multiple logon/logoff events in Windows Security Logs
Article ID: 152085

Updated On:

Products

Security Information Manager

Issue/Introduction

Windows Event Collector generates multiple logon/logoff events in Windows Security Logs.

Resolution

The Windows Event Collector sensor performs a separate logon operation for each log type it monitors. If the Application, Security and System logs are monitored, three logons are performed.

Additionally, a logon operation error may occur if a session to the remote computer is already open. This causes additional logon/logoff events, because the active session must be closed before the sensor attempts to log on again.

As a result, in some circumstances 3 logon and 3 logoff events will be generated for the 3 standard log types.

There may also be extra events related to privileges being granted, etc.
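
An added example, not part of the original article or the product: a Python triage helper that groups a sensor account's Security log events into bursts and compares each burst with the one-logon-per-log-type pattern described above. The account name `svc_collector`, the 10-second gap, the event records and the use of event IDs 4624 (logon), 4634 (logoff) and 4672 (special privileges assigned to new logon) are assumptions; the article itself names no event IDs.

```python
from collections import Counter
from datetime import datetime, timedelta

LOGON, LOGOFF, PRIVS = 4624, 4634, 4672  # assumed mapping, see lead-in

def collector_bursts(events, account, monitored_logs, gap=timedelta(seconds=10)):
    """Group the account's events into bursts (split where the gap between
    consecutive events exceeds `gap`) and classify each burst."""
    expected = len(monitored_logs)  # one logon per monitored log type
    mine = sorted((e for e in events
                   if e["account"].lower() == account.lower()
                   and e["id"] in (LOGON, LOGOFF, PRIVS)),
                  key=lambda e: e["time"])
    bursts, current = [], []
    for e in mine:
        if current and e["time"] - current[-1]["time"] > gap:
            bursts.append(current)
            current = []
        current.append(e)
    if current:
        bursts.append(current)

    report = []
    for b in bursts:
        c = Counter(e["id"] for e in b)
        if c[LOGON] == expected and c[LOGOFF] == expected:
            verdict = "baseline"      # one logon/logoff pair per log type
        elif c[LOGON] > expected:
            verdict = "extra-logons"  # e.g. session closed, logon retried
        else:
            verdict = "mismatch"      # does not fit the described pattern
        report.append({"start": b[0]["time"], "logons": c[LOGON],
                       "logoffs": c[LOGOFF], "privilege_events": c[PRIVS],
                       "verdict": verdict})
    return report

def sample(start, ids, account="svc_collector"):
    """Build constructed events one second apart (not from a real log)."""
    t0 = datetime.fromisoformat(start)
    return [{"time": t0 + timedelta(seconds=i), "id": x, "account": account}
            for i, x in enumerate(ids)]

# Constructed input: a clean poll, a poll with one retried logon, and an
# unrelated user who must not be counted as collector activity.
SAMPLE = (sample("2024-01-01T10:00:00", [4624, 4672, 4634] * 3)
          + sample("2024-01-01T10:05:00",
                   [4624, 4634, 4624, 4672, 4634, 4624, 4634, 4624, 4634])
          + sample("2024-01-01T10:06:00", [4624, 4634], account="alice"))

if __name__ == "__main__":
    for row in collector_bursts(SAMPLE, "svc_collector",
                                ["Application", "Security", "System"]):
        print(row)
```

Bursts classified as `mismatch`, or logons by the sensor account outside its polling schedule, are the ones worth reviewing rather than suppressing.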