Active directory does not log true logoff events at the Domain Controller. The "logoff" events that are recorded at the server have more to do with network sessions and often don't accurately reflect users logging on and off of a desktop. Often these prove to be more noise than useful, actionable information. The only way to accurately do this is to somehow collect event logs from individual workstations.
Option 1 -- Universal Forwarders and Deployment Server
Installing the Universal Forwarder on all workstations is still the ideal in a number of ways, but it's understandable if you don't want to deploy and maintain it to that degree. However, if you are willing to consider that approach, be aware that there are several ways to reduce the level of pain rolling it out, so the "there are a lot of users" may not be as bad an issue as you think. It's very scriptable -- for one example script, look at this blog post. Then, use the Deployment Server to manage configuration.
Option 2 -- Windows Event Forwarding + GPO + Splunk Forwarder
If, however, that's just not doable, you may wish to explore Windows Event Forwarding. You should be able to set up a collector running Win2008 or higher, then create a Group Policy Object to have the machines send their data to the collector. Install a Splunk heavy forwarder on the collector to get the data to Splunk. The second link below has you use a Universal Forwarder, but I'd lean toward use of a heavy forwarder for this.
Take a look at these:
- Quick and Dirty Large Scale Eventing for Windows
- Forwarding Windows Event Logs to another host
- Configure Computers to Forward and Collect Events
The big advantages are not having to deploy and maintain the Universal Forwarders, and being able to leverage built-in functionality and GPO configuration. The downsides are having another type of forwarding to maintain, having to maintain the additional server and heavy forwarder configuration, and having to enable the WinRM service.
Other Alternatives
Other options do exist. Adiscon makes a syslog-based forwarding agent, but you're right back to having to deploy and maintain a third party agent. Some of the other Microsoft tools like SCCM might have a way to do it, or you can explore WMI-based polling. But none of these options will be as good as either of the above.
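As an added example of the Option 2 route (this is not code from the answer above or from Splunk), the following PowerShell run on the collector registers a source-initiated WEF subscription limited to the Security events that actually describe desktop logon and logoff, with the matching GPO settings and the heavy forwarder's inputs.conf stanza noted as comments. The collector name wec01.example.local and the subscription name are assumptions.

```powershell
# Added example: source-initiated WEF subscription that pulls only logon/logoff
# events from domain workstations into the collector's ForwardedEvents log.
# Assumed names: collector wec01.example.local, subscription Workstation-Logon-Logoff.

# --- On the collector (elevated prompt) ---
wecutil qc /q    # enable and start the Windows Event Collector service

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/subscription">
  <SubscriptionId>Workstation-Logon-Logoff</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon/logoff events from domain workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <!-- 4624 logon, 4634 logoff, 4647 user-initiated logoff,
               4800/4801 workstation locked/unlocked -->
          <Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4647 or EventID=4800 or EventID=4801)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path "$env:TEMP\logon-logoff.xml" -Value $subscription -Encoding ASCII
wecutil cs "$env:TEMP\logon-logoff.xml"   # create the subscription from the XML
wecutil gr Workstation-Logon-Logoff        # later: see which sources are reporting in

# --- On each workstation, pushed by GPO rather than by hand ---
# Computer Configuration > Administrative Templates > Windows Components >
#   Event Forwarding > Configure target Subscription Manager:
#   Server=http://wec01.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
# Also enable WinRM via GPO (Windows Remote Management (WinRM) > WinRM Service >
#   Allow remote server management through WinRM) and add NT AUTHORITY\NETWORK SERVICE
#   to the local "Event Log Readers" group so the forwarder can read the Security log.

# --- On the Splunk heavy forwarder installed on the collector (inputs.conf) ---
# [WinEventLog://ForwardedEvents]
# disabled = 0
```

Events then arrive in Splunk with the originating workstation as the host, so a simple search on EventCode 4624/4634/4647 gives the per-desktop logon and logoff timeline the Domain Controller logs cannot.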