Security Basics mailing list archives

Monitoring security event logs


From: g () 27 eclipse co uk
Date: 21 Jan 2007 19:27:12 -0000

Hi all, 

I am monitoring the logoff and logon event logs for some machines in my domain. I notice that for one single logon 
there are multiple successful logons in the event log. Sometimes the logon process is either or both "advapi" and 
"user32". Does anyone know the difference between these? 

I try to pair the Logon IDs for each session to calculate logon times, and I notice on some occasions that the 
logon/logoff ID is the same, but parts of it have capitalisation. Does anyone know why? Also, some logon IDs seem to 
not have a logoff ID pair (even though the user has logged off). Does anyone know why?

Thanks in advance, 
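
Added example, not part of the original post: one way to pair logon and logoff records when the Logon ID differs only in letter case is to compare its hexadecimal value rather than its text, and to report the records left unpaired. The record layout, the `(0x0,0x...)` ID format and the function names are assumptions for illustration, and the sample records are constructed.

```python
import re
from datetime import datetime

# Constructed sample records (time, kind, Logon ID as text); not real log data.
SAMPLE = [
    ("2007-01-21 09:00:05", "logon",  "(0x0,0x3A1bF)"),
    ("2007-01-21 09:00:06", "logon",  "(0x0,0x3A2C0)"),
    ("2007-01-21 17:30:10", "logoff", "(0x0,0x3a1BF)"),  # same ID, different case
    ("2007-01-21 18:00:00", "logoff", "(0x0,0x4FFFF)"),  # logoff with no logon seen
]

HEX = re.compile(r"0x([0-9a-fA-F]+)")

def normalize_logon_id(text):
    """Return the Logon ID as a tuple of integers so letter case no longer matters."""
    parts = HEX.findall(text)
    if not parts:
        raise ValueError(f"no hex Logon ID in {text!r}")
    return tuple(int(p, 16) for p in parts)

def pair_sessions(records):
    """Pair logon and logoff records by normalized Logon ID.

    Returns (sessions, open_logons, orphan_logoffs).
    """
    open_logons = {}
    sessions, orphan_logoffs = [], []
    # ISO-style timestamps sort correctly as strings.
    for stamp, kind, raw_id in sorted(records):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        key = normalize_logon_id(raw_id)
        if kind == "logon":
            open_logons.setdefault(key, when)  # keep the earliest logon per ID
        elif kind == "logoff":
            start = open_logons.pop(key, None)
            if start is None:
                orphan_logoffs.append((key, when))
            else:
                sessions.append((key, when - start))
    return sessions, open_logons, orphan_logoffs

if __name__ == "__main__":
    sessions, still_open, orphans = pair_sessions(SAMPLE)
    for key, length in sessions:
        print("session", [hex(v) for v in key], "lasted", length)
    print("logons without a logoff:", [[hex(v) for v in k] for k in still_open])
    print("logoffs without a logon:", [[hex(v) for v in k] for k, _ in orphans])
```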


