You could use the Logon_Type field:
- 2, Interactive Access
- 3, Network Access
- 4, Script Access
- 5, Service Access
- 7, Interactive Access from Blocked Console
- 10, Terminal Services Access
- 11, Interactive Access with cached credentials
Beware of duplicated login events: each access generates many login events, so you have to filter them using the dedup or transaction commands.
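An added example, not part of the original answer: one way to combine the `Logon_Type` filter with `dedup` so that each interactive access is counted once per minute. Only `Logon_Type` comes from the answer; the index name `wineventlog`, the event code `4624` (successful logon on current Windows versions) and the field names `host` and `user` are assumptions that depend on how the events are ingested.

```spl
index=wineventlog EventCode=4624 Logon_Type IN (2, 10, 11)
``` Label the logon types kept by the filter, using the answer's descriptions ```
| eval logon_kind=case(
    Logon_Type==2,  "Interactive Access",
    Logon_Type==10, "Terminal Services Access",
    Logon_Type==11, "Interactive Access with cached credentials")
``` Collapse the burst of events one access produces: bucket to 1 minute,
    then keep a single event per host, user, type and bucket ```
| bin _time span=1m
| dedup host user Logon_Type _time
| table _time host user Logon_Type logon_kind
| sort 0 _time
```

The 1-minute bucket is an assumed window; widen or narrow it to match how closely the duplicate events arrive in your data.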