We've been going over the logs for a client that may have a compromised account. What's causing some confusion is the Last Login column shows (Webmail) but the Administrative logs do not match the same data.

For instance, the user jkelly shows that on 2/1 they used Webmail. Also account sales had used webmail on 1/31. BUT, the Admin logs only show a webmail login for jkelly on 1/31 and no webmail reference for the sales account.

We've also seen cross-pollenation of records from other accounts find their way into log search results. For instance we search with a parameter that matches a domain.com but some records from someotherdomain.com find their way into the results. 

Our goal is to accurately search for users in a particular domain that are using Webmail and be able to see their IP addresses. The logs not being accurate are causing some confusion.
Should I look for some actual log files on the server and perform a text search to get more accurate results?