Logon Event IDs

Table of Logon Event IDs
from Microsoft

528 A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
529 Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530 Logon failure. A logon attempt was made, but the user account tried to log on outside of the allowed time.
531 Logon failure. A logon attempt was made using a disabled account.
532 Logon failure. A logon attempt was made using an expired account.
533 Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534 Logon failure. The user attempted to log on with a type that is not allowed.
535 Logon failure. The password for the specified account has expired.
536 Logon failure. The Netlogon service is not active.
537 Logon failure. The logon attempt failed for other reasons.
Note:
In some cases, the reason for the logon failure may not be known.

538 The logoff process was completed for a user.
539 Logon failure. The account was locked out at the time the logon attempt was made.
540 A user successfully logged on to a network.
541 Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
542 A data channel was terminated.
543 Main mode was terminated.
Note:
This might occur as a result of the time limit on the security association expiring, policy changes, or peer termination. (The default expiration time for security associations is eight hours.)
544 Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
545 Main mode authentication failed because of a Kerberos failure or a password that is not valid.
546 IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
547 A failure occurred during an IKE handshake.
548 Logon failure. The security identifier (SID) from a trusted domain does not match the account domain SID of the client.
549 Logon failure. All SIDs that correspond to untrusted namespaces were filtered out during an authentication across forests.
550 A denial-of-service attack may have taken place.
551 A user initiated the logoff process.
552 A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
672 An authentication service (AS) ticket was successfully issued and validated.
673 A ticket-granting service (TGS) ticket was granted.
674 A security principal renewed an AS ticket or TGS ticket.
675 Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
676 Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family.
677 A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family.
678 An account was successfully mapped to a domain account.
681 Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family.
682 A user has reconnected to a disconnected terminal server session.
683 A user disconnected a terminal server session without logging off.
Note:
This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.

No comments:

Recent Posts