magnify
Home Active Directory Logon Event ID ler – Interactive Logon Events
formats

Logon Event ID ler – Interactive Logon Events

Event ID Description
528 Successful logon.
529 Logon failure. Unknown user name or bad password.
530 Logon failure. Account logon time restriction violation.
531 Logon failure. The account is currently disabled.
532 Logon failure. The specified user account has expired.
533 Logon failure. The user is not allowed to log on at this computer.
534 Logon failure. The user has not been granted the requested logon type at this computer.
535 Logon failure. The specified account’s password has expired.
536 Logon failure. The NetLogon component is not active.
537 Logon failure. An unexpected error occurred during logon.
538 User logoff. This event is generated when the logoff process is complete. A logoff is considered complete when the associated logon session object is deleted, which occurs after all tokens associated with the logon session are closed. This can take an arbitrarily long time; this event should not be used to calculate the total logon duration. Instead, use event 551.
539 Logon failure. Account locked out.
540 Successful network logon.
541 IPSec security association established.
542 IPSec security association ended. Mode: Data Protection (Quick mode).
543 IPSec security association ended. Mode: Key Exchange (Main mode).
544 IPSec security association establishment failed because peer could not authenticate. The certificate trust could not be established.
545 IPSec peer authentication failed.
546 IPSec security association establishment failed because peer sent invalid proposal.
547 IPSec security association negotiation failed.
548 Logon failure. Domain security identifier (SID) is inconsistent. This event is generated when a user account from a trusted domain attempts to authenticate, but the domain SID does not match the SID stored in the Trusted Domain Object (TDO).
549 Logon failure. All SIDs were filtered out. During cross-forest authentication, SIDs corresponding to untrusted namespaces are filtered out. This event is generated when all SIDs are filtered. This event is generated on the Kerberos Key Distribution Center (KDC).

This event is not generated on Windows Server 2003.

550 Notification message that can indicate a possible denial-of-service attack.
551 User-initiated logoff. This event is generated when the user initiates the logoff process. When the logoff process is complete, event 538 is logged.
552 Successful logon. This event is generated when a user logs on with explicit credentials while already logged on as another user. This event is logged when using the RunAs tool.
553 Logon failure. This event is generated when an authentication package detects a replay attack.
 
 Share on Facebook Share on Twitter Share on Reddit Share on LinkedIn
Logon Event ID ler – Interactive Logon Events için yorumlar kapalı  comments 
© Hakan Uzuner
credit