| Event ID | Description |
|---|---|
| 528 | Successful logon. |
| 529 | Logon failure. Unknown user name or bad password. |
| 530 | Logon failure. Account logon time restriction violation. |
| 531 | Logon failure. The account is currently disabled. |
| 532 | Logon failure. The specified user account has expired. |
| 533 | Logon failure. The user is not allowed to log on at this computer. |
| 534 | Logon failure. The user has not been granted the requested logon type at this computer. |
| 535 | Logon failure. The specified account’s password has expired. |
| 536 | Logon failure. The NetLogon component is not active. |
| 537 | Logon failure. An unexpected error occurred during logon. |
| 538 | User logoff. This event is generated when the logoff process is complete. A logoff is considered complete when the associated logon session object is deleted, which occurs after all tokens associated with the logon session are closed. This can take an arbitrarily long time; this event should not be used to calculate the total logon duration. Instead, use event 551. |
| 539 | Logon failure. Account locked out. |
| 540 | Successful network logon. |
| 541 | IPSec security association established. |
| 542 | IPSec security association ended. Mode: Data Protection (Quick mode). |
| 543 | IPSec security association ended. Mode: Key Exchange (Main mode). |
| 544 | IPSec security association establishment failed because peer could not authenticate. The certificate trust could not be established. |
| 545 | IPSec peer authentication failed. |
| 546 | IPSec security association establishment failed because peer sent invalid proposal. |
| 547 | IPSec security association negotiation failed. |
| 548 | Logon failure. Domain security identifier (SID) is inconsistent. This event is generated when a user account from a trusted domain attempts to authenticate, but the domain SID does not match the SID stored in the Trusted Domain Object (TDO). |
| 549 | Logon failure. All SIDs were filtered out. During cross-forest authentication, SIDs corresponding to untrusted namespaces are filtered out. This event is generated when all SIDs are filtered. This event is generated on the Kerberos Key Distribution Center (KDC).
This event is not generated on Windows Server 2003. |
| 550 | Notification message that can indicate a possible denial-of-service attack. |
| 551 | User-initiated logoff. This event is generated when the user initiates the logoff process. When the logoff process is complete, event 538 is logged. |
| 552 | Successful logon. This event is generated when a user logs on with explicit credentials while already logged on as another user. This event is logged when using the RunAs tool. |
| 553 | Logon failure. This event is generated when an authentication package detects a replay attack. |
