Logon Event ID ler - Interactive Logon Events

528

Successful logon.

529

Logon failure. Unknown user name or bad password.

530

Logon failure. Account logon time restriction violation.

531

Logon failure. The account is currently disabled.

532

Logon failure. The specified user account has expired.

533

Logon failure. The user is not allowed to log on at this computer.

534

Logon failure. The user has not been granted the requested logon type at this computer.

535

Logon failure. The specified account’s password has expired.

536

Logon failure. The NetLogon component is not active.

537

Logon failure. An unexpected error occurred during logon.

538

User
logoff. This event is generated when the logoff process is complete. A
logoff is considered complete when the associated logon session object
is deleted, which occurs after all tokens associated with the logon
session are closed. This can take an arbitrarily long time; this event
should not be used to calculate the total logon duration. Instead, use
event 551.

539

Logon failure. Account locked out.

540

Successful network logon.

541

IPSec security association established.

542

IPSec security association ended. Mode: Data Protection (Quick mode).

543

IPSec security association ended. Mode: Key Exchange (Main mode).

544

IPSec
security association establishment failed because peer could not
authenticate. The certificate trust could not be established.

545

IPSec peer authentication failed.

546

IPSec security association establishment failed because peer sent invalid proposal.

547

IPSec security association negotiation failed.

548

Logon
failure. Domain security identifier (SID) is inconsistent. This event
is generated when a user account from a trusted domain attempts to
authenticate, but the domain SID does not match the SID stored in the
Trusted Domain Object (TDO).

549

Logon
failure. All SIDs were filtered out. During cross-forest
authentication, SIDs corresponding to untrusted namespaces are filtered
out. This event is generated when all SIDs are filtered. This event is
generated on the Kerberos Key Distribution Center (KDC).

This event is not generated on Windows Server 2003.

550

Notification message that can indicate a possible denial-of-service attack.

551

User-initiated
logoff. This event is generated when the user initiates the logoff
process. When the logoff process is complete, event 538 is logged.

552

Successful
logon. This event is generated when a user logs on with explicit
credentials while already logged on as another user. This event is
logged when using the RunAs tool.

553

Logon failure. This event is generated when an authentication package detects a replay attack.