Windows XP Professional and Windows 2000 Server generate logon-related events when a user logs on interactively or remotely. These events are generated on the computer to which the logon attempt was made. For more information about the different types of logons and the logon process, see Logon and Authentication in this book.
Parameters: User name, domain, or workstation involved in the logon attempt, logon ID, logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5, or negotiate) involved in the logon attempt, workstation name.
Configurable Information: Success
Formal names: SE_AUDITID_SUCCESSFUL_LOGON, SE_AUDITID_NETWORK_LOGON
This event is identical to event 528.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_UNKNOWN_USER_OR_PWD
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_ACCOUNT_TIME_RESTR
Logon time restrictions can only be configured for domain accounts. However, for non-domain accounts, it is still possible to configure logon time restrictions programmatically.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_ACCOUNT_DISABLED
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_ACCOUNT_EXPIRED
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_WORKSTATION_RESTR
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_LOGON_TYPE_RESTR
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_PASSWORD_EXPIRED
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_NETLOGON_NOT_STARTED
The Net Logon service is needed for domain-style logon attempts or logon attempts to an account that does not exist on the workstation at which the logon attempt is occurring.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation from which the logon attempt was made, one or two status codes indicating why the logon failed.
Configurable Information: Failure
Formal name: SE_AUDITID_UNSUCCESSFUL_LOGON
In some cases, the reason for the logon failure might not be known. To find the individual status codes, search for the files Ntstatus.h or Winerror.h, and then open them by using a text editor such as Notepad.
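The status codes that this event reports are 32-bit NTSTATUS values, and the `#define` lines in Ntstatus.h are the lookup table for them. The script below is an added example, not part of the resource kit: it parses lines in the Ntstatus.h layout, decodes the severity bits of a code, and renders the one or two codes from a failed-logon audit as symbolic names. The header excerpt is constructed here (the constant values are the documented Windows ones; the excerpt is not a copy of the file), and the `0xC0000999` value used to show the unknown-code path is an invented placeholder.

```python
"""Resolve NTSTATUS codes from a failed-logon audit to symbolic names.

Added example: parses #define lines in the layout used by Ntstatus.h and
decodes the severity bits (bits 31-30) of an NTSTATUS value.
"""
import re
from typing import Dict, List

# Constructed excerpt in the layout of Ntstatus.h. The names and values are
# the documented Windows constants; the excerpt itself is assembled here so
# the example runs without the SDK header present.
NTSTATUS_H_EXCERPT = """
//
// MessageId: STATUS_NO_SUCH_USER
//
#define STATUS_SUCCESS                   ((NTSTATUS)0x00000000L)
#define STATUS_NO_SUCH_USER              ((NTSTATUS)0xC0000064L)
#define STATUS_WRONG_PASSWORD            ((NTSTATUS)0xC000006AL)
#define STATUS_LOGON_FAILURE             ((NTSTATUS)0xC000006DL)
#define STATUS_ACCOUNT_RESTRICTION       ((NTSTATUS)0xC000006EL)
#define STATUS_INVALID_LOGON_HOURS       ((NTSTATUS)0xC000006FL)
#define STATUS_INVALID_WORKSTATION       ((NTSTATUS)0xC0000070L)
#define STATUS_PASSWORD_EXPIRED          ((NTSTATUS)0xC0000071L)
#define STATUS_ACCOUNT_DISABLED          ((NTSTATUS)0xC0000072L)
#define STATUS_ACCOUNT_LOCKED_OUT        ((NTSTATUS)0xC0000234L)
"""

# One #define per line: symbolic name, then the hex value inside ((NTSTATUS)...L).
DEFINE_RE = re.compile(
    r"^\s*#define\s+(STATUS_\w+)\s+\(\(NTSTATUS\)(0x[0-9A-Fa-f]{1,8})L?\)"
)

# Severity is carried in the top two bits of an NTSTATUS value.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def parse_ntstatus_header(text: str) -> Dict[int, str]:
    """Build a value -> name table from Ntstatus.h-style #define lines.

    Comment and MessageId lines do not match the pattern and are skipped.
    """
    table: Dict[int, str] = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            table[int(m.group(2), 16)] = m.group(1)
    return table


def severity(code: int) -> str:
    """Return the severity class encoded in bits 31-30 of an NTSTATUS."""
    return SEVERITY[(code >> 30) & 0x3]


def describe_status(code_text: str, table: Dict[int, str]) -> str:
    """Render one status code as 'NAME (severity)'.

    Codes absent from the table are echoed as hex and flagged so the reader
    knows to consult the full Ntstatus.h or Winerror.h.
    """
    code = int(code_text, 16)
    name = table.get(code)
    if name is None:
        return f"0x{code:08X} ({severity(code)}, not found in header)"
    return f"{name} ({severity(code)})"


def describe_failure_codes(codes: List[str], table: Dict[int, str]) -> List[str]:
    """Resolve the one or two codes reported by a failed-logon audit."""
    return [describe_status(c, table) for c in codes]


if __name__ == "__main__":
    tbl = parse_ntstatus_header(NTSTATUS_H_EXCERPT)
    # A failed logon that reported two codes; the second is the more specific one.
    for line in describe_failure_codes(["0xC000006D", "0xC0000064"], tbl):
        print(line)
    # A code outside the constructed excerpt (placeholder value, not a real constant).
    print(describe_status("0xC0000999", tbl))
```

To use it against the real header, read Ntstatus.h into `parse_ntstatus_header` instead of the excerpt; the regular expression only depends on the `#define NAME ((NTSTATUS)0x...L)` layout, not on the excerpt's contents.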
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Success
Formal name: SE_AUDITID_LOGOFF
The logoff message can be caused by any type of logoff attempt.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation from which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_ACCOUNT_LOCKED
Parameters: User name, domain, or workstation involved in the logon attempt, logon ID, logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5, or negotiate) involved in the logon attempt, workstation name.
Configurable Information: Success
Formal names: SE_AUDITID_SUCCESSFUL_LOGON, SE_AUDITID_NETWORK_LOGON
This event is identical to event 528.
Parameters: Mode (main or quick), the IP address and name of the other host involved in the authentication, a filter specifying source and destination addresses (address can be either specific IP, IP subnet, or all computers), an encryption algorithm, hashing algorithm, and timeout for the security association.
Configurable Information: Success
Formal name: SE_AUDITID_IPSEC_LOGON_SUCCESS
Parameters: Mode (main or quick), a filter indicating a subnet, a particular host, or all computers, the inbound Security Parameters Index (SPI) of the local host, the outbound SPI (that of the other peer in the connection).
Note: Data transfer mode is the same as quick mode (QM).
Configurable Information: Success
Formal name: SE_AUDITID_IPSEC_LOGOFF_QM
Parameters: A filter indicating a subnet, a particular host, or all computers.
Configurable Information: Success
Formal name: SE_AUDITID_IPSEC_LOGOFF_MM
This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, peer termination, and so on.
Parameters: Peer identity (the other host involved in the authentication), a filter indicating a subnet, a particular host, or all computers.
Configurable Information: Failure
Formal name: SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST
Parameters: Peer identity (the other host involved in the authentication), filter indicating a subnet, a particular host, or all computers.
Configurable Information: Failure
Formal name: SE_AUDITID_IPSEC_AUTH_FAIL
Parameters: Mode (main or quick, depending on when the error occurred), a filter indicating a subnet, a particular host, or all computers, the incorrect attribute, the expected value, and the received value.
Configurable Information: Failure
Formal name: SE_AUDITID_IPSEC_ATTRIB_FAIL
Parameters: Mode (indicates when the failure occurred), a filter indicating a subnet, particular host, or all computers, the point of failure, and the reason for the failure.
Configurable Information: Failure
Formal name: SE_AUDITID_IPSEC_NEGOTIATION_FAIL
Parameters: User name, domain name, logon type, logon process, authentication package, workstation name, impersonated domain.
Configurable Information: Failure
Formal name: SE_AUDITID_DOMAIN_TRUST_INCONSISTENT
Parameters: User name, domain name, logon type, logon process, authentication package, workstation name.
Configurable Information: Failure
Formal name: SE_AUDITID_ALL_SIDS_FILTERED
During cross-forest authentication, all SIDs corresponding to untrusted namespaces are filtered out. This event is triggered when this filtering action removes all SIDs.
Parameters: No parameters, other than the above text describing the beginning or ending of a denial-of-service attack.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_IPSEC_IKE_NOTIFICATION
This event message is generated when IKE has a large number of pending requests to establish security associations and is entering denial-of-service prevention mode. This might be normal if it is caused by high computer load or a large number of client connection attempts. It might also be the result of a denial-of-service attack against IKE. If this is a denial-of-service attack, there are usually many audits for failed IKE negotiations involving spoofed IP addresses. Otherwise, the computer is simply under extremely heavy load.
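The distinction the paragraph draws (a burst of failed negotiations from many addresses that never complete, versus plain load) can be checked from the surrounding audits. The script below is an added example, not part of the resource kit or of any Microsoft tool: it takes the IPsec audits that precede an IKE notification, keyed by the formal names listed on this page, counts failures per peer, and separates peers that completed a main-mode security association from those that only ever failed. The records are constructed here (peer addresses from documentation ranges, timestamps invented), and the thresholds and the "failed but never completed" heuristic are this example's own assumptions, not a Microsoft rule.

```python
"""Triage an IKE denial-of-service notification from the audits around it.

Added example. Records are simplified to the fields the triage needs:
the audit's formal name, the peer address (None for the notification
itself) and a timestamp.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Audits on this page that record a failed negotiation with a peer.
FAILURE_EVENTS = {
    "SE_AUDITID_IPSEC_NEGOTIATION_FAIL",
    "SE_AUDITID_IPSEC_AUTH_FAIL",
    "SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST",
    "SE_AUDITID_IPSEC_ATTRIB_FAIL",
}
SUCCESS_EVENT = "SE_AUDITID_IPSEC_LOGON_SUCCESS"
NOTIFICATION_EVENT = "SE_AUDITID_IPSEC_IKE_NOTIFICATION"


def build_sample() -> List[Dict]:
    """Constructed sample: two legitimate peers, then a burst of one-shot failures."""
    base = datetime(2004, 3, 1, 9, 0, 0)  # invented timestamp
    rows = [
        {"event": SUCCESS_EVENT, "peer": "10.0.0.5", "time": base},
        # one transient failure followed by a completed negotiation
        {"event": "SE_AUDITID_IPSEC_NEGOTIATION_FAIL", "peer": "10.0.0.6",
         "time": base + timedelta(seconds=10)},
        {"event": SUCCESS_EVENT, "peer": "10.0.0.6", "time": base + timedelta(seconds=12)},
    ]
    # forty addresses (documentation range) that fail once each and never complete
    for i in range(1, 41):
        rows.append({"event": "SE_AUDITID_IPSEC_NEGOTIATION_FAIL",
                     "peer": f"203.0.113.{i}",
                     "time": base + timedelta(seconds=30 + i)})
    rows.append({"event": NOTIFICATION_EVENT, "peer": None,
                 "time": base + timedelta(seconds=75)})
    return rows


def notification_times(records: List[Dict]) -> List[datetime]:
    """Timestamps at which IKE reported entering prevention mode."""
    return [r["time"] for r in records if r["event"] == NOTIFICATION_EVENT]


def triage_ike_notification(records: List[Dict], notification_time: datetime,
                            lookback: timedelta = timedelta(minutes=5),
                            min_failures: int = 20, min_peers: int = 10) -> Dict:
    """Summarise the IPsec audits in the window before a notification.

    Heuristic (an assumption of this example): many distinct peers that
    failed and never completed a security association points to an attack;
    failures from peers that also completed negotiations point to load.
    """
    start = notification_time - lookback
    failures: Dict[str, int] = defaultdict(int)
    successes: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["peer"] is None or not (start <= r["time"] <= notification_time):
            continue
        if r["event"] in FAILURE_EVENTS:
            failures[r["peer"]] += 1
        elif r["event"] == SUCCESS_EVENT:
            successes[r["peer"]] += 1
    never_completed = sorted(p for p in failures if successes.get(p, 0) == 0)
    total_failures = sum(failures.values())
    likely_attack = total_failures >= min_failures and len(never_completed) >= min_peers
    return {
        "total_failures": total_failures,
        "failing_peers": len(failures),
        "never_completed_peers": never_completed,
        "verdict": "likely attack" if likely_attack else "likely load",
    }


if __name__ == "__main__":
    sample = build_sample()
    for when in notification_times(sample):
        result = triage_ike_notification(sample, when)
        print(when, result["verdict"], result["total_failures"],
              "failures from", result["failing_peers"], "peers")
```

The thresholds are deliberately parameters: on a busy VPN concentrator a few dozen failures in five minutes may be routine, so tune `min_failures` and `min_peers` against a baseline taken when no notification was raised.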
Parameters: User name, domain name, logon ID, session name, client name, client address.
Configurable Information: Success
Formal name: SE_AUDITID_SESSION_RECONNECTED
This event message is generated on a terminal server.
Parameters: User name, domain, logon ID, session name, client name, client address.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_SESSION_DISCONNECTED
This event message is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.