Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15

PCIS Support Team Windows Operating System
Details
Product: Windows Operating System
Event ID: 540
Source: Security
Version: 5.0
Symbolic Name: SE_AUDITID_NETWORK_LOGON
Message: Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
   
Explanation

A logon session was created for the user. The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Logon ID that is assigned to a logon session is unique to that logon session until the computer is restarted, at which point the Logon ID may be reused. The Logon ID can be used to correlate a logon message with other messages, such as object access messages.

This message includes the user name and the domain information of the user account that was logged on, the name of the logon process that logged the user on, the type of authentication credentials that were presented, and a logon GUID (globally unique identifier).

For logons that use Kerberos, the logon GUID can be used to associate a logon event on this computer with an account logon event on an authenticating computer, such as a domain controller.

This message also includes a logon type code. The logon type code indicates the manner in which the user logged on. The following table explains the logon type value:

Logon type
Logon title
Description
2 Interactive A user logged on to this computer at the console.
3 Network A user or computer logged on to this computer from the network.
4 Batch Batch logon type is used by batch servers, where processes might run on behalf of a user without the user’s direct intervention.
5 Service A service was started by the Service Control Manager.
7 Unlock This workstation was unlocked.
8 NetworkCleartext A user logged on to a network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9 NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
   
User Action

No user action is required.

Related:

Leave a Reply