Monday, July 24

Security Event Logs - Logon Event IDs

Many people ask us how to monitor security events once auditing has been set up, since most entries show only an event ID. We believe Microsoft publishes the lists on the TechNet website; however, for the convenience of our customers and readers, let us share some important events:

  • 528 - Successful logon
  • 529-537 - Failed logon, where: 529 - bad username and password, 530 - time restrictions, 531 - account disabled, 532 - expired account, 533 - cannot log on to specific computer account, 534 - disallowed logon type, 535 - expired password, 536 - server is not available, 537 - other reasons
  • 548 - Your trust might be broken (SID does not match)
  • 550 - Your network might be under a DoS attack
  • 551 - Logoff events
  • 552 - UserB forces a logon to another computer while UserA is logged on
  • 682 - User has reconnected to a disconnected terminal session
  • 683 - User disconnected from a terminal session without logging off
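
One way to put these IDs to work when reviewing exported events, as an added example that is not part of the original post: it tallies failed-logon reasons (529-537) per account and flags a successful logon (528) that directly follows repeated failures. The `time,event_id,account,workstation` line layout, the `parse` and `triage` names, the threshold of 3 and the sample records are all assumptions made for illustration, and events are assumed to be in time order.

```python
from collections import Counter, defaultdict

# Failed-logon sub-codes exactly as listed in the post above.
FAILED = {529: "bad username and password", 530: "time restrictions",
          531: "account disabled", 532: "expired account",
          533: "cannot log on to specific computer account",
          534: "disallowed logon type", 535: "expired password",
          536: "server is not available", 537: "other reasons"}
SUCCESS = 528

# Constructed sample; the "time,event_id,account,workstation" layout is an
# assumed export format, not something the Security log produces natively.
SAMPLE = """\
09:00:01,529,alice,WS01
09:00:05,529,Alice,WS01
09:00:09,529,alice,WS01
09:00:15,528,alice,WS01
09:05:00,531,bob,WS02
09:07:00,535,carol,WS03
09:07:30,528,carol,WS03
this line is damaged
"""

def parse(text):
    """Yield (time, event_id, account, workstation); skip malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or not parts[1].isdecimal():
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3]

def triage(text, threshold=3):
    """Tally failure reasons per account and flag any successful logon (528)
    that directly follows `threshold` or more failures for the same account."""
    reasons = defaultdict(Counter)   # account -> Counter of failure reasons
    streak = Counter()               # failures since the last success
    alerts = []
    for when, event_id, account, workstation in parse(text):
        if event_id in FAILED:
            reasons[account][FAILED[event_id]] += 1
            streak[account] += 1
        elif event_id == SUCCESS:
            if streak[account] >= threshold:
                alerts.append((account, when, workstation, streak[account]))
            streak[account] = 0
    return reasons, alerts

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Account names are lower-cased before counting so that `alice` and `Alice` land in the same tally.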

We hope this small piece of information helps most of the people managing and maintaining AD!