Event 528 and Event 540 are the logon events. Event 528 is for all logons except “network” logons. “Network” logons are SMB/Microsoft-DS logons (i.e. connecting to a share). RDP, IIS, FTP logons, etc., are event 528 even though the credentials may have come in over the network. All event 540s are logon type 3.
For Kerberos logons, the workstation field might not be filled out: the Kerberos ticket request messages have no field to carry this information, and authentication of the user account is not based on the machine’s TGT, so to the KDC the workstation just looks like an IP address.
Not every code path in Windows Server 2003 is instrumented to record the IP address, so it is not always filled out.
“Transited services” is part of our S4U (Service-for-User) delegation mechanism.
User Name: %1
Logon ID: %3
Logon Type: %4
Logon Process: %5
Authentication Package: %6
Workstation Name: %7
Logon GUID: %8
Caller User Name: %9
Caller Domain: %10
Caller Logon ID: %11
Caller Process ID: %12
Transited Services: %13
Source Network Address: %14
Source Port: %15
A logon session was successfully created for the user. The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Logon ID is unique to that logon session until the computer is restarted, at which point the Logon ID may be reused. The Logon ID can be used to correlate a logon message with other messages, such as object access messages.
For logons that use Kerberos, the logon GUID can be used to associate a logon event on this computer with an account logon message on an authenticating computer, such as a domain controller.
This message includes the user name and the domain information for the user account that logged on, the name of the logon process that logged the user on, the type of authentication credentials that were presented, and a logon GUID (globally unique identifier).
This message also includes a logon type code. The logon type code indicates the manner in which the user logged on. The following table explains the logon type code:
The Workstation name field specifies the NetBIOS name of the remote computer that originated the logon request. If no information is displayed in this field, either a Kerberos logon attempt failed because the ticket could not be decrypted, or a non-Windows NetBIOS implementation or utility did not supply the remote computer name in the logon request.
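As an added example (not part of the original article), the following Python parses constructed 528/540 records in the “Field: value” layout above, indexes them by Logon ID so that later messages carrying the same Logon ID can be tied back to the logon session, and flags the two field quirks described here: a 540 whose logon type is not 3, and a blank Workstation Name on a Kerberos logon. The sample records, the simplified 560 object-access stand-in, and the logon type names are assumptions; the type names are standard Windows codes, not the page’s own table.

```python
import re
# Standard Windows logon type codes (general Windows knowledge, not the page's table).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample records ("Field: value" lines, blank line between records). The 560
# record is a simplified stand-in for an object access event that carries the Logon ID.
SAMPLE_LOG = """\
Event ID: 528
User Name: alice
Logon ID: (0x0,0x3E7A1)
Logon Type: 10
Authentication Package: Negotiate
Workstation Name: WS01
Source Network Address: 10.0.0.5

Event ID: 540
User Name: alice
Logon ID: (0x0,0x4B210)
Logon Type: 3
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 10.0.0.5

Event ID: 560
Object Name: C:\\payroll\\salaries.xls
Logon ID: (0x0,0x4B210)
"""

def parse_records(text):  # one dict of field -> value per record; blank values stay ""
    return [{k.strip(): v.strip() for k, _, v in (l.partition(":") for l in block.splitlines())}
            for block in re.split(r"\n\s*\n", text.strip())]

def build_sessions(records):  # index 528/540 by Logon ID (unique only until restart), noting field quirks
    sessions = {}
    for r in records:
        if r.get("Event ID") not in ("528", "540"):
            continue
        ltype, notes = int(r["Logon Type"]), []
        if r["Event ID"] == "540" and ltype != 3:
            notes.append("540 should always be logon type 3")
        if not r["Workstation Name"] and r["Authentication Package"] == "Kerberos":
            notes.append("workstation blank for Kerberos; rely on Source Network Address")
        sessions[r["Logon ID"]] = {"user": r["User Name"], "type": LOGON_TYPES.get(ltype, str(ltype)),
                                   "source": r["Source Network Address"], "notes": notes}
    return sessions

def correlate(records, sessions):  # join non-logon records carrying a Logon ID to their logon session
    return [(r["Event ID"], r.get("Object Name", ""), sessions.get(r["Logon ID"]))
            for r in records if r.get("Event ID") not in ("528", "540") and "Logon ID" in r]
```

Because a Logon ID can be reused after a restart, index only the records between two boots when running this over a real log.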
No user action is required.