Events 528 and 540

Logon events.

Event 528 and Event 540 are the Logon events. Event 528 is for all logons except "network" logons. "Network" logons are SMB/Microsoft-DS logons (i.e. connecting to a share). RDP, IIS, FTP logons, etc., are event 528 even though credentials may have come from over the network. All event 540s are logon type 3.

For Kerberos logons, the workstation field might not be filled out. The Kerberos ticket request messages don't have a field where we can carry this information, and authentication of the user account is not based on the machine's TGT, so to the KDC the workstation just looks like an IP address.

Not every code path in Windows Server 2003 is instrumented for IP address, so it's not always filled out.

"Transited services" is part of our S4U delegation mechanism.
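The rules above applied to event descriptions, as an added Python example that is not from the original post: it checks the 528/540 versus logon type 3 split and treats an empty or "-" workstation or source address as unknown instead of as a value to match on. The field labels are assumed to follow the Windows Server 2003 description layout, the function names are hypothetical, and the sample events are constructed.

```python
import re

# Logon type numbers Microsoft documents for Windows logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")

def parse_description(text):
    """Turn the 'Label: value' lines of an event description into a dict."""
    matches = (FIELD_RE.match(line) for line in text.splitlines())
    return {m.group(1).strip(): m.group(2) for m in matches if m}

def known(value):
    """Empty and '-' both mean the code path did not supply the field."""
    return None if value in (None, "", "-") else value

def normalize(event_id, description):
    """Normalize one 528/540 event (hypothetical helper, not a Windows API)."""
    if event_id not in (528, 540):
        raise ValueError("not a logon event: %r" % event_id)
    f = parse_description(description)
    logon_type = int(f["Logon Type"])
    notes = []
    # 540 is always logon type 3; 528 covers every other logon type.
    if (event_id == 540) != (logon_type == 3):
        notes.append("event id / logon type mismatch")
    workstation = known(f.get("Workstation Name"))
    address = known(f.get("Source Network Address"))
    if workstation is None and address is None:
        notes.append("no origin recorded")
    return {
        "user": f.get("Domain", "") + "\\" + f.get("User Name", ""),
        "logon_type": LOGON_TYPES.get(logon_type, "Unknown(%d)" % logon_type),
        "workstation": workstation,
        "source_address": address,
        "origin": address or workstation,  # prefer the address when present
        "notes": notes,
    }

# Constructed samples (not real log data): a Kerberos share logon with no
# workstation name, and an RDP logon with no source address.
SAMPLE_540 = ("Successful Network Logon:\n\tUser Name:\talice\n\tDomain:\tEXAMPLE\n"
              "\tLogon Type:\t3\n\tWorkstation Name:\t\n"
              "\tSource Network Address:\t192.0.2.10\n")
SAMPLE_528 = ("Successful Logon:\n\tUser Name:\tbob\n\tDomain:\tEXAMPLE\n"
              "\tLogon Type:\t10\n\tWorkstation Name:\tWS01\n"
              "\tSource Network Address:\t-\n")
```
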

Here's the description from https://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=528&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.2