System32
Events
Compliance
Validator
TLS/SSL
PingSentry
GeoIP
Tools
Audit Category
Logon/Logoff
(17)
System
(11)
Object Access
(10)
Detailed Tracking
(6)
Privilege Use
(3)
Audit Subcategory
Operating Systems
Windows 2003
(51)
Windows Server 2000
(51)
Windows XP
(51)
Tags
Auditing
Volume
EventSentry
All events
ID
Event Description
512
Windows NT is starting up
513
Windows is shutting down
514
An authentication package has been loaded by the Local Security Authority
515
A trusted logon process has registered with the Local Security Authority
516
Queuing of audit messages have been exhausted, leading to the loss of some audits
517
The audit log was cleared
518
A notification package has been loaded by the Security Account Manager
519
A process is using an invalid local procedure call (LPC) port
520
The system time was changed
521
Unable to log events to security log
523
The security log is full
528
Successful Logon
529
Logon Failure : Unknown username or bad password
530
Logon Failure : Account logon time restriction violation
531
Logon Failure : Account currently disabled
532
Logon Failure : The specified user account has expired
533
Logon Failure : User not allowed to logon at this computer
534
Logon Failure : The user has note been granted the requested logon type at this machine
535
Logon Failure : The specified account's password has expired
536
Logon Failure : The NetLogon component is not active
537
The logon attempt failed for other reasons
538
The user has logged off
539
Logon Failure : Account locked out
540
Successful Network Logon
548
Logon Failure : Domain SID inconsistent
549
Logon Failure : All SIDs were filtered out
551
User initiated logoff
552
Logon attempt using explicit credentials
560
Object Open
561
Handle Allocated
562
Handle Closed
563
Object Open for Delete
564
Object Deleted
565
Object Open
566
Object Operation
567
Object Access Attempt
568
Hard link creation attempt
569
Application client context creation attempt
570
Application operation attempt
571
Application client context deletion
572
Application Initialized
574
Security on object changed
576
Special privileges assigned to new logon
577
Privileged Service Called
578
Privileged object operation
592
A new process has been created
593
A process has exited
594
A handle to an object has been duplicated
595
Indirect access to an object has been obtained
596
Backup of data protection master key
600
A process was assigned a primary token