Sunday, May 23, 2010

Windows Logon Event ID Log Type

Useful for system audits and upkeep during server maintenance.


| Event ID | Description |
|----------|-------------|
| 528 | Successful logon. |
| 529 | Logon failure. Unknown user name or bad password. |
| 530 | Logon failure. Account logon time restriction violation. |
| 531 | Logon failure. The account is currently disabled. |
| 532 | Logon failure. The specified user account has expired. |
| 533 | Logon failure. The user is not allowed to log on at this computer. |
| 534 | Logon failure. The user has not been granted the requested logon type at this computer. |
| 535 | Logon failure. The specified account’s password has expired. |
| 536 | Logon failure. The NetLogon component is not active. |
| 537 | Logon failure. An unexpected error occurred during logon. |
| 538 | User logoff. This event is generated when the logoff process is complete. A logoff is considered complete when the associated logon session object is deleted, which occurs after all tokens associated with the logon session are closed. This can take an arbitrarily long time; this event should not be used to calculate the total logon duration. Instead, use event 551. |
| 539 | Logon failure. Account locked out. |
| 540 | Successful network logon. |
| 541 | IPSec security association established. |
| 542 | IPSec security association ended. Mode: Data Protection (Quick mode). |
| 543 | IPSec security association ended. Mode: Key Exchange (Main mode). |
| 544 | IPSec security association establishment failed because peer could not authenticate. The certificate trust could not be established. |
| 545 | IPSec peer authentication failed. |
| 546 | IPSec security association establishment failed because peer sent invalid proposal. |
| 547 | IPSec security association negotiation failed. |
| 548 | Logon failure. Domain security identifier (SID) is inconsistent. This event is generated when a user account from a trusted domain attempts to authenticate, but the domain SID does not match the SID stored in the Trusted Domain Object (TDO). |
| 549 | Logon failure. All SIDs were filtered out. During authentication across forests, SIDs corresponding to untrusted namespaces are filtered out. This event is generated when all SIDs are filtered. This event is generated on the Kerberos Key Distribution Center (KDC). This event is not generated on Windows Server 2003. |
| 550 | Notification message that can indicate a possible denial-of-service attack. |
| 551 | User-initiated logoff. This event is generated when the user initiates the logoff process. When the logoff process is complete, event 538 is logged. |
| 552 | Successful logon. This event is generated when a user logs on with explicit credentials while already logged on as another user. This event is logged when using the RunAs tool. |
| 553 | Logon failure. This event is generated when an authentication package detects a replay attack. |
