Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 540 - Successful Network Logon [Win XP]
EventID 540 - Successful Network Logon [Win XP]
Indicates that a logon session was successfully created for the user logging in remotely to access a network resource (e.g. a file share).

Note:
The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Logon ID is unique to that logon session until the computer is restarted, at which point the Logon ID may be reused. The Logon ID can be used to correlate a logon message with other messages, such as object access messages.
For logons that use Kerberos, the logon GUID can be used to associate a logon event on this computer with an account logon event on an authenticating computer, such as a domain controller.
This event is logged whenever a user logs on either with its local SAM account or a domain account.
This message also includes a logon type code. The logon type code indicates the manner in which the user logged on. 

For explanation of the values of some fields please refer to the corresponding links below:

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2000

Windows 2003

Windows 2008

     Sample:
            Event Type:     Success Audit
            Event Source:   Security
            Event Category: Logon/Logoff
            Event ID:       540
            Date:           10/26/2009
            Time:           07:31:44
            User:           NT AUTHORITY\SYSTEM
            Computer:       DC1
            Description:
            Successful Network Logon:
            User Name:	DC1$
            Domain:		RESEARCH
            Logon ID:		(0x0,0x60F7C2)
            Logon Type:	3
            Logon Process:	Kerberos
            Authentication Package:	Kerberos
            Workstation Name:
            Logon GUID:	{1be8f5d6-8f8a-62c1-d74c-5d4a7950138a}
    Log Type: Windows Event Log
     Uniquely Identified By:
    Log Name: Security
    Filtering Field Equals to Value
    OSVersion Windows XP
    Source Security
    Category Logon/Logoff
    EventId 540
    Field Matching
    FieldDescriptionStored inSample Value
    DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
    Source Name of an Application or System Service originating the event. Source Security
    Type Warning, Information, Error, Success, Failure, etc. Type Success
    User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
    Computer Name of server workstation where event was logged. Computer DC1
    EventID Numerical ID of event. Unique within one Event Source. EventId 576
    Description The entire unparsed event message. Description Special privileges assigned to new logon.
    Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
    Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
    Domain Domain of the account for which logon is requested. InsertionString2 RESEARCH
    User Name Account name of the user logging in InsertionString1 DC1$
    Logon ID InsertionString3 (0x0,0x60F7C2)
    Logon Type Interactive, Network, Batch, etc. Please find the code descriptions here. InsertionString4 3
    Logon Process The program executable that processed the logon. Please find full logon processes list here. InsertionString5 Kerberos
    Authentication Package The name of the authentication package (method) used to check user credentials (e.g. NTLM or Kerberos). Please find full authentication packages list here. InsertionString6 Kerberos
    Workstation Name The NetBIOS name of the remote computer that originated the logon request InsertionString7
    Logon GUID A globally unique identifier of the logon. For logons that use Kerberos, the logon GUID can be used to associate a logon event on the computer where the logon was initiated with an account logon message on an authenticating computer, such as a domain controller. InsertionString8 {1be8f5d6-8f8a-62c1-d74c-5d4a7950138a}
    Comments
    You must be logged in to comment