Event-o-Pedia EventID 528 - Successful Logon [Win 2003]

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 528 - Successful Logon [Win 2003]

EventID 528 - Successful Logon [Win 2003]

Indicates that a logon session was successfully created for the user logging in locally.

Note:
The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Logon ID is unique to that logon session until the computer is restarted, at which point the Logon ID may be reused. The Logon ID can be used to correlate a logon message with other messages, such as object access messages.
For logons that use Kerberos, the logon GUID can be used to associate a logon event on this computer with an account logon message on an authenticating computer, such as a domain controller.
For explanation of the values of some fields please refer to the corresponding links below:

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows XP

EventID 528 - Successful Logon [Win XP]

Windows 2000

EventID 528 - Successful Logon [2000]

Windows 2008

EventID 4624 - An account was successfully logged on

Sample:

        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Logon/Logoff
        Event ID:       528
        Date:           11/2/2009
        Time:           05:47:29
        User:           RESEARCH\Ann_Benning
        Computer:       DC1
        Description:
        Successful Logon:
        User Name:	Paul
        Domain:		RESEARCH
        Logon ID:		(0x0,0x3A7A6E0)
        Logon Type:	2
        Logon Process:	seclogon
        Authentication Package:	Negotiate
        Workstation Name:	DC1
        Logon GUID:	{f6956476-dd7a-df4a-1006-c2026f6e3cc3}
        Caller User Name:	CBrown
        Caller Domain:	RESEARCH
        Caller Logon ID:	(0x0,0x697DC)
        Caller Process ID: 884
        Transited Services: -
        Source Network Address:	-
        Source Port:	-

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows 2003
Source	Security
Category	Logon/Logoff
EventId	528

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Category	A name for a subclass of events within the same Event Source.	Category	Logon/Logoff
Domain	Domain of the account for which logon is requested.	InsertionString2	RESEARCH
User Name	Account name of the user logging in	InsertionString1	Paul
Logon ID	ID of the logon session of the successfully logged in user. Useful for tracking other user activity within the same logon session.	InsertionString3	(0x0,0x3A7A6E0)
Logon Type	Interactive, Network, Batch, etc. Please find the code descriptions here.	InsertionString4	2
Logon Process	The program executable that processed the logon. Please find full logon processes list here.	InsertionString5	seclogon
Authentication Package	The name of the authentication package (method) used to check user credentials (e.g. NTLM or Kerberos). Please find full authentication packages list here.	InsertionString6	Negotiate
Workstation Name	The NetBIOS name of the remote computer that originated the logon request	InsertionString7	DC1
Logon GUID	A globally unique identifier of the logon. For logons that use Kerberos, the logon GUID can be used to associate a logon event on the computer where the logon was initiated with an account logon message on an authenticating computer, such as a domain controller.	InsertionString8	{f6956476-dd7a-df4a-1006-c2026f6e3cc3}
Caller User Name	Account name of the user requesting the logon (not the user that attempted logon). Normally it is empty or displays the service principal name.	InsertionString9	CBrown
Caller Domain	Domain name of the account mentioned in the "Caller User Name" field	InsertionString10	RESEARCH
Caller Logon ID	ID of the logon session of the account mentioned in the "Caller User Name" field. Useful for tracking other activity of this account within the same logon session.	InsertionString11	(0x0,0x697DC)
Caller Process ID	ID of the process initiating the logon request	InsertionString12	884
Transited Services	Indicates which intermediate services have participated in this logon request	InsertionString13	-
Source Network Address	The IP address of the remote computer that originated the logon request	InsertionString14	-
Source Port	The source TCP port of the remote computer that originated the logon request	InsertionString15	-