| Field | Description | Field ID | Sample value |
|---|---|---|---|
| DateTime | Date/Time of event origination in GMT format. | DateTime | 10.10.2000 19:00:00 |
| Source | Name of an Application or System Service originating the event. | Source | Security |
| Type | Warning, Information, Error, Success, Failure, etc. | Type | Success |
| User | Domain\Account name of user/service/computer initiating event. | User | RESEARCH\Alebovsky |
| Computer | Name of the server or workstation where the event was logged. | Computer | DC1 |
| EventID | Numerical ID of event. Unique within one Event Source. | EventId | 576 |
| Description | The entire unparsed event message. | Description | Special privileges assigned to new logon. |
| Log Name | The name of the event log (e.g. Application, Security, System, etc.) | LogName | Security |
| Category | A name for a subclass of events within the same Event Source. | Category | Logon/Logoff |
| Domain | Domain of the account for which logon is requested. | InsertionString2 | RESEARCH |
| User Name | Account name of the user logging in | InsertionString1 | Paul |
| Logon ID | ID of the logon session of the successfully logged in user. Useful for tracking other user activity within the same logon session. | InsertionString3 | (0x0,0x3A7A6E0) |
| Logon Type | Interactive, Network, Batch, etc. Please find the code descriptions here. | InsertionString4 | 2 |
| Logon Process | The program executable that processed the logon. Please find full logon processes list here. | InsertionString5 | seclogon |
| Authentication Package | The name of the authentication package (method) used to check user credentials (e.g. NTLM or Kerberos). Please find full authentication packages list here. | InsertionString6 | Negotiate |
| Workstation Name | The NetBIOS name of the remote computer that originated the logon request | InsertionString7 | DC1 |
| Logon GUID | A globally unique identifier of the logon. For logons that use Kerberos, the logon GUID can be used to associate a logon event on the computer where the logon was initiated with an account logon message on an authenticating computer, such as a domain controller. | InsertionString8 | {f6956476-dd7a-df4a-1006-c2026f6e3cc3} |
| Caller User Name | Account name of the user requesting the logon (not the user that attempted logon). Normally it is empty or displays the service principal name. | InsertionString9 | CBrown |
| Caller Domain | Domain name of the account mentioned in the "Caller User Name" field | InsertionString10 | RESEARCH |
| Caller Logon ID | ID of the logon session of the account mentioned in the "Caller User Name" field. Useful for tracking other activity of this account within the same logon session. | InsertionString11 | (0x0,0x697DC) |
| Caller Process ID | ID of the process initiating the logon request | InsertionString12 | 884 |
| Transited Services | Indicates which intermediate services have participated in this logon request | InsertionString13 | - |
| Source Network Address | The IP address of the remote computer that originated the logon request | InsertionString14 | - |
| Source Port | The source TCP port of the remote computer that originated the logon request | InsertionString15 | - |