Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode->EventID 4981 - IPsec Main Mode and Extended Mode security associations were established.
EventID 4981 - IPsec Main Mode and Extended Mode security associations were established.
Find more information about this event on ultimatewindowssecurity.com.
        IPsec Main Mode and Extended Mode security associations were established.

        Local Endpoint:
        Principal Name:		%1
        Network Address:	%9
        Keying Module Port:	%10

        Local Certificate:
        SHA Thumbprint:	%2
        Issuing CA:		%3
        Root CA:		%4

        Remote Endpoint:
        Principal Name:		%5
        Network Address:	%11
        Keying Module Port:	%12

        Remote Certificate:
        SHA Thumbprint:	%6
        Issuing CA:		%7
        Root CA:		%8

        Cryptographic Information:
        Cipher Algorithm:	%13
        Integrity Algorithm:	%14
        Diffie-Hellman Group:	%15

        Security Association Information:
        Lifetime (minutes):	%16
        Quick Mode Limit:	%17
        Main Mode SA ID:	%21

        Additional Information:
        Keying Module Name:	AuthIP
        Authentication Method:	SSL
        Role:			%18
        Impersonation State:	%19
        Main Mode Filter ID:	%20

        Extended Mode Information:
        Local Principal Name:	%22
        Remote Principal Name:	%23
        Authentication Method:	%24
        Impersonation State:	%25
        Quick Mode Filter ID:	%26
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Logon/Logoff
Source Microsoft-Windows-Security-Auditing
TaskCategory IPsec Extended Mode
EventId 4981
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Task Category A name for a subclass of events within the same Event Source. TaskCategory
Level Warning, Information, Error, etc. Level
Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
Object Name -
Whom -
Object Type -
Class Name -
Security ID -
Account Name -
Account Domain -
Local Endpoint: Principal Name InsertionString1
Local Endpoint: Network Address InsertionString9
Local Endpoint: Keying Module Port InsertionString10
Local Certificate: SHA Thumbprint InsertionString2
Local Certificate: Issuing CA InsertionString3
Local Certificate: Root CA InsertionString4
Remote Endpoint: Principal Name InsertionString5
Remote Endpoint: Network Address InsertionString11
Remote Endpoint: Keying Module Port InsertionString12
Remote Certificate: SHA Thumbprint InsertionString6
Remote Certificate: Issuing CA InsertionString7
Remote Certificate: Root CA InsertionString8
Cryptographic Information: Cipher Algorithm InsertionString13
Cryptographic Information: Integrity Algorithm InsertionString14
Cryptographic Information: Diffie-Hellman Group InsertionString15
Security Association Information: Lifetime (minutes) InsertionString16
Security Association Information: Quick Mode Limit InsertionString17
Security Association Information: Main Mode SA ID InsertionString21
Additional Information: Keying Module Name "AuthIP" AuthIP
Additional Information: Authentication Method "SSL" SSL
Additional Information: Role InsertionString18
Additional Information: Impersonation State InsertionString19
Additional Information: Main Mode Filter ID InsertionString20
Extended Mode Information: Local Principal Name InsertionString22
Extended Mode Information: Remote Principal Name InsertionString23
Extended Mode Information: Authentication Method InsertionString24
Extended Mode Information: Impersonation State InsertionString25
Extended Mode Information: Quick Mode Filter ID InsertionString26
You must be logged in to comment