Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Logon->EventID 4624 - An account was successfully logged on.
EventID 4624 - An account was successfully logged on.
Indicates that a logon session was successfully created for the user logging on to the local computer either locally or remotely.

Note:
The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Logon ID is unique to that logon session until the computer is restarted, at which point the Logon ID may be reused. The Logon ID can be used to correlate a logon message with other messages, such as object access messages.

For logons that use Kerberos, the logon GUID can be used to associate a logon event on this computer with an account logon message on an authenticating computer, such as a domain controller.

For explanation of the values of some fields please refer to the corresponding links below:

Find more information about this event on ultimatewindowssecurity.com.
 

Corresponding events on other OS versions:


Windows 2003 Windows 2000
 Sample:
An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		ITSS\igor.ilyin
	Account Name:		igor.ilyin
	Account Domain:		ITSS.WM.ZHU.CN.QSFT
	Logon ID:		0xC6F2FBBD
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{941aeec7-058b-c6ea-25db-5f7682d2bacd}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	10.154.12.53
	Source Port:		53384

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
===========================
Description template stored in adtschema.dll:
===========================
An account was successfully logged on.

Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Logon Information:
	Logon Type:		%9
	Restricted Admin Mode:	%22
	Virtual Account:		%25
	Elevated Token:		%27

Impersonation Level:		%21

New Logon:
	Security ID:		%5
	Account Name:		%6
	Account Domain:		%7
	Logon ID:		%8
	Linked Logon ID:		%26
	Network Account Name:	%23
	Network Account Domain:	%24
	Logon GUID:		%13

Process Information:
	Process ID:		%17
	Process Name:		%18

Network Information:
	Workstation Name:	%12
	Source Network Address:	%19
	Source Port:		%20

Detailed Authentication Information:
	Logon Process:		%10
	Authentication Package:	%11
	Transited Services:	%14
	Package Name (NTLM only):	%15
	Key Length:		%16

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Logon/Logoff
Source Microsoft-Windows-Security-Auditing
TaskCategory Logon
EventId 4624
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Task Category A name for a subclass of events within the same Event Source. TaskCategory
Level Warning, Information, Error, etc. Level
Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
Object Name -
Whom -
Object Type -
Class Name -
Security ID -
Account Name -
Account Domain -
Subject: Security ID InsertionString1 NULL SID
Subject: Account Name InsertionString2 -
Subject: Account Domain InsertionString3 -
Subject: Logon ID InsertionString4 0x0
New Logon: Security ID InsertionString5 ITSS\igor.ilyin
New Logon: Account Name InsertionString6 igor.ilyin
New Logon: Account Domain InsertionString7 ITSS.WM.ZHU.CN.QSFT
New Logon: Logon ID InsertionString8 0xC6F2FBBD
New Logon: Logon GUID InsertionString13 {941aeec7-058b-c6ea-25db-5f7682d2bacd}
Process Information: Process ID InsertionString17 0x0
Process Information: Process Name InsertionString18 -
Network Information: Workstation Name InsertionString12 -
Network Information: Source Network Address InsertionString19 10.154.12.53
Network Information: Source Port InsertionString20 53384
Detailed Authentication Information: Logon Process InsertionString10 Kerberos
Detailed Authentication Information: Authentication Package InsertionString11 Kerberos
Detailed Authentication Information: Transited Services InsertionString14 -
Detailed Authentication Information: Package Name (NTLM only) InsertionString15 -
Detailed Authentication Information: Key Length InsertionString16 0
Logon Information: Logon Type InsertionString9 3
Logon Information: Restricted Admin Mode InsertionString22 -
Logon Information: Virtual Account InsertionString25 No
Logon Information: Elevated Token InsertionString27 Yes
Impersonation Level InsertionString21 Impersonation
New Logon: Linked Logon ID InsertionString26 0x0
New Logon: Network Account Name InsertionString23 -
New Logon: Network Account Domain InsertionString24 -
Comments
You must be logged in to comment