Event-o-Pedia EventID 4982 - IPsec Main Mode and Extended Mode security associations were established. [2012 and higher]

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode->EventID 4982 - IPsec Main Mode and Extended Mode security associations were established. [2012 and higher]

EventID 4982 - IPsec Main Mode and Extended Mode security associations were established. [2012 and higher]

Find more information about this event on ultimatewindowssecurity.com.

Sample:

===========================
Description template stored in adtschema.dll:
===========================
IPsec Main Mode and Extended Mode security associations were established.

        Local Endpoint:
        Principal Name:		%1
        Network Address:
        Keying Module Port:	%9

        Local Certificate:
        SHA Thumbprint:	%2
        Issuing CA:		%3
        Root CA:		%4

        Remote Endpoint:
        Principal Name:		%5
        Network Address:	%10
        Keying Module Port:	%11

        Remote Certificate:
        SHA Thumbprint:	%6
        Issuing CA:		%7
        Root CA:		%8

        Cryptographic Information:
        Cipher Algorithm:	%12
        Integrity Algorithm:	%13
        Diffie-Hellman Group:	%14

        Security Association Information:
        Lifetime (minutes):	%15
        Quick Mode Limit:	%16
        Main Mode SA ID:	%20

        Additional Information:
        Keying Module Name:	AuthIP
        Authentication Method:	SSL
        Role:			%17
        Impersonation State:	%18
        Main Mode Filter ID:	%19

        Extended Mode Local Endpoint:
        Principal Name:		%21
        Certificate SHA Thumbprint:	%22
        Certificate Issuing CA:	%23
        Certificate Root CA:	%24

        Extended Mode Remote Endpoint:
        Principal Name:		%25
        Certificate SHA Thumbprint:	%26
        Certificate Issuing CA:	%27
        Certificate Root CA:	%28
        Extended Mode Additional Information:
        Authentication Method:	SSL
        Impersonation State:	%29
        Quick Mode Filter ID:	%30

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	Logon/Logoff
Source	Microsoft-Windows-Security-Auditing
TaskCategory	IPsec Extended Mode
EventId	4982

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Task Category	A name for a subclass of events within the same Event Source.	TaskCategory
Level	Warning, Information, Error, etc.	Level
Keywords	Audit Success, Audit Failure, Classic, Connection etc.	Keywords
Category	A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version.	Category	Account Logon
Object Name		-
Whom		-
Object Type		-
Class Name		-
Security ID		-
Account Name		-
Account Domain		-
Local Endpoint: Principal Name		InsertionString1
Local Endpoint: Keying Module Port		InsertionString9
Local Certificate: SHA Thumbprint		InsertionString2
Local Certificate: Issuing CA		InsertionString3
Local Certificate: Root CA		InsertionString4
Remote Endpoint: Principal Name		InsertionString5
Remote Endpoint: Network Address		InsertionString10
Remote Endpoint: Keying Module Port		InsertionString11
Remote Certificate: SHA Thumbprint		InsertionString6
Remote Certificate: Issuing CA		InsertionString7
Remote Certificate: Root CA		InsertionString8
Cryptographic Information: Cipher Algorithm		InsertionString12
Cryptographic Information: Integrity Algorithm		InsertionString13
Cryptographic Information: Diffie-Hellman Group		InsertionString14
Security Association Information: Lifetime (minutes)		InsertionString15
Security Association Information: Quick Mode Limit		InsertionString16
Security Association Information: Main Mode SA ID		InsertionString20
Additional Information: Keying Module Name		"AuthIP"	AuthIP
Additional Information: Authentication Method		"SSL"	SSL
Additional Information: Role		InsertionString17
Additional Information: Impersonation State		InsertionString18
Additional Information: Main Mode Filter ID		InsertionString19
Extended Mode Local Endpoint: Principal Name		InsertionString21
Extended Mode Local Endpoint: Certificate SHA Thumbprint		InsertionString22
Extended Mode Local Endpoint: Certificate Issuing CA		InsertionString23
Extended Mode Local Endpoint: Certificate Root CA		InsertionString24
Extended Mode Remote Endpoint: Principal Name		InsertionString25
Extended Mode Remote Endpoint: Certificate SHA Thumbprint		InsertionString26
Extended Mode Remote Endpoint: Certificate Issuing CA		InsertionString27
Extended Mode Remote Endpoint: Certificate Root CA		InsertionString28
Extended Mode Additional Information: Authentication Method		"SSL"	SSL
Extended Mode Additional Information: Impersonation State		InsertionString29
Extended Mode Additional Information: Quick Mode Filter ID		InsertionString30