Audit logon events
Applies to
Determines whether to audit each instance of a user logging on to or logging off from a device.
Account logon events are generated on domain controllers for domain account activity and on local devices for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more info about account logon events, see Audit account logon events.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
For information about advanced security policy settings for logon events, see the Logon/logoff section in Advanced security audit policy settings.
Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
Logon events | Description |
---|---|
4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
4634 | The logoff process was completed for a user. |
4647 | A user initiated the logoff process. |
4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
4779 | A user disconnected a terminal server session without logging off. |
When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.
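The logon type that accompanies a logon event lives in the event's data, so the practical question for a defender is how to pull it out in bulk. The following PowerShell is an added example, not code from the original page: it parses 4624/4625 records from their XML form and summarises them by logon type. The three records are constructed for the demo in the schema that Get-WinEvent's ToXml() returns for Security events (only the Data fields the demo needs are present), the function names are mine, and the LogonType code names are the standard documented Windows values.

```powershell
# Added example, not from the original page. Three constructed Security event
# records in the XML shape Get-WinEvent's ToXml() produces; fields trimmed.
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><Channel>Security</Channel><Computer>WS01.corp.example</Computer></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data></EventData>
</Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><Channel>Security</Channel><Computer>WS01.corp.example</Computer></System>
 <EventData><Data Name="TargetUserName">svc-backup</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID><Channel>Security</Channel><Computer>WS01.corp.example</Computer></System>
 <EventData><Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.9</Data>
  <Data Name="Status">0xc000006d</Data></EventData>
</Event>
'@
)

# Standard Windows logon-type codes carried in the LogonType field.
$LogonTypeNames = @{
    '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'; '7' = 'Unlock'
    '8' = 'NetworkCleartext'; '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

function ConvertFrom-LogonEventXml {
    # Turn one 4624/4625 XML record into a flat object (hypothetical helper name).
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $sys = $doc.Event.System
    # The XML adapter returns a plain string for EventID unless the element has attributes.
    $id = if ($sys.EventID -is [System.Xml.XmlElement]) { $sys.EventID.InnerText } else { $sys.EventID }
    $f = @{}
    foreach ($d in $doc.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    $lt = [string]$f['LogonType']
    $typeName = if ($LogonTypeNames.ContainsKey($lt)) { $LogonTypeNames[$lt] } else { 'Unknown' }
    [pscustomobject]@{
        EventId       = [int]$id
        Computer      = $sys.Computer
        User          = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
        LogonType     = $lt
        LogonTypeName = $typeName
        Source        = $f['IpAddress']
        Status        = $f['Status']   # only present on 4625
    }
}

function Get-LogonSummary {
    # Count successes per logon type and list every failure with its source.
    param([Parameter(Mandatory)][string[]]$EventXml)
    $parsed = $EventXml | ForEach-Object { ConvertFrom-LogonEventXml -Xml $_ }
    $ok  = @($parsed | Where-Object { $_.EventId -eq 4624 })
    $bad = @($parsed | Where-Object { $_.EventId -eq 4625 })
    [pscustomobject]@{
        Successes      = $ok.Count
        Failures       = $bad.Count
        SuccessByType  = ($ok | Group-Object LogonTypeName | ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ', '
        FailureDetails = $bad | Select-Object User, LogonTypeName, Source, Status
    }
}

function Get-LiveLogonSummary {
    # Live use (elevated prompt): same summary over the newest Security log records.
    param([int]$MaxEvents = 500)
    $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents $MaxEvents |
           ForEach-Object { $_.ToXml() }
    Get-LogonSummary -EventXml $xml
}

Get-LogonSummary -EventXml $sampleEvents | Format-List
```

On the constructed input the summary reports two successes (one Interactive, one Network) and one RemoteInteractive failure from 10.0.0.9. Parsing the XML by field name rather than by position keeps the function usable across Windows versions that add fields to 4624, and reading Status from 4625 lets a reviewer separate bad-password failures from other causes before deciding what to escalate.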
Audit Other System Events
Applies to
- Windows 10
- Windows Server 2016
Audit Other System Events covers Windows Firewall Service and Windows Firewall driver start and stop events, failure events for that service and driver, and Windows Firewall Service policy-processing failures.
Audit Other System Events determines whether the operating system audits various system events.
The system events in this category include:
- Startup and shutdown of the Windows Firewall service and driver.
- Security policy processing by the Windows Firewall service.
- Cryptography key file and migration operations.
Event volume: Low.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
---|---|---|---|---|---|
Domain Controller | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
Member Server | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
Workstation | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
Events List:
5024(S): The Windows Firewall Service has started successfully.
5025(S): The Windows Firewall Service has been stopped.
5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030(F): The Windows Firewall Service failed to start.
5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033(S): The Windows Firewall Driver has started successfully.
5034(S): The Windows Firewall Driver was stopped.
5035(F): The Windows Firewall Driver failed to start.
5037(F): The Windows Firewall Driver detected critical runtime error. Terminating.
5058(S, F): Key file operation.
5059(S, F): Key migration operation.
6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
6401(-): BranchCache: Received invalid data from a peer. Data discarded.
6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
6405(-): BranchCache: %2 instance(s) of event id %1 occurred.
6406(-): %1 registered to Windows Firewall to control filtering for the following: %2
6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2
6409(-): BranchCache: A service connection point object could not be parsed.
Audit account logon events
Applies to
Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller’s security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails. To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
Default: Success
Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
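The policy path above (and the identical one in the "Audit logon events" section) is the Group Policy editor route. The same settings can be inspected and changed from the command line with auditpol.exe, which ships with Windows; the following is an added example, not from the original page, run from an elevated PowerShell prompt. The category and subcategory names are auditpol's own; the backup file path is my choice.

```powershell
# Added example, not from the original page. Requires an elevated prompt:
# auditpol reads and writes the effective audit policy.

# Save the current effective policy first so the change can be reverted.
auditpol /backup /file:"$env:TEMP\audit-policy-before.csv"

# Show what is currently in force for the categories this page covers.
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"
auditpol /get /category:"System"

# Enable Success and Failure auditing for the subcategories that emit the
# event IDs listed on this page: Logon (4624/4625/4648), Logoff (4634/4647),
# Other Logon/Logoff Events (4649, 4778/4779, 4800-4803, 5378, 5632/5633),
# Other System Events (the 50xx firewall and key-file events) and
# Credential Validation (account logon validation on the DC).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

# Confirm the result for one subcategory.
auditpol /get /subcategory:"Logon"

# Revert to the saved policy if needed:
# auditpol /restore /file:"$env:TEMP\audit-policy-before.csv"
```

Two caveats a practitioner should keep in mind. On a domain-joined machine, audit settings delivered by Group Policy are reapplied at the next policy refresh and will overwrite local auditpol changes, so persistent changes belong in the GPO. And when the security option "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, the legacy categories under Local Policies\Audit Policy are ignored in favour of the advanced subcategory settings, so `auditpol /get` is the reliable way to see what is actually in effect.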
Audit Other Logon/Logoff Events
Applies to
- Windows 10
- Windows Server 2016
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.
These other logon or logoff events include:
- A Remote Desktop session connects or disconnects.
- A workstation is locked or unlocked.
- A screen saver is invoked or dismissed.
- A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
- A user is granted access to a wireless network. It can be either a user account or the computer account.
- A user is granted access to a wired 802.1x network. It can be either a user account or the computer account.
Logon events are essential to understanding user activity and detecting potential attacks.
Event volume: Low.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
---|---|---|---|---|---|
Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. The volume of these events is typically very low. Failure events will show you when a requested CredSSP credential delegation was disallowed by policy; the volume of these events is very low, and typically you will not get any of them. |
Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing to track possible terminal session connect and disconnect actions, network authentication events, and some other events. The volume of these events is typically very low. Failure events will show you when a requested CredSSP credential delegation was disallowed by policy; the volume of these events is very low, and typically you will not get any of them. |
Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing to track possible terminal session connect and disconnect actions, network authentication events, and some other events. The volume of these events is typically very low. Failure events will show you when a requested CredSSP credential delegation was disallowed by policy; the volume of these events is very low, and typically you will not get any of them. |
Events List:
4649(S): A replay attack was detected.
4778(S): A session was reconnected to a Window Station.
4779(S): A session was disconnected from a Window Station.
4800(S): The workstation was locked.
4801(S): The workstation was unlocked.
4802(S): The screen saver was invoked.
4803(S): The screen saver was dismissed.
5378(F): The requested credentials delegation was disallowed by policy.
5632(S): A request was made to authenticate to a wireless network.
5633(S): A request was made to authenticate to a wired network.
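The 4778/4779 pair is the one a defender most often has to reconstruct, because a single session can reconnect and disconnect many times and the interesting question is who connected from where and for how long. The following PowerShell is an added example, not code from the original page: it pairs each 4778 reconnect with the matching 4779 disconnect for the same Logon ID and session name and produces a timeline. The records are constructed and mimic the shape Get-WinEvent exposes (Id, TimeCreated and a Properties array); the positional order assumed for these two events is AccountName, AccountDomain, LogonID, SessionName, ClientName, ClientAddress, and the function names are mine.

```powershell
# Added example, not from the original page.

function New-SampleRecord {
    # Build a constructed record that looks like a Get-WinEvent result (hypothetical helper).
    param([int]$Id, [datetime]$Time, [string[]]$Values)
    [pscustomobject]@{
        Id          = $Id
        TimeCreated = $Time
        Properties  = @($Values | ForEach-Object { [pscustomobject]@{ Value = $_ } })
    }
}

# Constructed sample: one full reconnect/disconnect cycle, then a later
# reconnect with no disconnect yet. Values are positional:
# AccountName, AccountDomain, LogonID, SessionName, ClientName, ClientAddress
$sample = @(
    New-SampleRecord 4778 (Get-Date '2024-01-10T08:00:00') 'alice','CORP','0x3e7a1','RDP-Tcp#3','LAPTOP-A','10.0.0.5'
    New-SampleRecord 4779 (Get-Date '2024-01-10T08:45:00') 'alice','CORP','0x3e7a1','RDP-Tcp#3','LAPTOP-A','10.0.0.5'
    New-SampleRecord 4778 (Get-Date '2024-01-10T22:10:00') 'alice','CORP','0x3e7a1','RDP-Tcp#7','UNKNOWN-PC','203.0.113.7'
)

function Get-RdpSessionTimeline {
    # Pair 4778 (reconnect) with the 4779 (disconnect) that shares LogonID and SessionName.
    param([Parameter(Mandatory)][object[]]$Records)
    $open     = @{}
    $timeline = New-Object System.Collections.Generic.List[object]
    foreach ($r in ($Records | Sort-Object TimeCreated)) {
        $p   = $r.Properties
        $key = '{0}|{1}' -f $p[2].Value, $p[3].Value      # LogonID|SessionName
        $info = [ordered]@{
            User         = '{0}\{1}' -f $p[1].Value, $p[0].Value
            Session      = $p[3].Value
            ClientName   = $p[4].Value
            ClientAddr   = $p[5].Value
            Connected    = $r.TimeCreated
            Disconnected = $null
            DurationMin  = $null
        }
        switch ($r.Id) {
            4778 { $open[$key] = $info }
            4779 {
                if ($open.ContainsKey($key)) {
                    $s = $open[$key]
                    $s.Disconnected = $r.TimeCreated
                    $s.DurationMin  = [math]::Round(($r.TimeCreated - $s.Connected).TotalMinutes, 1)
                    $timeline.Add([pscustomobject]$s)
                    $open.Remove($key)
                } else {
                    # Disconnect with no reconnect in range: the session predates the data.
                    $info.Connected    = $null
                    $info.Disconnected = $r.TimeCreated
                    $timeline.Add([pscustomobject]$info)
                }
            }
        }
    }
    # Sessions still connected at the end of the data.
    foreach ($s in $open.Values) { $timeline.Add([pscustomobject]$s) }
    $timeline | Sort-Object Connected
}

Get-RdpSessionTimeline -Records $sample | Format-Table -AutoSize

# Live use (elevated prompt): the same pairing over real Security log records.
# Get-RdpSessionTimeline -Records (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4778, 4779 } -MaxEvents 1000)
```

On the constructed input the timeline shows one 45-minute session from LAPTOP-A and a second session from UNKNOWN-PC at 203.0.113.7 that is still open. Keying on Logon ID plus session name rather than on user name is what keeps concurrent sessions for the same account from being merged, and a reconnect whose client name or address does not match the account's usual workstation is the row a reviewer will want to look at first.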
Event Log Security Audit Failure
Checking my event log, I see numerous notifications similar to the one below. When I click on Event Log Online Help I get sent to a Page Not Found or to http://www.microsoft.com/en-ca/default.aspx, or in other words NO HELP. Could someone point me in the right direction?
So far all I’ve done is an SFC /SCANNOW, which came up clean. I also did DISM /Online /Cleanup-Image /CheckHealth.
```text
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/23/13 9:24:02 PM
Event ID: 5061
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Michael-HP
Description:
Cryptographic operation.
Subject:
  Security ID: MICHAEL-HP\Michael
  Account Name: Michael
  Account Domain: MICHAEL-HP
  Logon ID: 0x43A64
Cryptographic Parameters:
  Provider Name: Microsoft Software Key Storage Provider
  Algorithm Name: UNKNOWN
  Key Name: CD1CC265-0DA0-4230-8419-CB6F808FE688
  Key Type: User key.
Cryptographic Operation:
  Operation: Open Key.
  Return Code: 0x80090016
Event Xml:
5061
0
0
12290
0
0x8010000000000000
322297
Security
Michael-HP
S-1-5-21-3164826230-1428056461-4056275214-1001
Michael
MICHAEL-HP
0x43a64
Microsoft Software Key Storage Provider
UNKNOWN
CD1CC265-0DA0-4230-8419-CB6F808FE688
%%2500
%%2480
0x80090016
```