Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 20158 Source: RemoteAccess

Source
Level
Description
The user <username> successfully established a connection to <destination or %number> using the device <port, %number_dev or devicename>.
Comments
 
A new Point-to-Point Protocol (PPP) connection to this server was established. See MSW2KDB for more details.
The event is logged when a successful RAS connection has been made. Event ID 20159 occurs when we disconnect. 20159 may be logged whenever a RAS connection is broken even by the user not just an error.
<username> is the name of the user that logged on, connected to the remote network. This is not necessarily the same user as the one logged on to the local workstation.
<destination> is the name of the destination, not necessarily the same as the name of the connection.
<%number> On Windows 2000 I noticed that the connection is identified with a percent sign and a number.
<port> com1, COM2 or the like
<%number_dev> same as <%number> but now to identify the device.
<devicename> name of the device.

When you use any type of external connection, like dial up networking, vpn or direct cable connection, this message shows up when the connection was successful. So far I have only seen it on Windows 2000 and XP.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...