Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 540 Source: Security

Successful Network Logon:
    User Name: <user name>
    Domain: <domain name>
    Logon ID: <logon id>
    Logon Type: <logon type>
    Logon Process: <logon process>
    Authentication Package: <authentication package>
    Workstation Name: <computer name>


Successful Network Logon:
    User Name: <user name>
    Domain: <domain name>
    Logon ID: (0x0,0x43F6E)
    Logon Type: 3
    Logon Process: <logon process>
    Authentication Package: <authentication package>

    Workstation Name:
        Logon GUID: {107e155b-e3f6-0532-996a-c0e40ed3e5f5}
        Caller User Name: -
        Caller Domain: -
        Caller Logon ID: -
        Caller Process ID: -
        Transited Services: -
        Source Network Address: <workstation ip address>
        Source Port: <port number>
This event indicates that a remote user has successfully connected from the network to a local resource on the server, generating a token for the network user. For example, mapping a drive to a network share or logging with an account whose profile has a drive mapping would generate this auditing message.

See the links to Windows Logon Types, Windows Authentication Packages and Windows Logon Processes for information about these fields. Understanding how the logon took place (through what channels) is quite important in understanding this event.

This event may also be reported for builtin accounts. Whenever a user logs in the associated builtin accounts are also logged in. The HelpAssistant account in Windows XP is one such account. Even if the Remote Assistance Service is disabled, the account will still login. This is not a potential security violation as the HelpAssistant account itself is disabled. See ME300692.
This event informs you that a logon session was created for the user. For information on the details accompanying the event (logon ID, logon GUID, etc.) see MSW2KDB.

See ME287537, ME326985, for additional information on this event.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.