Windows Security Log Event ID 540

540: Successful Network Logon

On this page

• Description of this event
• Field level details
• Examples
• Discuss this event

Event 540 gets logged when a user elsewhere on the network connects to a resource (e.g. shared folder) provided by the Server service on this computer. The Logon Type will always be 3 or 8, both of which indicate a network logon.

Logon type 3 is what you normally see.  Logon Type 8 means network logon with clear text authentication.  The only scenario where we've observed logon type 8 is with logons to IIS web-sites via Basic Authentication.  Don't immediately sound the alarms if you see logon type 8 since most Basic Authentication is wrapped up inside an SSL session via https.

For all other logon types see event 528.

Event 540 gets logged whether the account used for logon is a local SAM account or a domain account. For all other types of logons this event is logged including

For an explanation of logon processes see event 515. For an explanation of authentication package see event 514.

Logon GUID is not documented. It is not clear what the caller user, caller process ID, transited services are about.

Source Network Address corresponds to the IP address of the Workstation Name. Source Port is the TCP port of the workstation and has dubious value.

Free Security Log Quick Reference Chart

Description Fields in 540 User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 The following field is not logged in Window 2000: Logon GUID The following fields are not logged in Windows 2000 or XP: Caller User Name: Caller Domain: Caller Logon ID: Caller Process ID: Transited Services: Source Network Address: Source Port: Top 10 Events to Monitor Examples of 540 Successful Network Logon User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Windows XP and Windows Server 2003 add: Logon GUID:{d39697e4-34a9-b3e0-f30a-d2ba517eb4a2} Windows Server 2003 adds these fields: Caller User Name:- Caller Domain:- Caller Logon ID:- Caller Process ID: - Transited Services: - Source Network Address:10.42.42.170 Source Port:3165 Keep me up-to-date on the Windows Security Log. Email*: *We will NOT share this

Training for the Windows Security Log Security Log Secrets In-Depth Training On-Site or On-Demand Security Log Resource Kit

Mini-Seminars Covering Event ID 540 Security Log Exposed: What is the Difference Between “Account Logon” and “Logon/Logoff” Events? 11 Ways to Detect System Intrusions with the Security Log

Discussions on Event ID 540 The computer name PCxxxx$ in 540 User field Layout of fields in 540 event ? Many 540/538 events during short period of time. Unexplained 540 events on W2K workstation in a domain Multiple event 540 and 538 entries