Windows Security Log Event ID 540
Operating Systems |
Windows Server 2000
Windows 2003 and XP
|
Category | Logon/Logoff |
Type
|
Success
|
Corresponding events
in Windows
2008 and Vista |
4624
|
540: Successful Network Logon
On this page
Event 540 gets logged when a user elsewhere on the network connects to a resource (e.g. shared folder) provided by the Server service on this computer. The Logon Type will always be 3 or 8, both of which indicate a network logon.
Logon type 3 is what you normally see. Logon Type 8 means network logon with clear text authentication. The only scenario where we've observed logon type 8 is with logons to IIS web-sites via Basic Authentication. Don't immediately sound the alarms if you see logon type 8 since most Basic Authentication is wrapped up inside an SSL session via https.
For all other logon types see event 528.
Event 540 gets logged whether the account used for logon is a local SAM account or a domain account. For all other types of logons this event is logged including
For an explanation of logon processes see event 515. For an explanation of authentication package see event 514.
Logon GUID is not documented. It is not clear what the caller user, caller process ID, transited services are about.
Source Network Address corresponds to the IP address of the Workstation Name. Source Port is the TCP port of the workstation and has dubious value.
Free Security Log Resources by Randy
- User Name: %1
- Domain: %2
- Logon ID: %3
- Logon Type: %4
- Logon Process: %5
- Authentication Package: %6
- Workstation Name: %7
The following field is not logged in Window 2000:
The following fields are not logged in Windows 2000 or XP:
- Caller User Name:
- Caller Domain:
- Caller Logon ID:
- Caller Process ID:
- Transited Services:
- Source Network Address:
- Source Port:
Supercharger Free Edition
Your entire Windows Event Collection environment on a single pane of glass.
Free.
Successful Network Logon
User Name: %1
Domain: %2
Logon ID: %3
Logon Type: %4
Logon Process: %5
Authentication Package: %6
Workstation Name: %7
Windows XP and Windows Server 2003 add:
Logon GUID:{d39697e4-34a9-b3e0-f30a-d2ba517eb4a2}
Windows Server 2003 adds these fields:
Caller User Name:-
Caller Domain:-
Caller Logon ID:-
Caller Process ID: -
Transited Services: -
Source Network Address:10.42.42.170
Source Port:3165
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection