Winserver 2008 how to set the system log to a single output

Time:10-09

I ran into a problem when collecting logs with nxlog: a single log entry is split into nearly 50 lines of data.
For example:

2017-01-12 15:00:16 WIN-72pxdwr1dv4 AUDIT_SUCCESS 4624 An account was successfully logged on.

Subject:
  Security ID: S-1-5-18
  Account name: WIN-72pxdwr1dv4$
  Account domain: WORKGROUP
  Logon ID: 0x3e7

Logon type: 5

New logon:
  Security ID: S-1-5-18
  Account name: SYSTEM
  Account domain: NT AUTHORITY
  Logon ID: 0x3e7
  Logon GUID: {00000000-0000-0000-0000-000000000000}

Process information:
  Process ID: 0x254
  Process name: C:\Windows\System32\services.exe

Network information:
  Workstation name:
  Source network address: -
  Source port: -

Detailed authentication information:
  Logon process: Advapi
  Authentication package: Negotiate
  Transited services: -
  Package name (NTLM only): -
  Key length: 0

This event is generated when a logon session is created on the accessed computer.

The "Subject" field indicates the account on the local system that requested the logon; this is usually a service (such as the Server service) or a local process (such as Winlogon.exe or Services.exe).

The "Logon type" field indicates the kind of logon that occurred; the most common types are 2 (interactive) and 3 (network).

The "New logon" field indicates the account for which the new logon was created, i.e. the account that logged on.

The "Network" field indicates where the remote logon request originated; the "Workstation name" is not always available and may be left blank in some cases.

The "Authentication information" field provides detailed information about this particular logon request:
- "Logon GUID" is a unique identifier that can be used to correlate this event with a KDC event.
- "Transited services" indicates which intermediate services participated in this logon request.
- "Package name" indicates which sub-protocol was used among the NTLM protocols.
- "Key length" indicates the length of the generated session key; it is 0 if no session key was requested.

How can I set it up so that each event is output as a single line?
Like:
 
<14> Jan 5 14:28:43 user-PC MSWinEventLog 1 Security 214 Thu Jan 05 14:28:43 2017 4624 Microsoft-Windows-Security-Auditing N/A N/A Success Audit user-PC 登录 已成功登录帐户, 主题: 安全 ID: S-1-0-0 帐户名: - 帐户域: - 登录 ID: 0x0 登录类型: 3 新登录: 安全 ID: S-1-5-21-2050136383-2252517615-443610419-1043 帐户名: aaa 帐户域: user-PC 登录 ID: 0x1755fca 登录 GUID: {00000000-0000-0000-0000-000000000000} 进程信息: 进程 ID: 0x0 进程名: - 网络信息: 工作站名: DESKTOP-3OKFJ12 源网络地址: - 源端口: - 详细身份验证信息: 登录进程: NtLmSsp 身份验证数据包: NTLM 传递服务: - 数据包名(仅限 NTLM): NTLM V2 密钥长度: 128 在创建登录会话后在被访问的计算机上生成此事件, "主题"字段指明本地系统上请求登录的帐户,这通常是一个服务(例如 Server 服务)或本地进程(例如 Winlogon.exe 或 Services.exe), "登录类型"字段指明发生的登录种类,最常见的类型是 2 (交互式)和 3 (网络), "新登录"字段会指明新登录是为哪个帐户创建的,即登录的帐户, "网络"字段指明远程登录请求来自哪里,"工作站名"并非总是可用,而且在某些情况下可能会留为空白, "身份验证信息"字段提供关于此特定登录请求的详细信息, -"登录 GUID"是可以用于将此事件与一个 KDC 事件关联起来的唯一标识符, -"传递服务"指明哪些直接服务参与了此登录请求, - "数据包名"指明在 NTLM 协议之间使用了哪些子协议, -"密钥长度"指明生成的会话密钥的长度,如果没有请求会话密钥则此字段为 0
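The desired output above is the Snare-style syslog line that nxlog's xm_syslog extension produces with to_syslog_snare(). The multi-line breakup comes from the rendered event message itself, which Windows writes with CRLF line breaks and tab indentation; collapsing those to spaces before the message is forwarded yields one line per event. The following nxlog.conf is an added example and not part of the original post or of any nxlog documentation; the collector address 192.0.2.10, the UDP port 514, the instance names and the restriction to event ID 4624 in the query are assumptions chosen for illustration.

```nxlog
# Added example nxlog.conf for Windows Server 2008 (assumed: nxlog CE on the server,
# a syslog collector listening at 192.0.2.10:514/udp).

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    # Only Security/4624 is selected here for illustration; use "*" to forward every
    # Security event. Path/ID filtering is done by the Windows event subscription.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4624)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # The rendered $Message carries CRLF line breaks and tab indentation.
    # Replace all of them with single spaces so the event becomes one line;
    # tabs must go too, because the Snare format uses tab as its field delimiter.
    <Exec>
        $Message = replace($Message, "\r\n", " ");
        $Message = replace($Message, "\n", " ");
        $Message = replace($Message, "\t", " ");
    </Exec>
</Input>

<Output collector>
    Module      om_udp
    Host        192.0.2.10
    Port        514
    # Produces the "<PRI>date host MSWinEventLog 1 Security ... 4624 ..." line
    # shown in the question, one event per datagram.
    Exec        to_syslog_snare();
</Output>

<Route security_to_collector>
    Path        eventlog => collector
</Route>
```

Two points worth checking after restarting the nxlog service: first, om_udp offers no delivery guarantee, so a collector that must not miss logon events should use om_tcp or om_ssl on the same layout; second, once each 4624 is a single line, the logon type, account and source address fields (登录类型, 帐户名, 源网络地址 in the sample, or their English equivalents on an English system) sit at predictable positions in the message, which is what makes downstream parsing and alerting on, for example, type 3 and type 10 logons straightforward.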