529SecurityLogon/LogoffLogon Failure:
Reason: Unknown user name or bad password
User Name: FIRST LAST
Domain: USER-PC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: USER-PC
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 0.0.0.0
Source Port: 0
Event 529 is logged on Windows Server 2003 (and earlier) hosts when a user attempts to login with an invalid username and/or password. The event is logged on the host where the attempted logon attempt took place.
"Logon Type" depicts the type of logon which occurred:
2: Interactive (physical logon)
3: Network
4: Batch (scheduled task executed under this user)
5: Service (service runs under this user)
7: Unlock (workstation/server was unlocked)
8: NetworkClearText (usually used with IIS)
9: NewCredentials (allows cloning of token)
10: RemoteInteractive (RDP, terminal services, remote assistance logons)
11: CachedInteractive (logons when domain is unavailable, e.g. from laptops)
12: CachedRemoteInteractive
13: CachedUnlock
The "Source Network Address" shows the IP address from which the logon originated, usually 127.0.0.1 when the logon was a logon type 2. For remote desktop sessions, this will show the IP address of the remote host from which the RDP connection is coming.