4624SecurityLogon/LogoffAn account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WORKSTATION123$
Account Domain: CORPDOMAIN
Logon ID: 0x3e7
Logon Type: 7
New Logon:
Security ID: CORPDOMAIN\john.doe
Account Name: john.doe
Account Domain: CORPDOMAIN
Logon ID: 0xf3e668
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x314
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: WORKSTATION123
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is logged on Vista and later machines when a user successfully logs on to Windows. The event is logged on the machine which is being accessed.
The logon type indicates how the user logged on:
2: Interactive (physical logon)
3: Network
4: Batch (scheduled task executed under this user)
5: Service (service runs under this user)
7: Unlock (workstation/server was unlocked)
8: NetworkClearText (usually used with IIS)
9: NewCredentials (allows cloning of token)
10: RemoteInteractive (RDP, terminal services, remote assistance logons)
11: CachedInteractive (logons when domain is unavailable, e.g. from laptops)
12: CachedRemoteInteractive
13: CachedUnlock
The "Source Network Address" shows the IP address from which the logon originated, usually 127.0.0.1 when the logon was a logon type 2. For remote desktop sessions, this will show the IP address of the remote host from which the RDP connection is coming.