Monday, August 17, 2009

Logon Event 528 Log:

This article explains how to find user logon details using the standard Windows event log and how to interpret the entries. On the server side it is always wise to have user logon and logoff auditing enabled. If you look for event ID 528 under the Security log, you will find the successful logon entries. A typical 528 entry contains the following information:

  • user name
  • domain
  • logon id
  • logon type
  • logon process
  • authentication package
  • workstation name


In particular, the logon type is the field that needs attention. The values and their meanings are:

  • 2 (Interactive): User logged on to the computer's console.
  • 3 (Network): User logged on to the computer over the network (e.g., through a drive mapping). Note: On Win2K and later systems, event ID 528 doesn't log this logon type; for network logons, Win2K and later OS versions log event ID 540 with logon type 3.
  • 4 (Batch): Batch logon (commonly logged when a COM+ server component starts up).
  • 5 (Service): Service logon (required by user accounts configured as account for services).
  • 7 (Unlock): Workstation unlocked.
  • 8 (NetworkCleartext): Network logon, but with a clear-text password. By default, Windows doesn't allow clear-text password logons unless you explicitly enable them. (However, all versions of Microsoft IIS use clear-text passwords for Basic authentication.)
  • 9 (NewCredentials): User used alternative credentials to connect to a resource on the network or used the RunAs command to start programs under a different user account.
  • 10 (RemoteInteractive): User logged on to the computer remotely using Terminal Services or Remote Desktop.
  • 11 (CachedInteractive): Domain user logged on with cached credentials. Usually logged when a traveling user logs on to a notebook with his or her domain account but no domain controller (DC) is available. Note that event ID 537, not event ID 528, logs this event.

Using the above, we can find the exact mode of logon and also the user details.
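As an added example (not part of the original post), the following Python script pulls the fields listed above out of a 528 message and decodes the logon type with the table given here. The sample message is constructed in the Windows 2000/2003 Security log layout; the user, domain, logon ID and workstation values are invented.

```python
import re

# Logon-type table from the article: code -> (name, short description).
LOGON_TYPES = {
    2: ("Interactive", "logon at the computer's console"),
    3: ("Network", "network logon; Win2K+ records these as event 540"),
    4: ("Batch", "batch logon, e.g. a COM+ server component starting"),
    5: ("Service", "service account logon"),
    7: ("Unlock", "workstation unlocked"),
    8: ("NetworkCleartext", "network logon with a clear-text password"),
    9: ("NewCredentials", "RunAs or alternate credentials for a network resource"),
    10: ("RemoteInteractive", "Terminal Services / Remote Desktop logon"),
    11: ("CachedInteractive", "cached domain credentials; recorded as event 537"),
}

# The fields the article lists for a 528 entry, as labelled in the message text.
FIELDS = ["User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name"]


def parse_528(message):
    """Pull the labelled fields out of one 528 message; Logon Type becomes an int."""
    entry = {}
    for field in FIELDS:
        m = re.search(r"^\s*" + re.escape(field) + r":\s*(.*?)\s*$", message, re.M)
        if m:
            entry[field] = m.group(1)
    if "Logon Type" in entry:
        entry["Logon Type"] = int(entry["Logon Type"])
    return entry


def describe(entry):
    """One-line reading of the entry using the logon-type table above."""
    code = entry.get("Logon Type")
    name, desc = LOGON_TYPES.get(code, ("Unknown", "code not in the table"))
    return "%s\\%s on %s via %s/%s: type %s %s (%s)" % (
        entry.get("Domain"), entry.get("User Name"), entry.get("Workstation Name"),
        entry.get("Logon Process"), entry.get("Authentication Package"), code, name, desc)


# Constructed sample 528 message (not a real log) in the Windows 2000/2003 layout.
SAMPLE_528 = """Successful Logon:
 \tUser Name:\tjdoe
 \tDomain:\t\tCORP
 \tLogon ID:\t\t(0x0,0x3E7A1)
 \tLogon Type:\t10
 \tLogon Process:\tUser32
 \tAuthentication Package:\tNegotiate
 \tWorkstation Name:\tWS01
"""

if __name__ == "__main__":
    print(describe(parse_528(SAMPLE_528)))
```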

Hope the above is useful.

Thanks

Logan

Logu_microsoft@hotmail.com | 971552596187
