With the prevalence of brute-force logon attempts, it is not uncommon to see EventID 529 appear often in the security logs. When a failed logon attempt is made on the network, the security log records the Logon Type among other information. I use this resource quite often to work out what the codes actually mean: http://www.windowsecurity.com/articles/Logon-Types.html
The above resource lists the various logon codes with explanations of what they are.
The most common codes I have seen are:
- Logon Type 2 – Interactive – when someone attempts to log on at the server console.
- Logon Type 3 – Network – when failed attempts are made inside the network to shared resources on the server. These errors coupled with IIS attempts could also mean attempts are being made on the SMTP service or HTTPS service. Unfortunately, no IP data is logged on these types of attempts. This has to be manually found from the SMTP or Web logs.
- Logon Type 10 – RemoteInteractive – Attempted logins to Remote Desktop or Terminal Services. This is often accompanied by useful IP information, which can be used to isolate the offending attacker.
The other codes are described in the article.
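As an added example (not part of the original post), the following script tallies failed-logon descriptions by logon type and source address, and lists the ones that carry no address and so need to be matched against the SMTP or web logs. The field labels ("User Name", "Logon Type", "Source Network Address") are assumed from the Windows Server 2003 event 529 description layout, and the sample events are constructed.

```python
import re
from collections import Counter

# Names for the three logon types discussed above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

def _event(user, logon_type, source):
    """Build a constructed event 529 description (field layout is an assumption)."""
    return ("Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
            "\tUser Name:\t%s\n\tDomain:\t\tSRV01\n\tLogon Type:\t%s\n"
            "\tSource Network Address:\t%s\n\tSource Port:\t0\n"
            % (user, logon_type, source))

# Constructed sample data; addresses come from documentation ranges.
SAMPLE_EVENTS = [
    _event("administrator", 10, "203.0.113.7"),
    _event("administrator", 10, "203.0.113.7"),
    _event("admin", 10, "198.51.100.23"),
    _event("info", 3, "-"),
    _event("backup", 2, "-"),
]

# One "Label: value" pair per line; the label ends at the first colon.
FIELD = re.compile(r"^\s*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_event(text):
    """Extract user, logon type and source address from one description."""
    fields = {k.strip(): v.strip() for k, v in FIELD.findall(text)}
    if not fields.get("Logon Type", "").isdigit():
        return None  # not a logon-failure description we understand
    source = fields.get("Source Network Address", "-")
    return {"user": fields.get("User Name", ""),
            "type": int(fields["Logon Type"]),
            "source": None if source in ("", "-") else source}

def summarize(events):
    """Count failures per (logon type, source); list those lacking an address."""
    by_source, needs_lookup = Counter(), []
    for ev in filter(None, map(parse_event, events)):
        name = LOGON_TYPES.get(ev["type"], "Type %d" % ev["type"])
        if ev["source"]:
            by_source[(name, ev["source"])] += 1
        else:
            needs_lookup.append((name, ev["user"]))
    return by_source, needs_lookup

if __name__ == "__main__":
    counts, lookup = summarize(SAMPLE_EVENTS)
    for (name, src), n in counts.most_common():
        print("%-18s %-15s %d" % (name, src, n))
    for name, user in lookup:
        print("%-18s no source address in event for '%s'" % (name, user))
```
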
One thought on “Logon Type Codes in the Security Logs”
A nice tool for finding is from the Account Lockout and Management Tools.