Network Event Viewer
Failed Logon Reports

As you are probably already aware, Windows writes many different event log entries related to logon failures. Some of these events are specific to OS versions while others span multiple versions. Logon events embed important information within the message portion of the entry that enables system administrators to track down malicious activity.

Network Event Viewer parses these messages and places the results into data tables. The result enables Network Event Viewer to:

  • Create summary reports that list the number of times users attempt to log on to a domain or a computer.
  • Summarize different event ID messages into a single view.
  • Detail all similar events in a single table.

Failed Logon Report Types

  • Account logon failure summary: Parses and summarizes account logon events 672, 675 and 680.
  • Account logon failure (672): Parses and displays all 672 event message parameters. The 'Result Code' is replaced with the Kerberos description per RFC 1510.
  • Account logon failure (675): Parses and displays all 675 event message parameters. The 'Result Code' is replaced with the Kerberos description per RFC 1510.
  • Account logon failure (680): Parses and displays all 680 event message parameters. The NTLM 'Error Code' is replaced with a short description.
  • Logon failure summary: Parses and summarizes logon events 529, 530, 531, 532, 533, 534, 535, 539 and 4625.
  • Logon failure (2000/XP/2003): Parses and displays all 529, 530, 531, 532, 533, 534, 535 and 539 event message parameters. The 'Logon Type' is replaced with a short description.
  • Logon failure (Vista/2008): Parses and displays all 4625 event message parameters. The 'Logon Type' is replaced with a short description. The NTLM 'Sub Status' is replaced with a short description.
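
The following is an added example, not Network Event Viewer's own code, showing the kind of parsing the Logon failure (Vista/2008) and summary reports describe: a 4625 message is split into fields, 'Logon Type' and 'Sub Status' are replaced with short descriptions, and failures are counted per account. The function names are hypothetical and the sample messages are constructed, using an abridged 4625 message layout.

```python
from collections import Counter

# Short descriptions substituted for the numeric 'Logon Type' field.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Short descriptions substituted for common NTLM 'Sub Status' codes.
SUB_STATUS = {0xC0000064: "User name does not exist", 0xC000006A: "Wrong password",
              0xC0000072: "Account disabled", 0xC0000234: "Account locked out"}
FAILED = "Account For Which Logon Failed"

# Constructed sample message (abridged 4625 layout, an assumption); not real log data.
SAMPLE = """An account failed to log on.
Subject:
\tAccount Name:\t\t-
Logon Type:\t\t\t{ltype}
Account For Which Logon Failed:
\tAccount Name:\t\t{user}
\tAccount Domain:\t\tCORP
Failure Information:
\tSub Status:\t\t{sub}
"""
MESSAGES = [SAMPLE.format(ltype=lt, user=u, sub=s) for lt, u, s in
            [(3, "jdoe", "0xC000006A"), (10, "JDoe", "0xC0000234"), (3, "svc_backup", "0xC0000064")]]

def parse_4625(message):
    """Split one message into {(section, field): value}; 'Account Name' occurs twice."""
    fields, section = {}, ""
    for line in message.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # free text or blank line
        indented, value = line[0].isspace(), value.strip()
        if not indented and not value:
            section = name.strip()        # section header such as "Subject:"
        elif value:
            fields[(section if indented else "", name.strip())] = value
    return fields

def to_row(message):
    """One table row with the numeric codes replaced by short descriptions."""
    f = parse_4625(message)
    ltype, sub = int(f[("", "Logon Type")]), int(f[("Failure Information", "Sub Status")], 16)
    return {"user": f[(FAILED, "Account Domain")] + "\\" + f[(FAILED, "Account Name")],
            "logon_type": LOGON_TYPES.get(ltype, f"Type {ltype}"),
            "sub_status": SUB_STATUS.get(sub, hex(sub))}

def summarize(messages):
    """Failed-logon count per account, case-insensitive as Windows account names are."""
    return Counter(to_row(m)["user"].lower() for m in messages)
```

Keying fields by section matters because the 'Subject' block carries its own 'Account Name', which would otherwise overwrite or be mistaken for the account that failed to log on.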

Failed Logon Report Screen Shots