
Windows Event ID 4624 - Successful Logon

Records successful authentication events on Windows systems, including the logon type, authentication package, source IP address and whether an elevated token was granted. Essential for tracking user access, detecting lateral movement and identifying anomalous authentication patterns.

Quick Facts

Default Path (Linux): N/A (Windows Event Forwarding to SIEM)
Default Format: Windows Event Log (EVTX)
JSON Native: No
Rotation: Windows Event Log settings (default 20MB)

Log Example

Default format: Windows Event Log Format

Example Log Entry
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/3/2026 10:15:32 AM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DC01.corp.local
Description:
An account was successfully logged on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       DC01$
    Account Domain:     CORP
    Logon ID:           0x3E7

Logon Information:
    Logon Type:         3
    Restricted Admin Mode: -
    Virtual Account:    No
    Elevated Token:     Yes

Impersonation Level:    Impersonation

New Logon:
    Security ID:        S-1-5-21-1234567890-1234567890-1234567890-1001
    Account Name:       jsmith
    Account Domain:     CORP
    Logon ID:           0x12345678
    Linked Logon ID:    0x0
    Network Account Name: -
    Network Account Domain: -
    Logon GUID:         {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:         0x0
    Process Name:       -

Network Information:
    Workstation Name:   CLIENT01
    Source Network Address: 192.168.1.100
    Source Port:        49152

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): NTLM V2
    Key Length:         128

Structure:

XML-based binary format with structured EventData fields

Paths by Platform

Available Formats

Windows Event Log Format

Default


XML Format

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-01-03T10:15:32.123456789Z"/>
    <EventRecordID>123456</EventRecordID>
    <Computer>DC01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-1234567890-1234567890-1234567890-1001</Data>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetLogonId">0x12345678</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">CLIENT01</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">NTLM V2</Data>
    <Data Name="KeyLength">128</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.1.100</Data>
    <Data Name="IpPort">49152</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
    <Data Name="ElevatedToken">%%1842</Data>
    <Data Name="VirtualAccount">%%1843</Data>
  </EventData>
</Event>

Structure:

Native XML representation of the event

JSON (Winlogbeat/NXLog)

Example:

{
  "event_id": 4624,
  "log_name": "Security",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "computer_name": "DC01.corp.local",
  "time_created": "2026-01-03T10:15:32.123Z",
  "keywords": ["Audit Success"],
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "DC01$",
    "SubjectDomainName": "CORP",
    "TargetUserSid": "S-1-5-21-1234567890-1234567890-1234567890-1001",
    "TargetUserName": "jsmith",
    "TargetDomainName": "CORP",
    "TargetLogonId": "0x12345678",
    "LogonType": "3",
    "LogonProcessName": "NtLmSsp",
    "AuthenticationPackageName": "NTLM",
    "WorkstationName": "CLIENT01",
    "IpAddress": "192.168.1.100",
    "IpPort": "49152",
    "LmPackageName": "NTLM V2",
    "KeyLength": "128",
    "ElevatedToken": "%%1842",
    "ImpersonationLevel": "%%1833"
  }
}

Structure:

Structured JSON from log forwarders

Fields Reference

Field | Type | Description | Example
EventID | integer | Event identifier (always 4624 for successful logon) | 4624
TimeCreated | datetime | Timestamp when the successful logon occurred | 2026-01-03T10:15:32.123Z
Computer | string | Computer name where the logon occurred | DC01.corp.local
SubjectUserSid | string | SID of the account that initiated the logon (machine account for network logons) | S-1-5-18
SubjectUserName | string | Account name that initiated the logon process | DC01$
SubjectDomainName | string | Domain of the subject account | CORP
SubjectLogonId | string | Logon ID of the subject session (for correlation) | 0x3E7
TargetUserSid | string | SID of the account that logged on | S-1-5-21-1234567890-1234567890-1234567890-1001
TargetUserName | string | Account name that logged on (the actual user identity) | jsmith
TargetDomainName | string | Domain of the account that logged on | CORP
TargetLogonId | string | Logon ID for the new session; use it to correlate with other events | 0x12345678
LogonType | integer | Type of logon that was performed | 3
LogonProcessName | string | Name of the trusted logon process | NtLmSsp
AuthenticationPackageName | string | Authentication package used for the logon | NTLM
WorkstationName | string | NetBIOS name of the source workstation | CLIENT01
LogonGuid | string | GUID for Kerberos logons; can be correlated with DC events | {F85484B2-7F9D-1234-ABCD-0123456789AB}
TransmittedServices | string | List of SPNs for S4U (Service for User) delegation | HTTP/webserver.corp.local
LmPackageName | string | NTLM version used (only for NTLM authentication) | NTLM V2
KeyLength | integer | Length of the session key in bits (0 for Kerberos) | 128
IpAddress | ip | Source IP address of the logon (for network logons) | 192.168.1.100
IpPort | integer | Source port of the logon connection | 49152
ImpersonationLevel | string | Impersonation level of the new logon session | %%1833
ElevatedToken | string | Whether the logon created an elevated token (admin privileges) | %%1842
VirtualAccount | string | Whether a virtual account was used (managed service accounts) | %%1843
RestrictedAdminMode | string | Whether Restricted Admin mode was used (RDP without credential caching) | -
ProcessId | string | Process ID that initiated the logon (hex) | 0x4
ProcessName | string | Full path of the process that initiated the logon | C:\Windows\System32\svchost.exe
LinkedLogonId | string | Logon ID of linked logon session (for UAC split token) | 0x12345670

Parsing Patterns

Grok Patterns

For XML-formatted events:

<Data Name="TargetUserName">%{DATA:target_username}</Data>.*<Data Name="TargetDomainName">%{DATA:target_domain}</Data>.*<Data Name="TargetLogonId">%{DATA:logon_id}</Data>.*<Data Name="LogonType">%{INT:logon_type}</Data>.*<Data Name="IpAddress">%{IP:src_ip}</Data>

Regular Expressions

For XML-formatted events:

TargetUserName">(?P<target_username>[^<]+)</Data>.*TargetDomainName">(?P<target_domain>[^<]+)</Data>.*TargetLogonId">(?P<logon_id>[^<]+)</Data>.*LogonType">(?P<logon_type>\d+)</Data>.*IpAddress">(?P<src_ip>[^<]+)</Data>

Both the Grok pattern and the regular expression assume that each event is on a single line and that the Data elements appear in the order shown; the greedy `.*` between fields will misalign captures if that order differs or if several events share a line.

Collector Configurations

Splunk (searches and props.conf)

# Splunk search for Event ID 4624
index=wineventlog EventCode=4624
| stats count by TargetUserName, IpAddress, LogonType, AuthenticationPackageName
| sort -count

# Exclude noisy machine account logons
index=wineventlog EventCode=4624 NOT TargetUserName="*$"
| stats count by TargetUserName, Computer, LogonType

# RDP logons (LogonType 10)
index=wineventlog EventCode=4624 LogonType=10
| table _time, Computer, TargetUserName, IpAddress, AuthenticationPackageName

# Detect pass-the-hash (NTLM network logon without prior interactive)
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName=NTLM
| search NOT [search index=wineventlog EventCode=4624 LogonType=2 | dedup TargetUserName | fields TargetUserName]
| stats count by TargetUserName, IpAddress, Computer

# Logons with elevated tokens (admin sessions)
index=wineventlog EventCode=4624 ElevatedToken="%%1842"
| stats count by TargetUserName, Computer, LogonType

# Track lateral movement (network logons from internal IPs)
index=wineventlog EventCode=4624 LogonType=3
| where cidrmatch("10.0.0.0/8", IpAddress) OR cidrmatch("192.168.0.0/16", IpAddress)
| stats dc(Computer) as systems_accessed by TargetUserName, IpAddress
| where systems_accessed > 3

# props.conf for Windows Security Events
[WinEventLog:Security]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIME_PREFIX = TimeCreated SystemTime='
SHOULD_LINEMERGE = false
KV_MODE = xml
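The XML format and field reference above, together with the lateral-movement search in the Splunk block, as an added Python example that is not part of the original page: it flattens a 4624 event from its XML form, renders the %%nnnn message references as the Event Viewer text shown in the log example, and counts distinct computers per user and source IP for LogonType 3 logons. The make_event helper, the sample events and the SRV0n host names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# %%nnnn values are message-table references; the Event Viewer example above
# renders them as shown here (assumption: only these three are mapped).
RENDERED = {"%%1842": "Yes", "%%1843": "No", "%%1833": "Impersonation"}

# Constructed minimal event; real 4624 events carry many more children.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>{computer}</Computer>
    <TimeCreated SystemTime="2026-01-03T10:15:32.123456789Z"/></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data><Data Name="LogonType">{ltype}</Data>
    <Data Name="IpAddress">{ip}</Data><Data Name="ElevatedToken">%%1842</Data>
    <Data Name="ProcessName">-</Data>
  </EventData></Event>"""

def make_event(computer, user, ip, ltype=3):
    """Build one constructed sample event (hypothetical helper, not a real API)."""
    return TEMPLATE.format(computer=computer, user=user, ip=ip, ltype=ltype)

def parse_4624(xml_text):
    """Flatten one event into a dict: System fields plus every EventData/Data."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    ev = {"EventID": int(sysnode.findtext("e:EventID", namespaces=NS)),
          "Computer": sysnode.findtext("e:Computer", namespaces=NS),
          "TimeCreated": sysnode.find("e:TimeCreated", NS).get("SystemTime")}
    for d in root.iterfind("e:EventData/e:Data", NS):
        ev[d.get("Name")] = RENDERED.get(d.text, d.text)  # "-" stays "-"
    return ev

def lateral_movement(events, threshold=3):
    """{(user, src_ip): n_computers} for LogonType 3 logons reaching more than
    `threshold` distinct computers; machine accounts ($) are excluded."""
    seen = defaultdict(set)
    for ev in events:
        user = ev.get("TargetUserName", "")
        if ev["EventID"] != 4624 or ev.get("LogonType") != "3" or user.endswith("$"):
            continue
        seen[(user, ev.get("IpAddress"))].add(ev["Computer"])
    return {k: len(v) for k, v in seen.items() if len(v) > threshold}

# Constructed sample: jsmith fans out to four servers over network (type 3)
# logons, a machine account touches five, bjones makes one RDP (type 10) logon.
SAMPLE = [parse_4624(make_event(f"SRV0{i}", "jsmith", "192.168.1.100")) for i in range(1, 5)]
SAMPLE += [parse_4624(make_event(f"SRV0{i}", "CLIENT01$", "192.168.1.100")) for i in range(1, 6)]
SAMPLE.append(parse_4624(make_event("SRV01", "bjones", "10.0.0.5", ltype=10)))
```

Calling lateral_movement(SAMPLE) flags only jsmith from 192.168.1.100 with four systems; the machine account is excluded and the single RDP logon never reaches the threshold.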

Configuration

Enable Logging

Enable auditing for successful logon events via Group Policy or auditpol.

# Enable via auditpol (run as Administrator)
auditpol /set /subcategory:"Logon" /success:enable

# Verify current settings
auditpol /get /subcategory:"Logon"

# Enable via Group Policy
# Computer Configuration > Windows Settings > Security Settings >
# Advanced Audit Policy Configuration > Logon/Logoff > Audit Logon
# Enable "Success"

# Note: Enabling success auditing can generate high volume of events
# Consider filtering at collection time for high-traffic systems

# Enable related subcategories for complete visibility
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable
auditpol /set /subcategory:"Network Policy Server" /success:enable

Success logon auditing generates a high volume of events; filter machine accounts and service logons at collection time.

Log To Syslog

Forward events to a SIEM using Windows Event Forwarding or collection agents.

# Windows Event Forwarding (WEF) subscription for 4624 events
# Filtering to reduce volume - only collect network and RDP logons

<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Successful-Logons-4624</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Collect network and RDP logon events (4624)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">
            *[System[(EventID=4624)]]
            and
            *[EventData[Data[@Name='LogonType']='3' or Data[@Name='LogonType']='10']]
          </Select>
          <Suppress Path="Security">
            *[EventData[Data[@Name='TargetUserName'] and (Data[@Name='TargetUserName']='SYSTEM' or Data[@Name='TargetUserName']='ANONYMOUS LOGON')]]
          </Suppress>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>

# Apply subscription
wecutil cs 4624-subscription.xml

Use Cases

User activity monitoring

Track when and where users log in across the environment.

Fields: TimeCreated, TargetUserName, Computer, IpAddress, LogonType
Query: EventID=4624 AND TargetUserName!='*$' | stats count by TargetUserName, Computer

RDP session tracking

Monitor Remote Desktop connections for capacity and security.

Fields: TargetUserName, Computer, IpAddress, LogonType
Query: EventID=4624 AND LogonType=10 | stats count by TargetUserName, Computer, IpAddress

Service account usage

Track service account logons to ensure proper usage.

Fields: TargetUserName, Computer, LogonType
Query: EventID=4624 AND LogonType IN (4, 5) | stats count by TargetUserName, Computer

Authentication method analysis

Understand which authentication protocols are in use.

Fields: AuthenticationPackageName, LmPackageName
Query: EventID=4624 | stats count by AuthenticationPackageName, LmPackageName

Troubleshooting

Tested On

Windows Server 2022: admin, 2026-01-03
Windows Server 2019: admin, 2026-01-03
Windows 11 23H2: admin, 2026-01-03
Windows 10 22H2: admin, 2026-01-03
Last updated: 2026-01-03 by admin
1 contributor
