Networks

Ok. 538 is the successful logoff message, and 540 is the successful logon message. You need to look at the Type of event these are. Here is Technet article 140714 which talks about this:

Here are the Event IDs and type designations for the most common log on and log off events:


Interactive logon Event ID 528 Type 2
Interactive logoff Event ID 538 Type 2
Network logon Event ID 528 Type 3
Net Use connection Event ID 528 Type 3 Network logoff Event ID 538 Type 3
Net use disconnection Event ID 538 Type 3
Autodisconnect Event ID 538 Type 3



When a user logs on or off the computer at the Windows NT console, the event is recorded in the Security Log. A successful log on event generates Event ID 528, Logon Type 2, and a User log off event generates Event ID 538, Logon Type 2, where Logon Type 2 indicates an interactive log on event. Double-click the event to bring up the Event Detail window, then check the Logon Type in the Description box.

The connection events are Logon Type 3, which indicates a network log on event. A successful Net Use or File Manager connection or a successful directed Net View to a Windows NT share generates Event ID 528, a successful log on event of Logon Type 3. An event is only generated by the initial connection from a particular user. Subsequent Net Views or Net Uses from the same user to the same computer do not generate any additional events unless the user has disconnected (or has been autodisconnected) from all shares.

This question was closed by the author