Common Security Log Event IDs in WS03
The following table lists some of the security log event IDs and their descriptions in Windows Server 2003. You must enable auditing to see these events in the Security log.
| Event ID | Event Description |
| 528 | Successful logon |
| 529 | Unsuccessful logon attempt |
| 530 | A logon attempt was made outside of allowed hours |
| 531 | A logon attempt was made by using a disabled account |
| 532 | A logon attempt was made with an expired account |
| 533 | The user is not allowed to log on at this computer |
| 534 | The user attempted to log on with a logon type that is not allowed, such as network, interactive, batch, service, or remote interactive |
| 535 | The password for the specified account has expired |
| 539 | An account has been locked out |
| 578 | Change in file ownership |
| 517 | Security log cleared |
| 513 | System is shut down |
| 612 | An audit policy was changed |
| 624 | User account created |
| 626 | User account enabled |
Source: Microsoft Corporation