What Is It?
This event is created when the Local Session Manager creates a new local session for an interactive login, whether that login is local (console) or remote (RDP).
- Event Log: Terminal Services – Local Session Manager (channel name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational)
- Event ID: 21
- Event Description: “Session logon succeeded”
The Local Session Manager is responsible for creating new local sessions, or finding existing ones, to support interactive logins. Note that a local session is not the same thing as a logon session: a local session (identified by its session ID) groups the logon sessions, desktop layout, processes, etc. associated with one interactive logon. Learn more about sessions here.
This event is in the Inbound Logon artifact family. It is related to both incoming Windows RDP connections and local interactive logins.
When Does It Get Created?
This event is created when a new local session needs to be created: after a user successfully authenticates for a local or remote interactive logon and does not already have a local session on the system. If the user instead reconnects to an existing (disconnected) session, the Local Session Manager records Event ID 25 (“Session reconnection succeeded”) rather than a new Event ID 21.
- After a user logs off (not just disconnects), the next login by that user creates this event.
- After a system restart, the first login by each user creates this event.
What Data Is Stored?
This event has three fields of interest (it also records the local session ID, which lets you tie it to the later disconnect and logoff events for the same session):
- Timestamp of when the successful login occurred
- User and domain name of the account that logged in
- Remote IP address for a remote interactive session, or the literal string “LOCAL” for a local interactive session
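The following PowerShell is an added example, not Cyber Triage code, showing how to pull these fields out of the Local Session Manager log, either from the live channel or from an exported .evtx. It assumes the provider-specific XML layout used by this log (a UserData/EventXML element with User, SessionID and Address children) and goes slightly beyond the page by also collecting Event ID 25 (session reconnection) so that reconnects to an existing session are not mistaken for new logons. The -EvtxPath parameter is a name chosen for this example.

```powershell
# Added example (not Cyber Triage code): list Local Session Manager logon and
# reconnect events with the fields a triage analyst wants.
# Assumption: the provider writes its payload as UserData/EventXML with
# User, SessionID and Address elements.
param(
    [string]$EvtxPath  # optional: exported .evtx for offline analysis; omit to read the live log
)

$log = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
# 21 = Session logon succeeded (new local session)
# 25 = Session reconnection succeeded (existing session re-attached)
$filter = @{ Id = 21, 25 }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = $log }

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = $x.Event.UserData.EventXML      # provider-specific payload
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated     # when the session was created or reconnected
            EventId     = $_.Id
            Kind        = if ($_.Id -eq 21) { 'logon' } else { 'reconnect' }
            User        = $d.User            # DOMAIN\user
            SessionId   = [int]$d.SessionID  # local session ID, shared with events 23/24/25
            Address     = $d.Address         # remote IP, or 'LOCAL' for a console login
            Remote      = ($d.Address -ne 'LOCAL')
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Reading the live Operational channel needs an elevated prompt; for an offline image, export the .evtx and pass it with -EvtxPath. The Remote column is what separates RDP logins from console logins, and the SessionId column is what you carry forward to find the matching disconnect (24) and logoff (23) events for that session.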
Relevance to DFIR?
This entry shows you when a user logged into the system. It carries the same core information as other logon events, such as Security log Event ID 4624 (“An account was successfully logged on”).
But those events live in different event log files that can roll over at different rates, so you may still find this event after the others have been overwritten or deleted.
Usage in Cyber Triage
Cyber Triage collects and parses the Local Session Manager event log. It uses this event to determine when a logon session started. You can see that in the Sources tab of a Cyber Triage Logon Session.