Are you referring to what events are logged on the workstation or at the VPN server or domain controller?
Are we talking about an interactive logon to console of the workstation, or once logged on to the desktop, a VPN connection back to the corporate network?
Does the VPN server integrate with AD or use its own credentials?
Was referring to the events that get logged on the domain controller when a user logs in remotely through the VPN client. The VPN server does integrate with AD so the user authenticates against AD.
Thanks
If Cisco VPN is using Kerberos to authenticate against AD you will see 672 - authentication ticket. If it is using NTLM you will see 680.
Whenever the Windows client applies group policy you will see a network logon (540 not 528) with logon type 3 in the description.
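The pattern described in the answer above can be checked against exported domain controller events. This is an added example, not part of the original thread: the CSV layout, the sample rows, and the function names are constructed for illustration and are not a real export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: simplified CSV of DC Security log events.
# The column layout is an assumption of this example.
SAMPLE = """time,event_id,user,logon_type
09:00:01,672,alice,
09:00:05,540,alice,3
09:01:30,540,alice,3
09:02:10,680,bob,
09:02:12,540,bob,3
09:05:00,528,carol,2
"""

# Event IDs from the answer: 672 = Kerberos authentication ticket, 680 = NTLM.
AUTH_EVENTS = {"672": "Kerberos", "680": "NTLM"}


def summarize(csv_text):
    """Per user: auth protocols seen, count of 540/type 3 logons, everything else."""
    out = defaultdict(lambda: {"auth": set(), "network_logons": 0, "other": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = out[row["user"]]
        eid = row["event_id"]
        if eid in AUTH_EVENTS:
            rec["auth"].add(AUTH_EVENTS[eid])
        elif eid == "540" and row["logon_type"] == "3":
            rec["network_logons"] += 1  # network logon, e.g. group policy applying
        else:
            rec["other"].append((eid, row["logon_type"]))  # e.g. 528 logons
    return dict(out)


def auth_plus_network_logon(summary):
    """Users with an AD auth event (672/680) and at least one 540 type 3.
    Other domain activity produces these events too, so a match is only
    a starting point for review, not proof of a VPN logon."""
    return {u: sorted(r["auth"]) for u, r in summary.items()
            if r["auth"] and r["network_logons"] > 0}


if __name__ == "__main__":
    for user, protocols in auth_plus_network_logon(summarize(SAMPLE)).items():
        print(user, protocols)
```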
Thank you for the information