Windows Security Log Event ID 4981

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory		Logon/Logoff
 • IPsec Main Mode
Type Success
Corresponding events
in Windows 2003
and before		  

4981: IPsec Main Mode and Extended Mode security associations were established

On this page

I haven't been able to produce this event. Have you? If so, please start a discussion (see above) and post a sample along with any comments you may have! Don't forget to sanitize any private information.

Free Security Log Resources by Randy

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 4981

IPsec Main Mode and Extended Mode security associations were established.

Local Endpoint:

Principal Name:  %1
Network Address: %9
Keying Module Port: %10

Local Certificate:

SHA Thumbprint: %2
Issuing CA:  %3
Root CA:  %4

Remote Endpoint:

Principal Name:  %5
Network Address: %11
Keying Module Port: %12

Remote Certificate:

SHA Thumbprint: %6
Issuing CA:  %7
Root CA:  %8

Cryptographic Information:

Cipher Algorithm: %13
Integrity Algorithm: %14
Diffie-Hellman Group: %15

Security Association Information:

Lifetime (minutes): %16
Quick Mode Limit: %17
Main Mode SA ID: %21

Additional Information:

Keying Module Name: AuthIP
Authentication Method: SSL
Role:   %18
Impersonation State: %19
Main Mode Filter ID: %20

Extended Mode Information:

Local Principal Name: %22
Remote Principal Name: %23
Authentication Method: %24
Impersonation State: %25
Quick Mode Filter ID: %26

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
Additional Resources

    Go To Event ID:

    Security Log
    Quick Reference
    Chart
    Download now!