Windows Server 2008 has introduced significant changes to the security event log events, compared to previous versions of Windows.

The first thing you will notice looking at the Event Viewer is that none of the event ID numbers are familiar. The security events were all renumbered as well as reorganized. If you have become familiar with the security event ID numbers in Windows, that knowledge has not become useless. In general, the event ID number of a security event in Windows Server 2008 is 4096 higher than the equivalent event in Windows Server 2003. For example, the logon success event, ID 528 in Windows Server 2003, has become event 4624 in Windows Server 2008 (528+4096=4624). Similarly, the system time change ...