| Security | 20271 | Info | User connected successfully to VPN |
| Security | 20275 | Info | User disconnected from VPN |
| Security | 20276 | High | VPN authentication failed |
| Security | 20277 | High | VPN connection attempt rejected |
| Security | 20278 | High | Connection failed due to invalid credentials |
| Security | 20279 | Medium | Connection failed due to network error |
| Security | 20283 | High | L2TP/IPSec negotiation failed |
| Security | 20286 | High | SSTP tunnel failed to establish |
| Security | 20291 | Medium | User authentication method changed |
| Security | 20292 | High | User account locked out |
| Security | 6272 | Info | NPS granted access (VPN via RADIUS) |
| Security | 6273 | High | NPS denied access (VPN via RADIUS) |
| RemoteAccess/Admin | 20255 | Info | VPN client assigned IP |
| RemoteAccess/Admin | 20268 | Medium | Connection failed (timeout) |
| RemoteAccess/Admin | 20271 | Info | Connection succeeded |
| RemoteAccess/Admin | 20276 | High | Authentication failed |
| System | 7031 | High | RRAS service terminated unexpectedly |
| Security | 4100–4104 | Critical | VPN configuration changed |
| RemoteAccess/Admin | 1000 | Info | Remote Access service started |
| RemoteAccess/Admin | 1001 | Warning | Remote Access service stopped |
| RemoteAccess/Admin | 1002 | High | Routing component failed to initialize |
| RemoteAccess/Admin | 20001 | Info | VPN server started successfully |
| RemoteAccess/Admin | 20002 | Warning | VPN server stopped |
| RemoteAccess/Admin | 20200 | High | Unable to allocate IP address to VPN client |
| RemoteAccess/Admin | 20223 | Medium | PPP connection failure |
| RemoteAccess/Admin | 20224 | High | Routing table update failed |
| System | 7031 | High | Remote Access service terminated unexpectedly |
| System | 20234 | Medium | Interface disconnected unexpectedly |
| Security | 4100 | High | VPN configuration modified |
| Security | 4101 | High | VPN authentication policy updated |
| Security | 4102 | Medium | Routing table or static route modified |
| Security | 4103 | Medium | IP address assignment pool changed |
| Security | 4104 | Critical | VPN certificate binding modified |
| Security | 4719 | Critical | System audit policy changed |
| Security | 4732 | High | User added to “Network Configuration Operators” group |
| Security | 4799 | Medium | Security group membership enumerated |
| Microsoft-Windows-RemoteAccess-Server | 1000 | Info | Remote Access service (RRAS) started successfully |
| Microsoft-Windows-RemoteAccess-Server | 1001 | High | Remote Access service stopped or crashed |
| System | 7024 | High | RRAS terminated unexpectedly |
| Microsoft-Windows-RemoteAccess-Server | 1005 | Info | Configuration store updated |
| Microsoft-Windows-RemoteAccess-Server | 1010 | Medium | IPv6 routing component failed to initialize |
| Microsoft-Windows-RemoteAccess-RemoteAccessServer | 20220 | Info | VPN connection established successfully |
| Microsoft-Windows-RemoteAccess-RemoteAccessServer | 20226 | Info | VPN user disconnected |
| Microsoft-Windows-RemoteAccess-RemoteAccessServer | 20271 | High | Authentication failed for VPN user |
| Microsoft-Windows-RemoteAccess-RemoteAccessServer | 20274 | High | Connection refused — authentication error |
| Security | 6272 | Info | Network Policy Server granted access |
| Security | 6273 | High | Network Policy Server denied access |
| Microsoft-Windows-RemoteAccess-DA | 3000 | Info | DirectAccess tunnel established |
| Microsoft-Windows-RemoteAccess-DA | 3001 | Info | DirectAccess tunnel terminated |
| Microsoft-Windows-RemoteAccess-DA | 3003 | Medium | DNS64/NAT64 translation failure |
| Microsoft-Windows-RemoteAccess-DA | 3004 | High | IP-HTTPS listener failed |
| Microsoft-Windows-RemoteAccess-DA | 3010 | Critical | DirectAccess server unreachable |
| Microsoft-Windows-RemoteAccess-RoutingDomain | 4001 | Medium | Static route added or changed |
| Microsoft-Windows-RemoteAccess-RoutingDomain | 4002 | Info | Routing protocol update received |
| Microsoft-Windows-RemoteAccess-RoutingDomain | 4005 | Medium | NAT mapping failed for client |
| Microsoft-Windows-RemoteAccess-RoutingDomain | 4006 | High | Packet dropped due to policy |
| Microsoft-Windows-RemoteAccess-RoutingDomain | 4010 | High | RRAS detected duplicate IP address |
| Security | 4648 | Info | Logon attempt using explicit credentials (VPN) |
| Security | 6278 | Info | NPS granted access with certain policy |
| Security | 6279 | High | NPS denied access due to certificate issue |
| Microsoft-Windows-RemoteAccess-Server | 5000 | Info | IPsec negotiation succeeded |
| Microsoft-Windows-RemoteAccess-Server | 5001 | High | IPsec negotiation failed |
| Microsoft-Windows-RemoteAccess-Server | 5002 | High | Certificate revocation check failed |