Reference:
How to check user login history
ALL RIGHTS RESERVED TO THE AUTHOR(S) OF THE ORIGINAL ARTICLE(S)
Event ID 4624 - An account was successfully logged on.
This event records every successful attempt to log on to the local computer. It includes critical information about the logon type (e.g. interactive, batch, network, or service), SID, username, network information, and more. Monitoring this particular event is crucial as the information regarding logon type is not found in DCs.
Event ID 4634 - An account was logged off.
This event signals the end of a logon session.
Event ID 4647 - User initiated logoff.
This event, like event 4634, signals that a user has logged off; however, this particular event indicates that the logon was interactive or RemoteInteractive (remote desktop).
Event ID 4625 - An account failed to log on.
is event documents every failed attempt to log on to the local computer, including information on why the logon failed (bad username, expired password, expired account, etc.) which is useful for security audits.
Event ID 4768 - A Kerberos authentication ticket (TGT) was requested.
This event is generated when the DC grants an authentication ticket (TGT). That means a user has entered the correct username and password, and their account passed status and restriction checks. If the ticket request fails (account is disabled, expired, or locked; attempt is outside of logon hours; etc.), then this event is logged as a failed logon attempt.
Event ID 4771 - Kerberos pre-authentication failed.
This event means that the ticket request failed, so this event can be considered a logon failure.
This event means that the ticket request failed, so this event can be considered a logon failure.