From OSSEC Wiki


Here are samples of the event messages generated by the Routing and Remote Access service in Windows 2000 and 2003.

Event Type:	Information
Event Source:	RemoteAccess
Event Category:	None
Event ID:	20015
Date:		12/2/2006
Time:		9:19:16 PM
User:		N/A
Computer:	ACME-RAS-SERVER
Description:
The user ACME\cflavbert has connected and has been successfully authenticated on port COM15. 

Event Type:	Information
Event Source:	RemoteAccess
Event Category:	None
Event ID:	20048
Date:		12/2/2006
Time:		9:47:46 PM
User:		N/A
Computer:	ACME-RAS-SERVER
Description:
The user ACME\cflavbert connected on port COM15 on 12/02/2006 at 09:19pm and disconnected on 12/02/2006 at 09:47pm.  The user was active for 28 minutes 30 seconds.  0 bytes were sent and 0 bytes were received. The port speed was 16800.  The reason for disconnecting was user request. 

Event Type:	Warning
Event Source:	RemoteAccess
Event Category:	None
Event ID:	20187
Date:		9/24/2006
Time:		9:44:44 AM
User:		N/A
Computer:	ACME-RAS-SERVER
Description:
The user ojsimpson failed an authentication attempt due to the following reason: The specified user does not exist.  

Event Type:	Warning
Event Source:	RemoteAccess
Event Category:	None
Event ID:	20187
Date:		9/27/2006
Time:		7:32:52 PM
User:		N/A
Computer:	ACME-RAS-SERVER
Description:
The user csoley failed an authentication attempt due to the following reason: There was an authentication failure because of an unknown user name or a bad password.  

Event Type:	Error
Event Source:	RemoteAccess
Event Category:	None
Event ID:	20073
Date:		10/8/2006
Time:		9:32:21 AM
User:		N/A
Computer:	ACME-RAS-SERVER
Description:
The following error occurred in the Point to Point Protocol module on port: COM16, UserName: ACME\ansunn. There was an error changing the password on the domain.  The password might have been too short or might have matched a previously used password. 
Data:
0000: c5 02 00 00               Å...    

Event Type:	Warning
Event Source:	RemoteAccess
Event Category:	None
Event ID:	20049
Date:		10/6/2006
Time:		5:09:45 AM
User:		N/A
Computer:	ACME-RAS-SERVER
Description:
The user connected to port COM16 has been disconnected because the authentication process did not complete within the required amount of time. 

Event Type:	Warning
Event Source:	RemoteAccess
Event Category:	None
Event ID:	20187
Date:		10/8/2006
Time:		9:32:21 AM
User:		N/A
Computer:	ACME-RAS-SERVER
Description:
The user ACME\ansunn failed an authentication attempt due to the following reason: A user could not change their password because the new password did not meet the requirements for this network.  

Event Type:	Warning
Event Source:	RemoteAccess
Event Category:	None
Event ID:	20187
Date:		10/8/2006
Time:		9:33:00 AM
User:		N/A
Computer:	ACME-RAS-SERVER
Description:
The user ACME\ansunn failed an authentication attempt due to the following reason: The user must change their password.  
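
As an added example that is not from the OSSEC wiki or the OSSEC project, the Python below parses records in the dump format shown above and flags users with repeated Event ID 20187 authentication failures, the kind of check an OSSEC rule with a frequency threshold expresses; the three-record input (trimmed to the fields used) and the threshold of 2 are assumptions.

```python
import re
from collections import Counter
# Constructed input in the dump format shown above (three of the page's records, trimmed to the fields used here).
SAMPLE = """Event Source:\tRemoteAccess
Event ID:\t20187
Description:
The user ojsimpson failed an authentication attempt due to the following reason: The specified user does not exist.

Event Source:\tRemoteAccess
Event ID:\t20187
Description:
The user ojsimpson failed an authentication attempt due to the following reason: The specified user does not exist.

Event Source:\tRemoteAccess
Event ID:\t20015
Description:
The user ACME\\cflavbert has connected and has been successfully authenticated on port COM15.
"""
FAIL_RE = re.compile(r"^The user (\S+) failed an authentication attempt due to the following reason: (.+?)\s*$")

def parse_events(text):
    # Records are blank-line separated; "Key:<tab>Value" headers, then the message after "Description:" (stops at "Data:").
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev, desc, in_desc = {}, [], False
        for line in chunk.splitlines():
            if line.startswith("Data:"):
                in_desc = False
            elif in_desc:
                desc.append(line.strip())
            elif line.startswith("Description:"):
                in_desc = True
            elif ":" in line:
                key, _, val = line.partition(":")
                ev[key.strip()] = val.strip()
        ev["Description"] = " ".join(desc)
        events.append(ev)
    return events

def auth_failures(events):
    # (user, reason) for every RemoteAccess 20187 record; other event IDs are ignored
    hits = (FAIL_RE.match(e["Description"]) for e in events
            if e.get("Event Source") == "RemoteAccess" and e.get("Event ID") == "20187")
    return [(m.group(1), m.group(2)) for m in hits if m]

def repeated_failures(events, threshold=2):
    # users at or above the threshold within one batch, like an OSSEC frequency rule
    counts = Counter(user for user, _ in auth_failures(events))
    return {u: n for u, n in counts.items() if n >= threshold}
```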
More information on the event IDs generated by the Routing and Remote access service in Windows can be found here and here.
