topic Re: Windows security logs-user account for code 4740 in All Apps and Add-ons

Windows security logs-user account for code 4740

Bill_B — Tue, 11 Mar 2014 22:14:20 GMT

Hi all,

I have a universal forwarder that is forwarding Windows security logs to my Splunk instance on a linux machine. The logs are being written to a folder on a Windows 2008R2 server that the universal forwarder is installed on.

For Windows event code 4740 (user account locked out), I would like to get the user name for the account that was locked out. However, that information does not seem to be in the log.

Does anyone know how or where I could get the user name information?

This is the info I'm currently getting from a typical security log:

03/11/2014 11:19:15 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName=USWV-DC1.XXX-inc.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=608568744
Keywords=Audit Success
Message=

Thank you.

Re: Windows security logs-user account for code 4740

lukejadamec — Tue, 11 Mar 2014 22:45:43 GMT

The information you seek is in the Message field.
EventCode=4740 |table Message

Re: Windows security logs-user account for code 4740

Bill_B — Tue, 11 Mar 2014 23:21:54 GMT

Thanks. That gave me a lot more info including the account names.

Re: Windows security logs-user account for code 4740

lukejadamec — Mon, 28 Sep 2020 16:05:46 GMT

You want the second account_name.
EventCode=4740 | eval Account_Name2=mvindex(Account_Name,1) |table Account_Name2

Re: Windows security logs-user account for code 4740

afabijan — Mon, 22 Sep 2014 11:49:46 GMT

Event 4740 is recorded by the [Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management] policy. Please enable it and audit Success. You can create a new GPO, enable this policy and link it to domain.

After that, you will see this events in Splunk, attribute is Account_Name

Re: Windows security logs-user account for code 4740

Bill_B — Mon, 22 Sep 2014 23:25:31 GMT

Can you tell me why I am getting no information in the "Message" part of the event? The actual Windows log has message information including account name, but that info is not being displayed in the Splunk event.
Example of my Splunk event:
09/22/2014 03:31:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName= XXX.xxxxx.XXX
TaskCategory=User Account Management
OpCode=Info
RecordNumber=346165397
Keywords=Audit Success
Message=

Re: Windows security logs-user account for code 4740

mcronkrite — Mon, 28 Sep 2020 17:43:41 GMT

Do you have Splunk_TA_Windows installed on your Indexer, and Search Head?
You need the search time extractions for the fields.

Re: Windows security logs-user account for code 4740

mcronkrite — Sun, 28 Sep 2014 17:41:42 GMT

If you are using the Splunk Windows Infrastructure App then you can run this search:

search eventtype=msad-nt6-account-lockout OR eventtype=msad-nt5-account-lockout

Re: Windows security logs-user account for code 4740

Bill_B — Mon, 29 Sep 2014 17:34:47 GMT

I have the Splunk App for Windows Infrastructure installed on the Indexer/Search Head and on the Heavy Forwarder. Do I also need Splunk Add-on for Microsoft Windows installed on the Indexer/Search Head?
Thanks.

Re: Windows security logs-user account for code 4740

mcronkrite — Mon, 28 Sep 2020 17:44:55 GMT

Splunk_TA_Windows should be on all the tiers of Splunk, and then also windows forwarders.,Splunk_TA_Windows on the Indexer and Search Head is fine as well as Windows Forwarders.

Re: Windows security logs-user account for code 4740

Bill_B — Tue, 30 Sep 2014 16:49:10 GMT

Thanks mcronkrite. I'll install the TA_Windows and see if it makes a difference.