Hi,
We currently have a standalone setup for Splunk and would like to receive alerts from Splunk when an account is locked out so that we may unlock the account manually. Company policy does not allow auto-unlocking (health insurance sector), and users are often frustrated when they get locked out.
Currently I have done the following:
Problems:
We've done throttling too, and it doesn't seem to work 100%: what if two people are locked out simultaneously? And what term do I put in to throttle?
Does anyone have a similar setup to this?
Lastly, I've noticed that running this search job/alert job takes up a lot of resources in terms of "cleaning the dispatch logs"
I use this search for a dashboard. You might be able to use it to help with your query...
index=wineventlog EventCode=4740 host=* | stats count by Account_Name | sort - count | rename Account_Name to "User Name", count to "Number of Lockouts"
PS - we use the AD addon but this is just from the event logs.
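The throttling problem in the question (two users locked out within the same suppression window) comes down to what the suppression is keyed on. The following Python script is an added example, not code from either poster or from Splunk: it parses a handful of constructed, Splunk-style EventCode=4740 lines (the timestamps, account names and workstation names are made up), reproduces the `stats count by Account_Name` aggregation from the posted search, and then runs the same lockouts through two suppression models, one keyed on nothing (one alert suppresses every later lockout for the window) and one keyed on `Account_Name` (each account has its own window). The one-hour window and the field names are assumptions chosen to match the posted search.

```python
"""Per-account lockout alert throttling over constructed Windows 4740 events.

Added example, not from the original thread. The sample events below are
constructed to resemble the fields Splunk extracts from Security EventCode
4740 (account lockout); the accounts, hosts and times are invented.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Hashable

# Constructed sample data: timestamp followed by key=value fields. The 4771
# line is a pre-auth failure, not a lockout, and must be ignored.
SAMPLE_EVENTS = """\
2024-05-06T08:00:00 EventCode=4740 Account_Name=jsmith Caller_Computer_Name=WS01
2024-05-06T08:00:05 EventCode=4740 Account_Name=mjones Caller_Computer_Name=WS07
2024-05-06T08:03:00 EventCode=4771 Account_Name=jsmith Caller_Computer_Name=WS01
2024-05-06T08:10:00 EventCode=4740 Account_Name=jsmith Caller_Computer_Name=WS01
2024-05-06T09:30:00 EventCode=4740 Account_Name=jsmith Caller_Computer_Name=WS02
"""

SUPPRESS_WINDOW = timedelta(hours=1)  # assumed suppression period


@dataclass
class Event:
    time: datetime
    fields: dict[str, str]


def parse_events(text: str) -> list[Event]:
    """Parse 'ISO-timestamp key=value ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(stamp), fields))
    return events


def lockouts(events: list[Event]) -> list[Event]:
    """Equivalent of the `EventCode=4740` filter in the posted search."""
    return [e for e in events if e.fields.get("EventCode") == "4740"]


def lockouts_by_account(events: list[Event]) -> Counter:
    """Equivalent of `stats count by Account_Name`."""
    return Counter(e.fields["Account_Name"] for e in lockouts(events))


def throttle(events: list[Event], window: timedelta,
             key: Callable[[Event], Hashable]) -> list[Event]:
    """Return the lockouts that would raise an alert.

    After an alert fires for a given key, further lockouts with the same
    key are suppressed until `window` has elapsed since that alert.
    """
    fired: list[Event] = []
    last_fired: dict[Hashable, datetime] = {}
    for e in sorted(lockouts(events), key=lambda ev: ev.time):
        k = key(e)
        prev = last_fired.get(k)
        if prev is not None and e.time - prev < window:
            continue  # suppressed by an earlier alert with the same key
        last_fired[k] = e.time
        fired.append(e)
    return fired


def alerted_accounts_global(text: str = SAMPLE_EVENTS) -> list[str]:
    """Suppression keyed on nothing: the first lockout silences all others."""
    fired = throttle(parse_events(text), SUPPRESS_WINDOW, key=lambda e: "all")
    return [e.fields["Account_Name"] for e in fired]


def alerted_accounts_per_account(text: str = SAMPLE_EVENTS) -> list[str]:
    """Suppression keyed on Account_Name: each account has its own window."""
    fired = throttle(parse_events(text), SUPPRESS_WINDOW,
                     key=lambda e: e.fields["Account_Name"])
    return [e.fields["Account_Name"] for e in fired]


if __name__ == "__main__":
    print("lockouts by account:", dict(lockouts_by_account(parse_events(SAMPLE_EVENTS))))
    print("alerts, global throttle:     ", alerted_accounts_global())
    print("alerts, per-account throttle:", alerted_accounts_per_account())
```

With the constructed data the global throttle raises two alerts, both for jsmith, and mjones (locked out five seconds after jsmith) is never reported; keying the suppression on `Account_Name` raises three alerts (jsmith, mjones, jsmith), suppressing only jsmith's repeat lockout ten minutes later. The Splunk equivalent of the second model is to trigger the alert for each result rather than once per search, and to set the throttle to suppress results containing the field value `Account_Name` for the chosen period (the `alert.suppress.fields` setting in savedsearches.conf), so one user's lockout never hides another's.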