All Apps and Add-ons

Windows security logs-user account for code 4740

Bill_B
Communicator

Hi all,

I have a universal forwarder that is forwarding Windows security logs to my Splunk instance on a linux machine. The logs are being written to a folder on a Windows 2008R2 server that the universal forwarder is installed on.

For Windows event code 4740 (user account locked out), I would like to get the user name for the account that was locked out. However, that information does not seem to be in the log.

Does anyone know how or where I could get the user name information?

This is the info I'm currently getting from a typical security log:

03/11/2014 11:19:15 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName=USWV-DC1.XXX-inc.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=608568744
Keywords=Audit Success
Message=

Thank you.

0 Karma

mcronkrite
Splunk Employee
Splunk Employee

Splunk_TA_Windows should be on all the tiers of Splunk, and then also windows forwarders.,Splunk_TA_Windows on the Indexer and Search Head is fine as well as Windows Forwarders.

0 Karma

Bill_B
Communicator

Thanks mcronkrite. I'll install the TA_Windows and see if it makes a difference.

0 Karma

mcronkrite
Splunk Employee
Splunk Employee

If you are using the Splunk Windows Infrastructure App then you can run this search:

search eventtype=msad-nt6-account-lockout OR eventtype=msad-nt5-account-lockout

0 Karma

Bill_B
Communicator

I have the Splunk App for Windows Infrastructure installed on the Indexer/Search Head and on the Heavy Forwarder. Do I also need Splunk Add-on for Microsoft Windows installed on the Indexer/Search Head?
Thanks.

0 Karma

afabijan
Explorer

Event 4740 is recorded by the [Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management] policy. Please enable it and audit Success. You can create a new GPO, enable this policy and link it to domain.

After that, you will see this events in Splunk, attribute is Account_Name

Bill_B
Communicator

Can you tell me why I am getting no information in the "Message" part of the event? The actual Windows log has message information including account name, but that info is not being displayed in the Splunk event.
Example of my Splunk event:
09/22/2014 03:31:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName= XXX.xxxxx.XXX
TaskCategory=User Account Management
OpCode=Info
RecordNumber=346165397
Keywords=Audit Success
Message=

0 Karma

mcronkrite
Splunk Employee
Splunk Employee

Do you have Splunk_TA_Windows installed on your Indexer, and Search Head?
You need the search time extractions for the fields.

0 Karma

lukejadamec
Super Champion

You want the second account_name.
EventCode=4740 | eval Account_Name2=mvindex(Account_Name,1) |table Account_Name2

0 Karma

Bill_B
Communicator

Thanks. That gave me a lot more info including the account names.

0 Karma

lukejadamec
Super Champion

The information you seek is in the Message field.
EventCode=4740 |table Message

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...