I'm new to splunk and couldn't seem to find an answer to my question.
I'm currently running a Splunk Trial for Splunk Cloud, and running a Universal Forwarder on a Test Domain Controller.
I want an overview of the failed login attempt in our whole domain(Clients and Servers)(Server authentication is handled via AD). Is this possible to do with a single forwarder on the domain controller?
For the lockout status I have a similar Question, I would like to have a Alert when a User is locked out on his Computer. Can this be done with only Universal fowarders on the Domain Controllers?
Thanks in advance!
Please check this post:
As you are a new user to Splunk Answers, you can upvote the answers/comments,
if any answer resolved your query, you can select that answer and "accept" it as the answer, so that this question will be moved to answered queue. Happy Splunking!
Thank you for your answer, still one thing is not clear, How to a see a difference between hosts? currently it only the name of the domain controller with a dollar sign behind it when I lockout on a client computer. i would like to see on what hosts they tried to login.
Are you ingesting the Windows security event log from your Domain Controller?
I believe that's where you can find authentication events and lockout events.