Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Login Attempts And Lockout Status

thijsvl
Engager
‎12-11-2018 01:10 AM

Hello Community,

I'm new to splunk and couldn't seem to find an answer to my question.
I'm currently running a Splunk Trial for Splunk Cloud, and running a Universal Forwarder on a Test Domain Controller.
I want an overview of the failed login attempt in our whole domain(Clients and Servers)(Server authentication is handled via AD). Is this possible to do with a single forwarder on the domain controller?

For the lockout status I have a similar Question, I would like to have a Alert when a User is locked out on his Computer. Can this be done with only Universal fowarders on the Domain Controllers?

Thanks in advance!
Cheers.

Tags (1)
0 Karma
Reply

whrg
Motivator
‎12-11-2018 02:19 AM

Are you ingesting the Windows security event log from your Domain Controller?
I believe that's where you can find authentication events and lockout events.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-11-2018 01:28 AM

Please check this post:
https://answers.splunk.com/answers/612498/active-directory-user-lockout-report.html

As you are a new user to Splunk Answers, you can upvote the answers/comments,
if any answer resolved your query, you can select that answer and "accept" it as the answer, so that this question will be moved to answered queue. Happy Splunking!

Reply

thijsvl
Engager
‎12-11-2018 02:13 AM

Thank you for your answer, still one thing is not clear, How to a see a difference between hosts? currently it only the name of the domain controller with a dollar sign behind it when I lockout on a client computer. i would like to see on what hosts they tried to login.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...