Login Attempts And Lockout Status

Engager

Hello Community,

I'm new to Splunk and couldn't seem to find an answer to my question.
I'm currently running a Splunk Trial for Splunk Cloud, and running a Universal Forwarder on a Test Domain Controller.
I want an overview of the failed login attempts in our whole domain (clients and servers; server authentication is handled via AD). Is this possible to do with a single forwarder on the domain controller?

For the lockout status I have a similar question: I would like to have an alert when a user is locked out on his computer. Can this be done with only Universal Forwarders on the Domain Controllers?

Thanks in advance!
Cheers.

0 Karma

Re: Login Attempts And Lockout Status

Champion

Please check this post:
https://answers.splunk.com/answers/612498/active-directory-user-lockout-report.html

As you are a new user to Splunk Answers, you can upvote the answers/comments. If any answer resolved your query, you can select that answer and "accept" it as the answer, so that this question will be moved to the answered queue. Happy Splunking!


Re: Login Attempts And Lockout Status

Engager

Thank you for your answer. Still, one thing is not clear: how do I see a difference between hosts? Currently it only shows the name of the domain controller with a dollar sign behind it when I lock out on a client computer. I would like to see on what hosts they tried to log in.

0 Karma

Re: Login Attempts And Lockout Status

Motivator

Are you ingesting the Windows security event log from your Domain Controller?
I believe that's where you can find authentication events and lockout events.

0 Karma
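
An added example, not part of the thread: a domain controller's Security log records account lockouts (event 4740), failed Kerberos pre-authentication (4771) and NTLM credential validation (4776), and each of these names both the target account and the machine or address the attempt came from. The Python sketch below pulls those two values out of the classic "Label: value" message text and counts attempts per account and origin. The sample messages are constructed and abbreviated, and the host, account and address values are made up.

```python
import re
from collections import Counter

# Event ID -> (label of the target account, label of the originating host).
FIELDS = {
    4740: ("Account Name", "Caller Computer Name"),   # account locked out
    4771: ("Account Name", "Client Address"),         # Kerberos pre-auth failed
    4776: ("Logon Account", "Source Workstation"),    # NTLM credential validation
}

def field(msg, label):
    """Last value of 'label:' in the message text, or None if absent."""
    vals = re.findall(rf"^[ \t]*{re.escape(label)}:[ \t]*(\S.*?)[ \t]*$", msg, re.M)
    return vals[-1] if vals else None

def summarize(events):
    """Count lockouts and failed logons per (kind, account, originating host)."""
    counts = Counter()
    for code, msg in events:
        if code not in FIELDS:
            continue
        # 4776 is also logged for successful validations (Error Code 0x0).
        if code == 4776 and field(msg, "Error Code") == "0x0":
            continue
        account_label, origin_label = FIELDS[code]
        kind = "lockout" if code == 4740 else "failed_logon"
        # Taking the last "Account Name" skips the Subject block, which in
        # 4740 holds the domain controller's machine account (DC01$ here).
        counts[(kind, field(msg, account_label), field(msg, origin_label))] += 1
    return counts

# Constructed, abbreviated sample messages; all names and addresses are made up.
SAMPLE_EVENTS = [
    (4776, "Logon Account:\tjdoe\nSource Workstation:\tCLIENT07\nError Code:\t0xC000006A"),
    (4776, "Logon Account:\tjdoe\nSource Workstation:\tCLIENT07\nError Code:\t0xC000006A"),
    (4776, "Logon Account:\tasmith\nSource Workstation:\tSRV02\nError Code:\t0x0"),
    (4771, "Account Information:\n\tAccount Name:\tasmith\n"
           "Network Information:\n\tClient Address:\t::ffff:10.0.0.23"),
    (4740, "Subject:\n\tAccount Name:\tDC01$\n"
           "Account That Was Locked Out:\n\tAccount Name:\tjdoe\n"
           "Additional Information:\n\tCaller Computer Name:\tCLIENT07"),
]

if __name__ == "__main__":
    for (kind, account, origin), n in summarize(SAMPLE_EVENTS).most_common():
        print(f"{kind:12} {account:8} {origin:20} {n}")
```
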