Archive

Windows security logs-user account for code 4740

Communicator

Hi all,

I have a universal forwarder that is forwarding Windows security logs to my Splunk instance on a linux machine. The logs are being written to a folder on a Windows 2008R2 server that the universal forwarder is installed on.

For Windows event code 4740 (user account locked out), I would like to get the user name for the account that was locked out. However, that information does not seem to be in the log.

Does anyone know how or where I could get the user name information?

This is the info I'm currently getting from a typical security log:

03/11/2014 11:19:15 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName=USWV-DC1.XXX-inc.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=608568744
Keywords=Audit Success
Message=

Thank you.

0 Karma

Splunk Employee
Splunk Employee

Splunk_TA_Windows should be on all the tiers of Splunk, and then also windows forwarders.,Splunk_TA_Windows on the Indexer and Search Head is fine as well as Windows Forwarders.

0 Karma

Communicator

Thanks mcronkrite. I'll install the TA_Windows and see if it makes a difference.

0 Karma

Splunk Employee
Splunk Employee

If you are using the Splunk Windows Infrastructure App then you can run this search:

search eventtype=msad-nt6-account-lockout OR eventtype=msad-nt5-account-lockout

0 Karma

Communicator

I have the Splunk App for Windows Infrastructure installed on the Indexer/Search Head and on the Heavy Forwarder. Do I also need Splunk Add-on for Microsoft Windows installed on the Indexer/Search Head?
Thanks.

0 Karma

Explorer

Event 4740 is recorded by the [Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management] policy. Please enable it and audit Success. You can create a new GPO, enable this policy and link it to domain.

After that, you will see this events in Splunk, attribute is Account_Name

Communicator

Can you tell me why I am getting no information in the "Message" part of the event? The actual Windows log has message information including account name, but that info is not being displayed in the Splunk event.
Example of my Splunk event:
09/22/2014 03:31:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName= XXX.xxxxx.XXX
TaskCategory=User Account Management
OpCode=Info
RecordNumber=346165397
Keywords=Audit Success
Message=

0 Karma

Splunk Employee
Splunk Employee

Do you have Splunk_TA_Windows installed on your Indexer, and Search Head?
You need the search time extractions for the fields.

0 Karma

Super Champion

You want the second account_name.
EventCode=4740 | eval Account_Name2=mvindex(Account_Name,1) |table Account_Name2

0 Karma

Communicator

Thanks. That gave me a lot more info including the account names.

0 Karma

Super Champion

The information you seek is in the Message field.
EventCode=4740 |table Message

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!