Getting Data In

Whitelist bad logon

New Member

I want to whitelist events when users put the password in the logon window during login.
See example below, note the *****:

An account failed to log on.

Security ID: SYSTEM
Account Name: Computer01
Account Domain: MyDomain
Logon ID: 0x3E7

Logon Type: 7

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: User
Account Domain: MyDomain

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D **************
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x8e0D
Caller Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name: Computer01
Source Network Address:
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

My whitelist is as follows:

whitelist = EventCode = "4625" Message = "Failure\sInformation\sStatus:\s+0xc000006d"

Need assistance with coding the 0xc000006d

Thank you!

0 Karma


Hi @sswigart,
sorry but I don't understand what do you mean with "whitelist": do you want as search result all the 4625 events? or what else?
If you want to filter events to extract logFail events (EventCode=4625) you could run something like this:

index=wineventlog EventCode=4625 Message="Failure\sInformation\sStatus:\s+0xc000006d"
| table ...


0 Karma

New Member

Thank you for your suggestion.
I am trying to create a whitelist in the etc\system\local\inputs.conf file.
Still not having any success.

0 Karma


Hi @sswigart,
you can whitelist the EventCodes related to logins but in this way you exclude all the other EventCodes, I think that it's better to filter these events at search time.
Anyway, at there's an example of whitelisting Windows EventCodes.


0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!