Getting Data In

Why is Windows Logs with Event Code 4625 Not appearing in Splunk Instance?

splk_user
Path Finder

Hi,

I'm experiencing an issue where logs with EventCode=4625 from Windows systems (an account failed to log on) are not appearing in my Splunk instance. I have checked the data collection and indexing settings, but still can't find these logs.

Has anyone else encountered a similar problem or have any suggestions on how to troubleshoot this?

Thank you!


caiosalonso
Path Finder

Could you please share with us the stanza from your inputs.conf file that you are using to monitor Windows Security logs? 

splk_user
Path Finder

Yes, of course, here it is:

[image attachment: splk_user_0-1687269093928.png]

caiosalonso
Path Finder

Is this the only stanza you have for Windows Security? Because this one is disabled.

When you set the parameter disabled = 1 you disable the Windows Security monitor stanza. This parameter should be set as disabled = 0 so you can enable the monitor.


gcusello
SplunkTrust

Hi @splk_user,

There are two possible answers to this issue:

  • you have a whitelist or blacklist in your inputs, so you don't have these events;
  • you have an external authentication system, so you never have failed-logon events in your logs.

You can check the first by viewing your inputs.conf and the second by checking your architecture.

Ciao.

Giuseppe
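The two configuration causes raised in this thread, a Security stanza with disabled = 1 and a whitelist/blacklist that filters the event, can be checked mechanically instead of by eye. The script below is an added example written for this thread; it is not from the poster, from the replies, or from Splunk. It parses an inputs.conf text (the sample is constructed, not the poster's screenshot), finds the WinEventLog Security stanza and reports whether the stanza is disabled, whether any blacklist entry covers EventCode 4625, and whether a whitelist is present that does not include it. It assumes the two common filter syntaxes, a comma-separated list of event codes or ranges and the EventCode="regex" key form; a filter that only uses other keys (such as Message=) cannot be evaluated from the event code alone and is treated as not matching.

```python
import re
from typing import Dict, List

# Constructed sample inputs.conf for the demo; not the screenshot from the thread.
SAMPLE_INPUTS_CONF = """
[WinEventLog://Application]
disabled = 0

# Security log stanza: disabled, and a blacklist regex that also covers 4625
[WinEventLog://Security]
disabled = 1
blacklist1 = EventCode="^46(24|25)$"
blacklist2 = 4663,5145
"""

# Matches both "WinEventLog://Security" and the older "WinEventLog:Security" form.
SECURITY_STANZA = re.compile(r"^WinEventLog:/{0,2}Security$", re.IGNORECASE)


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .conf text into {stanza: {key: value}}; comments and blank lines are skipped."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def code_in_numeric_list(event_code: int, spec: str) -> bool:
    """True if a list such as '4624,4625' or a range such as '4600-4700' covers event_code."""
    for part in (p.strip() for p in spec.split(",")):
        if re.fullmatch(r"\d+", part) and int(part) == event_code:
            return True
        if re.fullmatch(r"\d+-\d+", part):
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= event_code <= hi:
                return True
    return False


def filter_matches(event_code: int, spec: str) -> bool:
    """Evaluate one whitelist/blacklist value against an event code.

    Handles the numeric list/range form and the EventCode="regex" form. If an
    EventCode term matches it is reported as a hit even when other keys are also
    present, so the check over-reports rather than misses a possible filter.
    """
    m = re.search(r'EventCode\s*=\s*"([^"]*)"', spec)
    if m:
        return re.search(m.group(1), str(event_code)) is not None
    if re.fullmatch(r"[\d,\s-]+", spec):
        return code_in_numeric_list(event_code, spec)
    return False  # assumption: other key=regex filters are not evaluated here


def diagnose(conf_text: str, event_code: int = 4625) -> List[str]:
    """Return human-readable findings explaining why event_code may not reach Splunk."""
    findings: List[str] = []
    security = {n: kv for n, kv in parse_inputs_conf(conf_text).items() if SECURITY_STANZA.match(n)}
    if not security:
        return ["no WinEventLog Security stanza found; the Security log is not collected at all"]
    for name, kv in security.items():
        if kv.get("disabled", "0").lower() in ("1", "true"):
            findings.append(f"[{name}] has disabled = {kv['disabled']}; set disabled = 0 to enable the monitor")
        for key, value in kv.items():
            if key.startswith("blacklist") and filter_matches(event_code, value):
                findings.append(f"[{name}] {key} = {value} drops EventCode {event_code}")
        whitelists = [v for k, v in kv.items() if k.startswith("whitelist")]
        if whitelists and not any(filter_matches(event_code, v) for v in whitelists):
            findings.append(f"[{name}] whitelist entries ({'; '.join(whitelists)}) do not include EventCode {event_code}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_INPUTS_CONF):
        print("finding:", finding)
```

Run it against the merged inputs.conf from the forwarder (the stanza may live in an app under etc/apps rather than etc/system/local, so check the effective configuration, not just one file). An empty result means neither the disabled flag nor a filter explains the gap, which points back to the other causes in the thread: the host not generating the event, or the audit policy on the Windows side.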

VatsalJagani
SplunkTrust
SplunkTrust

@splk_user - Also, check on one of the Windows hosts: open the Event Viewer on the machine and see whether the event is there or not.

splk_user
Path Finder

Yes, I have checked the Windows host in the Event Viewer of the machine and I have found event logs with the event ID 4265, but they are not appearing in the Splunk instance.


gcusello
SplunkTrust

Hi @splk_user,

Did you check my questions?

Ciao.

Giuseppe

splk_user
Path Finder

Thank you @gcusello ,

But I have checked inputs.conf, and EventCode=4625 is not blacklisted in the configuration.

And when I checked the Event Viewer of the Windows host, I found that logs with event code 4265 are generated.


caiosalonso
Path Finder

Hi,

Are you able to share the stanza for the collection of Windows Security logs from your inputs.conf file? Just to make sure there is no setting filtering the events.

Also, in the past I had similar issues, but it was due to the Windows servers, which were configured not to log specific events, so I would recommend checking in the Event Viewer whether event 4625 is being generated.

splk_user
Path Finder

I have checked in the Event Viewer and event 4625 is being generated, but I still have the same problem: they are not appearing in the Splunk instance.
