Why are Windows logs with Event Code 4625 not appearing in the Splunk instance?
Hi,
I'm experiencing an issue where logs with EventCode=4625 from Windows systems (an account failed to log on) are not appearing in my Splunk instance. I have checked the data collection and indexing settings, but still can't find these logs.
Has anyone else encountered a similar problem or have any suggestions on how to troubleshoot this?
Thank you!
Could you please share with us the stanza from your inputs.conf file that you are using to monitor Windows Security logs?

Yes, of course, here it is:
Is this the only stanza you have for Windows Security? Because this one is disabled.
When you set the parameter disabled = 1 you disable the Windows Security monitor stanza. This parameter should be set as disabled = 0 so you can enable the monitor.
Hi @splk_user,
There are two possible answers to this issue:
- You have whitelisting or blacklisting in inputs, so you don't have these events;
- You have an external authentication system, so you never have failed logon events in your logs.
You can check the first by viewing your inputs.conf and the second by checking your architecture.
Ciao.
Giuseppe
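
The two inputs.conf checks suggested in the replies above (the `disabled` flag and whitelist/blacklist filters) can be scripted. This is an added example, not code from the thread or from Splunk; `SAMPLE` is a constructed stanza because the poster's own stanza is not shown, and the function names are hypothetical.

```python
import re
# Constructed sample inputs.conf text (assumption: not the poster's real file).
SAMPLE = '''
[WinEventLog://Security]
disabled = 1
blacklist1 = EventCode="4662" Message="Object Type:"
blacklist2 = 4625,5156-5158
'''

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} from .conf-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def filter_matches(value, code):
    """True if a filter value selects the code (other keys such as Message are ignored)."""
    adv = re.search(r'EventCode\s*=\s*(\S)(.*?)\1', value)
    if adv:  # advanced form: EventCode=<delim>regex<delim>
        return re.search(adv.group(2), str(code)) is not None
    for part in value.split(","):  # simple form: event IDs and ID ranges
        lo, _, hi = part.strip().partition("-")
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= code <= int(hi or lo):
            return True
    return False

def check_event_code(text, code=4625, stanza="WinEventLog://Security"):
    """List the reasons this stanza could keep the event code out of Splunk."""
    conf = parse_stanzas(text).get(stanza)
    if conf is None:
        return [f"stanza [{stanza}] not found"]
    reasons = []
    if conf.get("disabled", "0").lower() in ("1", "true", "yes"):
        reasons.append("input is disabled")
    for key, value in conf.items():
        if key.startswith("blacklist") and filter_matches(value, code):
            reasons.append(f"{key} can drop EventCode {code}")
    whitelists = [v for k, v in conf.items() if k.startswith("whitelist")]
    if whitelists and not any(filter_matches(v, code) for v in whitelists):
        reasons.append(f"whitelist does not include EventCode {code}")
    return reasons
```

A forwarder merges inputs.conf from several apps and directories, so run the check against the merged settings (for example the output of `splunk btool inputs list`) rather than a single file.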

@splk_user - Also, check on one of the Windows hosts: open the Event Viewer on the machine and see whether the event is there or not.

Yes, I have checked the Event Viewer on the Windows host and I found event logs with the event ID 4265, but they are not appearing in the Splunk instance.

Thank you @gcusello,
But I have checked inputs.conf and EventCode=4625 is not blacklisted in the configuration.
And when I checked the Event Viewer of the Windows host, I found that logs with event code 4265 are generated.
Hi,
Are you able to share the stanza for the collection of Windows Security logs from your inputs.conf file? Just to make sure there is no setting filtering the events.
Also, in the past I had similar issues, but it was due to the Windows servers, which were configured not to log specific events, so I would recommend checking in the Event Viewer whether event 4625 is being generated.

I have checked in the Event Viewer and event 4625 is being generated, but I still have the same problem: the events are not appearing in the Splunk instance.