Splunk Enterprise

Why am I unable to see the IP Address for Logon failure accounts in Windows event log information?

Explorer

When analyzing Windows event logs for logon failure events, I can see the IP address of logon failures coming in for some events, but I can't see it for some other events. Before and after logon failure events, I can see the IP, but not on failure log information. Why does the log not show IP?

thanks in advance.

1 Solution

SplunkTrust
SplunkTrust

Searching for "Windows Event code 4625" and reading through some of the results indicates several reasons why. For instance,

Source Network Address: The IP address of the computer where the user is
physically present in most cases unless this logon was initiated by a
server application acting on behalf of the user. If this logon is initiated
locally the IP address will sometimes be 127.0.0.1 instead of the local
computer's actual IP address. This field is also blank sometimes because
Microsoft says "Not every code path in Windows Server 2003 is instrumented
for IP address, so it's not always filled out."

I don't know if that applies to later versions of Windows, too, but it very, very likely does.

Also, I don't see status code "Status: 0xc000006d" in this document, but I do see substatus 0x64 which is described as "user name does not exist".

Putting all that together, I'd guess there could be

A service that's misconfigured; check the host itself for possibly more information.

A service that's configured properly and which does an authentication hop but that the credentials supplied by the user don't exist; not sure how to approach this problem because I don't know your systems/applications well enough.

Bad luck in that you hit one of the non-instrumented code paths; check the host reporting this for more information - perhaps there are other logs available.

In all cases above, you could TRY looking at all the information surrounding that time for that host and maybe get some more information, but unfortunately Splunk can't "make up information" that doesn't exist. At least not in a way that would be useful for you in this use case. 😞

View solution in original post

New Member

Unfortunately I believe this is a windows issue and not a splunk issue :(. just had this problem come up myself. Look here: http://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-addres...

0 Karma

SplunkTrust
SplunkTrust

Searching for "Windows Event code 4625" and reading through some of the results indicates several reasons why. For instance,

Source Network Address: The IP address of the computer where the user is
physically present in most cases unless this logon was initiated by a
server application acting on behalf of the user. If this logon is initiated
locally the IP address will sometimes be 127.0.0.1 instead of the local
computer's actual IP address. This field is also blank sometimes because
Microsoft says "Not every code path in Windows Server 2003 is instrumented
for IP address, so it's not always filled out."

I don't know if that applies to later versions of Windows, too, but it very, very likely does.

Also, I don't see status code "Status: 0xc000006d" in this document, but I do see substatus 0x64 which is described as "user name does not exist".

Putting all that together, I'd guess there could be

A service that's misconfigured; check the host itself for possibly more information.

A service that's configured properly and which does an authentication hop but that the credentials supplied by the user don't exist; not sure how to approach this problem because I don't know your systems/applications well enough.

Bad luck in that you hit one of the non-instrumented code paths; check the host reporting this for more information - perhaps there are other logs available.

In all cases above, you could TRY looking at all the information surrounding that time for that host and maybe get some more information, but unfortunately Splunk can't "make up information" that doesn't exist. At least not in a way that would be useful for you in this use case. 😞

View solution in original post

New Member

what was the search that was used in splunk to look for failed log on attempts from windows logs? I'm new to splunk and need to get this info from my network.

0 Karma

Contributor

Hi mahs33,

Do you have the some sample of this log? Maybe your source do not was creating the correct log.

0 Karma

Explorer

here's sample log:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=abc.efg.com
TaskCategory=Logon
OpCode=Info
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: xxx
Account Domain: worskstation

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: workstation
Network Address: -
Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

why i can't see SID Account Name, Domain, Network Address?

0 Karma

SplunkTrust
SplunkTrust

What type of logs are you working with?

By "Can't see IP address" do you mean it's not being extracted as a field, or do you mean if you look in the actual event itself there's no IP address in those? The former may be easy to fix, the latter not so easy and may be a problem with the source data. Still, in either case it's probably fixable but we need more detail, like examples of said logs, both the ones that are OK and the ones with missing data, etc...

0 Karma

Explorer

here's the log:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=abc.efg.com
TaskCategory=Logon
OpCode=Info
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: xxx
Account Domain: worskstation

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: workstation
Network Address: -
Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

why i can't see SID Account Name, Domain, Network Address?

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!