Splunk Enterprise

can't recive EventID 4625 to MY AD



I Have a machine Windows server 2012 r2, I configure as Active directory, and I create a user (user_1, user_2) and I add a list of computers (Client_1, Client_2,...) under the domain

what I want is if a user_1 is fail to log in,  the client_1, then it sends the event code 4625 to the AD machine 


Labels (2)
Tags (1)
0 Karma


This does not appear to be a Splunk question and we're unlikely to be able to help you in any great detail on this problem.

A hint though -

Your answer will be found most likely in some Microsoft docs or forums involving Active Directory.  From what I know, if you are trying to log into a domain account on a domain joined PC, it's very difficult to make the failed logins not show up.   So something's either seriously wrong, or you are just "doing the wrong thing" like not using a domain joined pc and using a domain account.


0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...