Splunk Enterprise

can't recive EventID 4625 to MY AD



I Have a machine Windows server 2012 r2, I configure as Active directory, and I create a user (user_1, user_2) and I add a list of computers (Client_1, Client_2,...) under the domain

what I want is if a user_1 is fail to log in,  the client_1, then it sends the event code 4625 to the AD machine 


Labels (2)
Tags (1)
0 Karma


This does not appear to be a Splunk question and we're unlikely to be able to help you in any great detail on this problem.

A hint though -

Your answer will be found most likely in some Microsoft docs or forums involving Active Directory.  From what I know, if you are trying to log into a domain account on a domain joined PC, it's very difficult to make the failed logins not show up.   So something's either seriously wrong, or you are just "doing the wrong thing" like not using a domain joined pc and using a domain account.


0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!