
After upgrading from Splunk 5 to 6.2.4, why is our search on failed login attempts from Windows Event Logs no longer working?

New Member

We were using an old version of Splunk (ver 5) and have since updated to the ver 6.2.4 and now our failed login attempts search string no longer works and I can't figure out why. Here is what we have:

source="WinSecurity" "EventCode=4776" AND "Audit Failure" NOT (Logon_Account="*$" OR Logon_account="*$") | eval "User_Account" = coalesce(Logon_Account,Logon_account) 
| stats count by User_Account |sort 20 -count | search count > 15

We have several domain controllers and used to get all of the logs. Now I get nothing, and it was working before. The only thing I think I see is that there is no longer a field called User_Account. I have played around with it, but it won't show me the search count by user anymore. What am I doing wrong? Thanks, Keith

0 Karma

Re: After upgrading from Splunk 5 to 6.2.4, why is our search on failed login attempts from Windows Event Logs no longer working?

Contributor

Do you get any result after just putting:

source="WinSecurity" "EventCode=4776"

If not, that means you need to provide an index name.
Refer to this: http://answers.splunk.com/answers/71694/search-without-index-not-working.html

0 Karma

Re: After upgrading from Splunk 5 to 6.2.4, why is our search on failed login attempts from Windows Event Logs no longer working?

New Member

Yes, I get 6K results, but I want to see just the ones that occur over 15 times in an hour.

0 Karma

Re: After upgrading from Splunk 5 to 6.2.4, why is our search on failed login attempts from Windows Event Logs no longer working?

Contributor

Add this for hourly buckets:

|bucket _time span=1h |

Also, if this field "User_Account" is not available, on which field do you want the stats to run?

0 Karma
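To show what the hourly bucketing and per-account count from the answer above look like as detection logic outside Splunk, here is an added Python example; it is not code from this thread. It parses constructed EventCode=4776 audit-failure lines, drops machine accounts ending in `$` as the original search does, buckets by hour and reports accounts with more than 15 failures; the line layout and the account names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Regex mirroring the fields the SPL search relies on: the event code, the
# audit outcome and the "Logon Account" value (Splunk names it Logon_Account).
# The line layout is an assumption, not the exact forwarder output.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?EventCode=(?P<code>\d+) "
    r"(?P<result>Audit (?:Failure|Success)).*?Logon Account:\s+(?P<account>\S+)"
)


def parse_event(line):
    """Return (hour_bucket, account) for a 4776 audit failure, else None."""
    m = EVENT_RE.search(line)
    if not m or m.group("code") != "4776" or m.group("result") != "Audit Failure":
        return None
    account = m.group("account")
    if account.endswith("$"):  # NOT Logon_Account="*$": skip machine accounts
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts.replace(minute=0, second=0), account  # bucket _time span=1h


def failed_logons_over_threshold(lines, threshold=15):
    """stats count by hour, account | search count > threshold, sorted by -count."""
    counts = Counter()
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            counts[parsed] += 1
    hits = [(bucket, acct, n) for (bucket, acct), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda h: -h[2])


def constructed_sample():
    """Constructed sample events (not real data): 16 failures for one user in one
    hour, 3 in the next, plus a machine account and successes that must be ignored."""
    fmt = "2015-08-10 {:02d}:{:02d}:00 EventCode=4776 {} Logon Account: {} Source Workstation: WS01"
    lines = [fmt.format(9, i, "Audit Failure", "keith") for i in range(16)]
    lines += [fmt.format(10, i, "Audit Failure", "keith") for i in range(3)]
    lines += [fmt.format(9, i, "Audit Failure", "DC01$") for i in range(20)]
    lines += [fmt.format(9, i, "Audit Success", "alice") for i in range(20)]
    return lines


if __name__ == "__main__":
    for bucket, account, count in failed_logons_over_threshold(constructed_sample()):
        print(bucket.strftime("%Y-%m-%d %H:00"), account, count)
```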

Re: After upgrading from Splunk 5 to 6.2.4, why is our search on failed login attempts from Windows Event Logs no longer working?

Contributor

If the field is not available, extract it.

0 Karma

Re: After upgrading from Splunk 5 to 6.2.4, why is our search on failed login attempts from Windows Event Logs no longer working?

Contributor

The inputs.conf format for Windows event logs changed from Splunk v5 to Splunk v6. Did you upgrade the version of the UF on your domain controllers? If so, you'll have to use the new inputs.conf format on them, which is included in the newest SplunkTAwindows.

0 Karma