Hi,
We seem to have stopped receiving account lockout data since 23/03/2015.
I am using the search eventtype=wineventlog-security (EventCode=644 OR EventCode=671) and it shows no new data since 23/03/2015.
I have checked and the forwarders seem to be working OK from our DCs, as we are getting other data from them when searching host=.......
The other thing that's quite strange is that if I use the Splunk App for Windows Infrastructure and select 1 day, I am seeing failed logins for each of the domain controllers.
Any ideas why the search is no longer pulling back the lockouts?
Start with the source. Lock out an account and verify that it is being logged on the server. If yes, then you have to look at the conf files and see if it is being blocked from being pulled into Splunk. If they are not being logged on the server, then it is your audit policy. Check the Default Domain Policy and any other policies hitting the DC: Start > Run > cmd > gpresult /R
As mentioned above, 644 is for Win 2003. The EventID changed in 2008, I think, to 4740. I use the following queries for dashboards.
This should show the account lockouts in the last 24 hours:
index=wineventlog EventCode=4740 host=* | stats count by Account_Name | sort -count | rename Account_Name to "User Name", count to "Number of Lockouts"
This shows the logon source - what end devices are being used to lock them out:
index=wineventlog EventCode=4625 host=* | stats count by Account_Name,Source_Network_Address | sort -count | rename Account_Name to "User Name", Source_Network_Address to "IP Address", count to "Number of Events"
Another source clue:
index=wineventlog EventCode=4771 host=* | stats count by Account_Name,Client_Address | sort limit=10 -count | rename Account_Name to "User Name", Client_Address to "IP Address", count to "Number of Events"
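The "start with the source" procedure in the answer above, written out as a PowerShell script to run on a domain controller. This is an added example and not part of the original answer. It assumes an elevated session on the DC (ideally the PDC emulator, which records every lockout in the domain), the ActiveDirectory module that ships with the DC role, a throwaway test account you pass in as $Account, and the default Universal Forwarder install path for the inputs.conf check; the path and the account name are assumptions, not values from the thread.

```powershell
# Added example: reproduce the troubleshooting steps from the answer above on a DC.
# Assumptions: elevated PowerShell on the DC, ActiveDirectory module present,
# $Account is a disposable test user, $ForwarderHome is the assumed default UF path.
param(
    [Parameter(Mandatory = $true)][string]$Account,
    [string]$ForwarderHome = "$env:ProgramFiles\SplunkUniversalForwarder"   # assumed default
)

# 1. Audit policy: 4740 is written only if the "User Account Management" subcategory
#    is audited for Success. (4625 comes from Logon auditing, 4771 from Kerberos auditing.)
$policy = auditpol /get /subcategory:"User Account Management" 2>&1
$policy | Out-String | Write-Host
if ($policy -match 'No Auditing') {
    Write-Warning "User Account Management auditing is off on $env:COMPUTERNAME; 4740 will never be written. Check the GPOs gpresult /R lists."
}

# 2. Trigger a lockout with deliberately bad passwords, one more than the threshold.
#    Uses the default domain policy; a fine-grained password policy on the account would differ.
$threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
if ($threshold -eq 0) {
    Write-Warning "LockoutThreshold is 0: accounts never lock out, so no 4740 is possible."
}
$domain = $env:USERDNSDOMAIN
for ($i = 0; $i -le $threshold; $i++) {
    try {
        # Reading NativeObject forces an LDAP bind; a wrong password throws and counts as a failed logon.
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain", "$domain\$Account", "WrongPassword-$i")
        $null = $entry.NativeObject
    } catch { }
}
Start-Sleep -Seconds 5

# 3. Did the DC itself log the lockout? Read the Security log directly, bypassing Splunk.
$since  = (Get-Date).AddMinutes(-10)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Account) }
if ($events) {
    Write-Host "4740 logged on $env:COMPUTERNAME for $Account at $($events[0].TimeCreated); if Splunk has nothing, look at the forwarder."
} else {
    Write-Warning "No 4740 for $Account in the last 10 minutes: the gap is audit policy or which DC handled the lockout, not Splunk."
}

# 4. Forwarder side: list any whitelist/blacklist/disabled lines in every inputs.conf under the UF,
#    which is where a Security-log event would be filtered before it ever reaches the indexer.
Get-ChildItem -Path (Join-Path $ForwarderHome 'etc') -Recurse -Filter inputs.conf -ErrorAction SilentlyContinue |
    ForEach-Object {
        Select-String -Path $_.FullName -Pattern '^\s*(blacklist|whitelist|disabled)' |
            ForEach-Object { "$($_.Path):$($_.LineNumber): $($_.Line)" }
    }

# Afterwards, unlock the test account: Unlock-ADAccount -Identity $Account
```

Run it as `.\Check-Lockout.ps1 -Account lockouttest` (script name and account are placeholders). Step 3 is the decisive one: if the DC has the 4740 locally, the problem lies between the forwarder and the search, and step 4 plus the index and sourcetype in the search are where to look; if it does not, no amount of Splunk configuration will help and step 1 points at the audit policy.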
Hi,
thanks for all your answers
It's strange, as none of the searches are returning results, but the Splunk App for Windows Infrastructure is returning all of the info I require.
Please consider this issue now resolved and thanks again for your assistance.
If you were getting events at one point and you aren't now for the same search, I'd guess someone changed the domain GPO and the system is no longer configured to generate the events. Ask someone to look for those specific logs on the DCs.
.... and then ask them when they are going to upgrade, since Win2k3 is going EOL 😃
