
Why is my search no longer returning account lockout data?

Path Finder

Hi,

We seem to have stopped receiving account lockout data since 23/03/2015.

I am using the search eventtype=wineventlog-security (EventCode=644 OR EventCode=671) and it shows no new data since 23/03/2015.

I have checked and the forwarders seem to be working OK from our DCs, as we are getting other data from them when searching host=.......

The other thing that's quite strange is that if I use the Splunk App for Windows Infrastructure and select 1 day, I am seeing failed logins for each of the domain controllers.

Any ideas why the search is no longer pulling back the lockouts?

0 Karma

Re: Why is my search no longer returning account lockout data?

Motivator

If you were getting events at one point and you aren't now for the same search, I'd guess someone changed the domain GPO and the system is no longer configured to generate the events. Ask someone to look for those specific logs on the DCs.

.... and then ask them when they are going to upgrade since Win2k3 is going EOL 😃

0 Karma

Re: Why is my search no longer returning account lockout data?

Communicator

Start with the source. Lock out an account and verify that it is being logged on the server. If yes, then you have to look at the conf files and see if it is being blocked from being pulled into Splunk. If they are not being logged on the server, then it is your audit policy. Check the default domain policy - and any other policies hitting the DC. Start > Run > cmd > gpresult /R

As mentioned above, 644 is for Win 2003. The EventID code changed in 2008, I think, to 4740. I use the following queries for dashboards.

This should show the account lockouts in the last 24 hours:

index=wineventlog EventCode=4740 host=* | stats count by AccountName | sort - count | rename AccountName as "User Name", count as "Number of Lockouts"

This shows the logon source - what end device is being used to lock them out.

index=wineventlog EventCode=4625 host=* | stats count by AccountName,SourceNetworkAddress | sort - count | rename AccountName as "User Name", SourceNetworkAddress as "IP Address", count as "Number of Events"

Another source clue:

index=wineventlog EventCode=4771 host=* | stats count by AccountName,ClientAddress | sort limit=10 -count | rename AccountName as "User Name", ClientAddress as "IP Address", count as "Number of Events"


0 Karma
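
An added example (not written by any poster in this thread): one search covering both the Windows 2003 event IDs from the question (644, 671) and their 2008+ equivalents (4740 as given in the answer above; 4767 is the unlock counterpart of 671), reporting when each domain controller last sent each kind. It assumes the index=wineventlog index used in the answer and Splunk's default host and EventCode fields; the output field names are made up for this example.

```spl
index=wineventlog (EventCode=644 OR EventCode=671 OR EventCode=4740 OR EventCode=4767)
| eval code=tonumber(EventCode)
| eval event_generation=if(code<1000, "legacy (Win 2003)", "current (Win 2008+)")
| eval action=case(code=644 OR code=4740, "lockout", code=671 OR code=4767, "unlock")
| stats count AS events, earliest(_time) AS first_seen, latest(_time) AS last_seen BY host, event_generation, action
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort host, action, event_generation
```

Run it over a time range that spans the date the data stopped. A host whose legacy rows end where its current rows begin has switched event IDs, while a host with no recent row in either generation points back to the audit policy and conf file checks described in the answer.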

Re: Why is my search no longer returning account lockout data?

Path Finder

Hi,

Thanks for all your answers.

It's strange, as none of the searches are returning results, but the Splunk App for Windows Infrastructure is returning all of the info I require.

Please consider this issue now resolved and thanks again for your assistance.

0 Karma