cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
czql5v
Observer
Member since: a month ago
3 weeks ago
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-10-2024
Activity Feed
Topics I've Started
View All

Re: User lockout

by in Splunk Enterprise
a month ago
a month ago
Hi Deepakc, In the details of the search in Splunk I can see that there is a logon account which I search on - also a source source workstation at least 3 different ones with the eventcode=4776 and 3 different hosts which are the Domain Controllers of the domain.  I assume the hosts are where the user is attempting to validate credentials. Does this mean that the user is attempting to validate from different workstations and the validation will go to the nearest DC in the Domain.  So I assume the source workstation is where the user is attempting to login from?  Regards. ... View more

Re: User lockout

by in Splunk Enterprise
a month ago
a month ago
Hi Deepakc, The user is definitely not typing the wrong password. What happens is that his account gets locked out when he is actually logging in after he has been of his machine to get a cup of tea or something similar. When you say "if its not in the event data" what do you mean by that. Where would i see event data. I hope the above helps. Regards.     ... View more

Re: User lockout

by in Splunk Enterprise
a month ago
a month ago
Hi Deepak C Thank you so much for you kind and prompt reply. It's more than appreciated. Splunk has been setup to extract the logs and get all the needed information from AD event logs including event ID, User ID, etc, etc in order to troubleshoot any problems in ADDC such as user account lockouts etc. The image from my previous question is from a search of the users ID and in this case it pulled eventcode 4776, basically saying the account is locked out?  The question is how to I investigate how to get to the root cause and find out what is locking the account out. If you are able to help that would be of great significance as I would like to get the user up and running on Monday without any further problems. Regards. ... View more

User lockout

by in Splunk Enterprise
a month ago
a month ago
Hi All, just started a new role and not been introduced to splunk in any previous jobs, and this is completly new to me. We have a user that is constantly getting account lockout issues. All our Domain controller security logs etc are extracted into splunk every fifteen minutes. I am attempting to complete a search from the Splunk>enterprise --- New Search field but I can only extract the below information which tells me the user, source, and host and that the user has an Audit failure. Please could someone point me to how I would go about extracting the information of what machine the user is getting the account lock from. I see quite a few messages on the internet but they never say where the actual message should be input from. Is it directly into the New Search field.... Any help would be very much appreciated.     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago