Splunk Search

Why is my search no longer returning account lockout data?

crossap
Path Finder

Hi,

We seem to have stopped receiving account lockout data since 23/03/2015.

I am using the search eventtype=wineventlog-security (EventCode=644 OR EventCode=671) and it's showing no new data since 23/03/2015.

I have checked and the forwarders seem to be working OK from our DCs, as we are getting other data from them when searching host=.......

The other thing that's quite strange is that if I use the Splunk App for Windows Infrastructure and select 1 day, I am seeing failed logins for each of the domain controllers.

Any ideas why the search is no longer pulling back the lockouts?

1 Solution

dolejh76
Communicator

Start with the source. Lock out an account and verify that it is being logged on the server. If yes, then you have to look at the conf files and see if it is being blocked from being pulled into Splunk. If they are not being logged on the server, then it is your audit policy. Check the default domain policy - and any other policies hitting the DC. Start > Run > cmd > gpresult /R

As mentioned above, 644 is for Win 2003. The EventID changed in 2008, I think, to 4740. I use the following queries for dashboards.

This should show the account lockouts in the last 24 hours:

index=wineventlog EventCode=4740 host=* | stats count by Account_Name | sort - count | rename Account_Name to "User Name", count to "Number of Lockouts"

This shows the logon source - what end devices are being used to lock them out:

index=wineventlog EventCode=4625 host=* | stats count by Account_Name,Source_Network_Address | sort - count | rename Account_Name to "User Name",Source_Network_Address to "IP Address",count to "Number of Events"

Another source clue:

index=wineventlog EventCode=4771 host=* | stats count by Account_Name,Client_Address | sort limit=10 -count | rename Account_Name to "User Name", Client_Address to "IP Address", count to "Number of Events"

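An added check for the "verify that it is being logged on the server" step, not part of the original thread: run on a domain controller in an elevated session, it shows whether the audit subcategory that produces 4740 is enabled and summarises the last 24 hours of 4740 events per account, mirroring the first dashboard search above. The subcategory name and the 4740 field names are standard Windows values; the 24-hour window and the output columns are choices made here.

```powershell
# Added example (not from the thread): confirm on the DC that lockouts are
# audited and written to the Security log before chasing Splunk inputs.

# 1. Is the audit subcategory that produces 4740 enabled? 4740 lives under
#    Account Management > User Account Management (Success auditing needed).
auditpol /get /subcategory:"User Account Management"

# 2. Pull every 4740 from the last 24 hours and summarise it the same way the
#    Splunk search does (one row per locked-out account, most lockouts first).
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4740 events since $since on $env:COMPUTERNAME. Either no lockouts occurred, or the audit policy / GPO is not generating them (run gpresult /R and check the domain GPOs)."
    return
}

$events |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time           = $_.TimeCreated
            # Account that was locked out
            UserName       = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            # For 4740 the "Caller Computer Name" is carried in TargetDomainName
            CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        }
    } |
    Group-Object UserName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'User Name';          e = { $_.Name } },
                  @{ n = 'Number of Lockouts'; e = { $_.Count } },
                  @{ n = 'Caller Computers';   e = { ($_.Group.CallerComputer | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

If this table is populated on the DC but the Splunk search is empty, the gap is in the forwarder input or index, not in the audit policy.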


crossap
Path Finder

Hi,

Thanks for all your answers.

It's strange, as none of the searches are returning results, but the Splunk App for Windows Infrastructure is returning all of the info I require.

Please consider this issue now resolved and thanks again for your assistance.


Runals
Motivator

If you were getting events at one point and you aren't now for the same search I'd guess someone changed the domain GPO and the system is no longer configured to generate the events. Ask someone to look for those specific logs on the DCs.

.... and then ask them when they are going to upgrade since Win2k3 is going EOL 😃
