All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Spotty results for "Failed Logon Activity" under "Security->Audit->User Audit"

phoferer
Engager
‎10-23-2012 10:18 PM

I had been running the Splunk App for Active Directory version 1.1.3 on our Windows Server 2008 SP2 for a couple of weeks and noticed that when I would run the "Security->User Logon Failures" screen the "Failed Logons by Username" would show several logon failures for various users as expected which is very useful information.

The issue I discovered was when I click one of the offending users the "User Audit" page often would show the "No results found. Inspect ..." Following the link, I would get to the "Search job inspector" page showing the search string used to find the data:

eventtype=msad-failed-user-logons dest_nt_domain="MYDOMAIN" user="myuser"

When I would paste this string into the search page I would indeed get no search results, but if I remove the "dest_nt_domain=MYDOMAIN" string I would get back the expected results. Checking the results I would not find a dest_nt_domain, but instead I would find a dest_nt_host instead with one of my domain controllers.

Now I believe this is kind behavior is spotty because if I fail from a Windows System I think I can get the correct response. Yesterday, I upgraded my Splunk App for Active Directory to version 1.1.4 to see if I experienced a behavioral change, but it still exhibits the same issue. I wonder if there is a way to somehow omit the dest_nt_domain from the initial search string and get uniform behavior for all of our failed logon attempts.

Reply

ragingwire
Path Finder
‎01-15-2013 09:20 AM

I'm seeing the same problem. If you remove "dest_nt_domain" or switch it with "src_nt_domain" it works.

I've opened a ticket with splunk.

Reply

scottmanderson
Engager
‎03-05-2013 02:26 PM

Any resolution to that ticket? I am trying to resolve the same issue

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...