I am getting WinEventLog:System logs however, I am particularly not getting any logs for User Account locked out. The event code is 4740.
I have verified from the AD server that these logs were already generated and all inputs in the inputs.conf on the AD and Windows add-on of the U.F of the AD server are enabled.
I viewed the below stanza, but it doesnt looks like its causing any issue,
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false
Can someone please guide how I can troubleshoot this issue ?
Is the lockout event actually in the event log on the source host?
If it is, next action is to make sure the Splunk forwarder on the Source host has the the input stanza and that there are no conflicts among possibly conflicting instances of inputs.conf.
$SplunkHome$\bin\splunk cmd btool inputs list WinEventLog://Security --debug
If the input is defined and there are no conflicting whitelist or blacklist entries inherited, next action would be to make sure you are not dropping events at the receiving tier (props/transforms).