Re: Why I am not getting any user locked out logs ...

damode · ‎08-02-2018

I am getting WinEventLog:System logs however, I am particularly not getting any logs for User Account locked out. The event code is 4740.

I have verified from the AD server that these logs were already generated and all inputs in the inputs.conf on the AD and Windows add-on of the U.F of the AD server are enabled.

I viewed the below stanza, but it doesnt looks like its causing any issue,

    [WinEventLog://Security]
    disabled = 0
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
    blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
    index = wineventlog
    renderXml=false

Can someone please guide how I can troubleshoot this issue ?

dstaulcu · ‎08-03-2018

Is the lockout event actually in the event log on the source host?

If it is, next action is to make sure the Splunk forwarder on the Source host has the the input stanza and that there are no conflicts among possibly conflicting instances of inputs.conf.

$SplunkHome$\bin\splunk cmd btool inputs list WinEventLog://Security --debug

If the input is defined and there are no conflicting whitelist or blacklist entries inherited, next action would be to make sure you are not dropping events at the receiving tier (props/transforms).

Why I am not getting any user locked out logs Eventcode =4740 from Windows AD Server ?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases