Not Logging Account Lockout (4740)

Elastic Stack Beats
1

I have winlogbeat installed on a few desktops and our primary domain controller with all of them pointing to a SecurityOnion server with ELK. If I clear event logs (1102) for example, the event quickly shows up in my Kibana dashboard. Account lockouts though (4740) on the domain or local user accounts do not show up at all, even though they are in my event viewer. Looking at logs in debug mode, I not see an entry in it for the event.

This is my configuration:
winlogbeat.event_logs:

  • name: Application
  • name: Security
  • name: System

I have also tried explicitly setting the event with this config:
winlogbeat.event_logs:

  • name: Application
  • name: Security
    event_id: 4740
  • name: System

This returns no events.

Any ideas? I am new to ELK and winlogbeat, so it may be something very obvious that I am missing. Any help would be appreciated.

2

Hello @Innove,

Can you add the windows version that you are running, I am asking that because the EventID might be different depending on the Window release?

Also can you try the following:

  • Remove registry file in data/
  • Restart again.

I am asking for a clear because maybe the lockout event is old end the saved pointer is after that that event.

3

@pierhugues ,

Thank you for the reply. There are two computers that I cannot get the event on: Windows Server 2016 and Windows 10 Pro. I have removed the registry file and rebooted, but I am getting the same problem.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.