Not Logging Account Lockout (4740)

Innove · June 29, 2018, 6:28pm

I have winlogbeat installed on a few desktops and our primary domain controller with all of them pointing to a SecurityOnion server with ELK. If I clear event logs (1102) for example, the event quickly shows up in my Kibana dashboard. Account lockouts though (4740) on the domain or local user accounts do not show up at all, even though they are in my event viewer. Looking at logs in debug mode, I not see an entry in it for the event.

This is my configuration:
winlogbeat.event_logs:

name: Application
name: Security
name: System

I have also tried explicitly setting the event with this config:
winlogbeat.event_logs:

name: Application
name: Security
event_id: 4740
name: System

This returns no events.

Any ideas? I am new to ELK and winlogbeat, so it may be something very obvious that I am missing. Any help would be appreciated.

pierhugues · June 29, 2018, 8:06pm

Hello @Innove,

Can you add the windows version that you are running, I am asking that because the EventID might be different depending on the Window release?

Also can you try the following:

Remove registry file in data/
Restart again.

I am asking for a clear because maybe the lockout event is old end the saved pointer is after that that event.

Innove · July 2, 2018, 1:46pm

@pierhugues ,

Thank you for the reply. There are two computers that I cannot get the event on: Windows Server 2016 and Windows 10 Pro. I have removed the registry file and rebooted, but I am getting the same problem.

system · July 30, 2018, 1:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.