
Report on failed login attempts using Splunk Light
This example uses Windows Security event log (authentication) data with source type winauthentication_security. The search monitors users of a fictitious online company, called Buttercup Games, who have multiple login failures over the past 24 hours.
The data contains Windows Event Codes, such as:
- 540 Successful Network Logon (legacy code, pre-Windows Vista / Server 2008)
- 4624 An account was successfully logged on
- 4625 An account failed to log on
- 4634 An account was logged off
Note that 4625 covers every logon type and every failure reason. Hosts still running pre-Vista Windows log failures under legacy codes such as 529 (Logon Failure: Unknown user name or bad password) instead of 4625, so if your index contains events from both generations, include the legacy code in your search as well or the report will miss those failures.
To search for failures, you can specify the Event Code (set the time range picker to the last 24 hours to match the scenario above):
sourcetype=winauthentication_security EventCode=4625
You can search for the top failed logins based on the User:
sourcetype=winauthentication_security EventCode=4625 | top User
By default, the top command returns the 10 most frequent values, each with a count and a percentage of all matching events. You can change this limit. Or, you can use the stats command to see all users with failed login attempts:
sourcetype=winauthentication_security EventCode=4625 | stats count by User
In this search, stats counts the number of failed login attempts by User. Then, you can use the where command to show only the Users who attempted and failed more than once:
sourcetype=winauthentication_security EventCode=4625 | stats count by User | where count > 1
If there are users you want to exclude, filter them out in the base search rather than after stats, so fewer events are aggregated. For example, you may not want to include User=Administrator in this report. Be deliberate about such exclusions: built-in administrative accounts are common targets for password guessing, so an excluded account should be covered by a separate report rather than silently dropped.
sourcetype=winauthentication_security EventCode=4625 User!=Administrator | stats count by User | where count > 1
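To make the behaviour of the searches above concrete without a Splunk instance, here is an added Python reference implementation of the same pipeline (filter on the failure code, count by User, apply the threshold, exclude users in the base search) run over a constructed set of events. It is not Splunk code and not part of the original page; the event dicts, the fixed NOW timestamp, and the function names top_users and repeat_failures are assumptions made for the example. It goes slightly beyond the page by letting you include the legacy failure code 529 alongside 4625, which shows what the 4625-only search misses on older hosts.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 24-hour window is reproducible (assumed for the example).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
DAY = timedelta(hours=24)


def _at(hours_ago):
    return NOW - timedelta(hours=hours_ago)


# Constructed sample events (not real log data). Each dict carries the fields
# the page's searches rely on: _time, EventCode and the extracted User.
SAMPLE_EVENTS = [
    {"_time": _at(1),  "EventCode": 4625, "User": "alice"},
    {"_time": _at(2),  "EventCode": 4625, "User": "alice"},
    {"_time": _at(3),  "EventCode": 4625, "User": "alice"},
    {"_time": _at(1),  "EventCode": 4624, "User": "alice"},   # success: not a failure
    {"_time": _at(4),  "EventCode": 4625, "User": "bob"},     # one failure only
    {"_time": _at(2),  "EventCode": 4634, "User": "bob"},     # logoff: not a failure
    {"_time": _at(5),  "EventCode": 4625, "User": "Administrator"},
    {"_time": _at(6),  "EventCode": 4625, "User": "Administrator"},
    {"_time": _at(2),  "EventCode": 4625, "User": "carol"},
    {"_time": _at(30), "EventCode": 4625, "User": "carol"},   # older than 24h: out of window
    {"_time": _at(8),  "EventCode": 529,  "User": "dave"},    # legacy pre-Vista failure code
    {"_time": _at(9),  "EventCode": 529,  "User": "dave"},
    {"_time": _at(7),  "EventCode": 4625},                    # no User field extracted
]


def _failed_users(events, failure_codes, now=NOW, window=DAY):
    """Yield the User of every failure event inside the time window.

    Events without a User field are skipped, which is what `stats count by User`
    does with them in Splunk: an event missing the group-by field is dropped.
    """
    start = now - window
    for ev in events:
        if start <= ev["_time"] <= now and ev["EventCode"] in failure_codes:
            user = ev.get("User")
            if user is not None:
                yield user


def top_users(events, limit=10, failure_codes=(4625,), now=NOW, window=DAY):
    """Mirror of `EventCode=4625 | top User`.

    Returns (user, count, percent) rows, most frequent first, capped at `limit`
    (10 by default, like top). percent is the share of all matching events.
    """
    counts = Counter(_failed_users(events, failure_codes, now, window))
    total = sum(counts.values())
    if total == 0:
        return []
    rows = sorted(counts.items(), key=lambda uc: (-uc[1], uc[0]))[:limit]
    return [(user, n, round(100.0 * n / total, 2)) for user, n in rows]


def repeat_failures(events, threshold=1, exclude=("Administrator",),
                    failure_codes=(4625,), now=NOW, window=DAY):
    """Mirror of the page's final search:

        EventCode=4625 User!=Administrator | stats count by User | where count > 1

    `threshold` is the value in `where count > threshold`; `exclude` lists the
    users dropped in the base search. Pass failure_codes=(4625, 529) to also
    count failures logged by hosts still using the legacy event IDs.
    """
    counts = Counter(user for user in _failed_users(events, failure_codes, now, window)
                     if user not in exclude)
    return sorted(((user, n) for user, n in counts.items() if n > threshold),
                  key=lambda uc: (-uc[1], uc[0]))


if __name__ == "__main__":
    print("top User:", top_users(SAMPLE_EVENTS))
    print("repeat failures (4625 only):", repeat_failures(SAMPLE_EVENTS))
    print("repeat failures (4625 + legacy 529):",
          repeat_failures(SAMPLE_EVENTS, failure_codes=(4625, 529)))
```

With the sample data, the 4625-only report returns only alice; adding the legacy code 529 also surfaces dave, whose two failures came from an older host. The event with no extracted User never reaches the counts, exactly as it would fall out of `stats count by User` in Splunk, so check your field extractions before trusting the report's coverage.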
This documentation applies to the following versions of Splunk® Light (Legacy): 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6