Domain - Failed Login attempt notification?

Paperlantern

Platinum Member
Apr 26, 2003
2,239
6
81
I'm looking at splunk right now, however it seems almost TOO robust. Really all I want is a way to be notified if someone tries to access important accounts on the domain and fails. I realize that if anyone just mistypes the password you'll get an alert as well, but some alert is better than no alert, especially if you get a pile of them, then you know it might be a hack attempt.

An issue I am also running into is how to get the damn domain machines to log failures anyway, they just don't seem to want to. I have a small OU of computers that I am applying a test GP to, but they just don't seem to want to report anything but successes in the logs. Splunk relies on the logs in order to create its alerts, so suffice it to say, Splunk has been an utter failure as of late. But mostly because I can't get the logging in WINDOWS to work. I'm sure it's just something I'm not doing right, or that I'm missing.

Another thing I don't understand is why HIGHER level policies override lower ones. If I understand this correctly, say I set the DEFAULT DOMAIN POLICY, the highest level policy, to NOT log... and then set an OU of machines a little farther in to log both successes and failures... the OU will still follow default?

Additionally, I believe our default domain policy is that all machines log successes and failures, yet all I see are successes on EVERY machine I look at on the domain. What gives?

*facepalm*
 

Paperlantern

Well, scratch that, maybe not. The logging is working on the local machine, but those logs aren't being reported to the domain controller. Is there a way to do this? It seems it's only picking up an event when that actual domain controller has a failed login attempt. If I log into the domain controller itself, it gets the failure of course, otherwise, nothing.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
If it's Win7 or the server is Win2k8 can you use eventlog forwarding or subscriptions depending on whether you want push or pull?
 

Paperlantern

We are a mixed environment, running mostly XP, however not deploying any more XP machines, so there are roughly 40 or 50 Win7 boxes. But not enough to cover the entire floor of course. It may be worth implementing this though for future use, but even as it stands, the domain controller is still 2003 as well, further crippling this as a possibility.

I just don't understand why a domain controller doesn't log the failure... the client is authenticating AGAINST the DC, why wouldn't the event be on the DC, not the local client?
 

Nothinman

We are a mixed environment, running mostly XP, however not deploying any more XP machines, so there are roughly 40 or 50 Win7 boxes. But not enough to cover the entire floor of course. It may be worth implementing this though for future use, but even as it stands, the domain controller is still 2003 as well, further crippling this as a possibility.

I just don't understand why a domain controller doesn't log the failure... the client is authenticating AGAINST the DC, why wouldn't the event be on the DC, not the local client?

Is the file they're accessing on the DC as well? I would imagine that file server could log them as well, but the DC has no idea the file access was even attempted because once the client gets its Kerberos ticket the DC is out of the picture.
 

Paperlantern

Naw, no file access. Just logon event. I'm trying to capture when there is a logon failure so I can create an alert that will notify the IT team if there are excessive attempts on any account, specifically "administrator".
 

Nothinman

Naw, no file access. Just logon event. I'm trying to capture when there is a logon failure so I can create an alert that will notify the IT team if there are excessive attempts on any account, specifically "administrator".

Oh, I saw "Really all I want is a way to be notified if someone tries to access important accounts on the domain and fails." and thought that's the eventlog messages that you couldn't find.

Do you have more than 1 DC? If so, check the LOGONSERVER variable and make sure they're authenticating against the one that you're looking at. If that's all good, use gpresult to make sure your GPO is actually applying.
 

Paperlantern

Well, after much wailing, gnashing of teeth, and banging of heads on desks, we are still in the same position. GPs are applying, we have all DCs forwarding to the Splunk box, but still, Failure Audits ONLY log to the local machine, NOT on the domain controller. Is there a way to have failed logon attempts come into a central location so Splunk can have it forwarded to it? I can't have a forwarder on EVERY box on the network, that's a little ridiculous.
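An added example of the DC-side check the thread is after, not code from any poster: assuming "Audit account logon events" failure auditing is enabled on the DCs, a bad domain password is recorded on the DC as a Kerberos pre-authentication failure (675 on 2003, 4771 on 2008+) or an NTLM failure (680 / 4776) rather than the 529 / 4625 logon failure the client logs, and this script polls those events across the DCs and mails the team when an account exceeds a threshold. DC names, SMTP host, addresses, threshold and window are placeholders; the ReplacementStrings indices are taken from the published event templates and should be verified on your own DCs.

```powershell
# Added example (not from the thread): poll each DC's Security log for failed
# logon audits and e-mail the team when an account trips the threshold.
# Event IDs covered: 529/675/680 (Windows 2003) and 4625/4771/4776 (2008+).
# Placeholders to adjust: DC names, SMTP host, mail addresses, threshold, window.
$DomainControllers = 'DC1', 'DC2'
$WindowMinutes     = 15
$Threshold         = 5                      # failures per account per window
$WatchedAccounts   = 'administrator'        # any failure at all is reported
$SmtpServer        = 'smtp.example.invalid'
$MailTo            = 'it-team@example.invalid'
$MailFrom          = 'auditwatch@example.invalid'

# Position of the target account in ReplacementStrings for each event ID
# (assumed from the event templates; confirm against a real event on your DCs).
$AccountIndex = @{ 529 = 0; 675 = 0; 680 = 1; 4625 = 5; 4771 = 0; 4776 = 1 }
$Since = (Get-Date).AddMinutes(-$WindowMinutes)

# Collect one record per failure from every DC, since clients may pick any DC.
$failures = foreach ($dc in $DomainControllers) {
    Get-EventLog -LogName Security -ComputerName $dc -EntryType FailureAudit -After $Since |
        Where-Object { $AccountIndex.ContainsKey($_.EventID) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account = ([string]$_.ReplacementStrings[$AccountIndex[$_.EventID]]).ToLower()
                EventId = $_.EventID
                Dc      = $dc
                Time    = $_.TimeGenerated
            }
        }
}

# One summary line per account that exceeded the threshold or is on the watch list.
$alerts = $failures | Group-Object Account | Where-Object {
    $_.Count -ge $Threshold -or $WatchedAccounts -contains $_.Name
} | ForEach-Object {
    $ids = ($_.Group | Select-Object -ExpandProperty EventId | Sort-Object -Unique) -join ','
    $dcs = ($_.Group | Select-Object -ExpandProperty Dc | Sort-Object -Unique) -join ','
    "{0}: {1} failures in {2} min (event IDs {3}; seen on {4})" -f $_.Name, $_.Count, $WindowMinutes, $ids, $dcs
}

if ($alerts) {
    Send-MailMessage -SmtpServer $SmtpServer -To $MailTo -From $MailFrom `
        -Subject ("Failed logon alert: {0} account(s)" -f @($alerts).Count) `
        -Body ($alerts -join "`n")
}
$alerts   # also echoed to the console when run by hand
```

Run it from a scheduled task every $WindowMinutes minutes under an account that can read the DCs' Security logs; a mistyped password on its own stays under the threshold, while a burst against one account, or any failure on "administrator", produces a message.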