Lockout Examiner invalid logon logs


#1 bmarohl


Posted 24 October 2017 - 10:15 PM

I was wondering if someone could help me figure out where LE is pulling logs from. 

 

I got this to try and help me figure out how / where various accounts are getting locked out from. I have numerous scripts for this scraping event logs across the environment and until recently I've always been able to find this data. So I was wondering if this could see something I didn't know to look for.

 

Sure enough, when examining one of these accounts it's finding all sorts of invalid logons in various locations, but I can't find any logs that show it.

 

Where exactly is LE actually pulling these logs from?

Attached file: LE.png (136.36KB)


#2 jeffb


Posted 25 October 2017 - 12:54 PM

Hello,

 

The lockout events themselves come from the domain controller specified in the lockout (event 4740). That event has a Caller Computer Name field, which identifies the computer from which the last invalid login that caused the lockout originated. When you do an examination in LE, the product combs through the event logs collected from that workstation and grabs all logon failures (event 4625). Hope that helps!

 

-Jeff
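
The lookup described in the reply above, sketched as an added example (not part of the original posts and not Lockout Examiner's own code). It parses Security events in the Windows event XML layout, takes the caller computer from each 4740, and lists that account's 4625 failures from the log collected on that machine. All events, host names and account names below are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, time, **data):
    """Build a constructed Security event in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample data: host names, account names and times are made up.
DC_LOG = [
    make_event(4740, "2017-10-24T21:58:03Z", TargetUserName="jdoe", TargetDomainName="WKS-042"),
    make_event(4740, "2017-10-24T22:01:40Z", TargetUserName="asmith", TargetDomainName="MAIL-GW"),
]
WORKSTATION_LOGS = {  # Security logs collected per machine; none from MAIL-GW
    "WKS-042": [
        make_event(4625, "2017-10-24T21:57:58Z", TargetUserName="jdoe", LogonType="3", IpAddress="10.0.0.15"),
        make_event(4624, "2017-10-24T21:40:00Z", TargetUserName="jdoe", LogonType="2", IpAddress="-"),
        make_event(4625, "2017-10-24T21:58:02Z", TargetUserName="JDoe", LogonType="3", IpAddress="10.0.0.15"),
        make_event(4625, "2017-10-24T21:30:00Z", TargetUserName="other", LogonType="3", IpAddress="10.0.0.9"),
    ],
}

def parse(xml_text):
    """Flatten one event into a dict of its EventData fields plus id and time."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    rec["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    rec["Time"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return rec

def examine(dc_log, workstation_logs):
    """For each lockout (4740), list the 4625 failures on the caller computer."""
    report = []
    for lockout in (e for e in map(parse, dc_log) if e["EventID"] == 4740):
        user = lockout["TargetUserName"]
        caller = lockout["TargetDomainName"]  # 4740 stores Caller Computer Name here
        collected = workstation_logs.get(caller)
        # failures stays None when no log was collected from the caller computer
        failures = None if collected is None else sorted(
            (f for f in map(parse, collected)
             if f["EventID"] == 4625 and f["TargetUserName"].lower() == user.lower()),
            key=lambda f: f["Time"])
        report.append({"user": user, "caller": caller, "failures": failures})
    return report
```

A `failures` value of `None` separates "no log was collected from that machine" from "log collected, no matching 4625", which is the distinction to check first when a lockout's source events cannot be found.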





