Request gathering Event ID 4625 (failed logon) Case #61576
Hi LWL team,
I am requesting feature request that is from customer side require to effective monitoring end user experience monitoring.
There are irregular situation user logon failed and locked. End user report that they did not make logon failure. so System admin suspect there should be some process or application tried logon and would like to monitor logon failed event.
Below is description from case #61576
- The problem: Event ID 4625 (failed logon) is a Windows Security audit event. Windows marks it as "AuditFailure" — not as Error or Critical.
- The cause: The CID Event Type filter only has checkboxes for Critical, Error, Warning, and Information. There is no option for AuditFailure. So when the agent collects events, 4625 gets filtered out because its type doesn't match anything that's checked.
- Why 4740 works but 4625 doesn't: 4740 (account lockout) is also a Security audit event, but in this environment it's being generated on the Domain Controller where the agent is installed, and it happens to pass through. 4625 does not.
- The fix: There is no fix available through the current UI. The Event Type filter simply cannot express AuditFailure. This needs to be raised with engineering as a product gap.
-
Official comment
Hello Jay. The current Stratusphere version 6.7.0-5 should be able to collect Event ID 4625; see the following screenshots.
VM Local Event Viewer:

Connector ID setting:

Detailed Views -> Event Logs:

You already have a Support case for this this so please continue working with them to troubleshoot the issue and we'll escalate to development if needed. Thanks!
Please sign in to leave a comment.
Comments
1 comment