Sidecar event ID 4740 (Account locked out) is not forwarded to Graylog

1. Describe your incident:
Hi,
I just realized that our AD servers don't forward 4740 events to Graylog. As far as I can see, (all?) other events are forwarded properly.
To rule out an improper config I simplified the beats config, yet without success.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["172.17.2.199:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
    - name: DFS Replication
    - name: Directory Service
    - name: DNS Server

2. Describe your environment:
Graylog 4.3.6
Ubuntu LTS 18

4. How can the community help?
What could cause this?
Is this a known issue?
Is there a known workaround?

Hello,
Depends on the DC. Ensure you have audit logging enabled on those DCs. I would show you a picture of a Windows domain controller and how to enable that, but I'm boarding an airplane.

Audit logging is already enabled and the events are visible in the Windows Event Log, but some events (e.g. account lockout) are not submitted to Graylog; others, like group membership changes, are.

However, I discovered an outdated/incompatible sidecar installation on the domain controllers (v1.0.2). Maybe that's the issue. I'll upgrade it to 1.2.0 and post an update afterwards.

I have Sidecar 1.1.0 running on our DC and I am receiving EventID 4740 (currently working on building a script to warn users of lockouts). Double-check any extractors or pipelines you have attached to the incoming messages: could they be changed or dropped? Did the newer version of Sidecar help?

So, it has been the sidecar version. After uninstalling 1.0.2, rebooting, and installing 1.2.0 on the DCs, event ID 4740 is forwarded to Graylog again.

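The two checks this thread ends up needing, confirming that the DC itself writes 4740 to the Security log and confirming which sidecar/winlogbeat build is actually installed, as an added PowerShell diagnostic that is not part of the original thread. It assumes it is run elevated on the DC and that the sidecar lives under the default path used in the config above; the binary names and the registry-free version lookup are assumptions, not taken from the thread.

```powershell
# Added diagnostic, not from the thread. Assumes: run as Administrator on the DC,
# sidecar installed under $SidecarRoot (default path from the config in the thread).
param(
    [int]$Hours = 24,
    [string]$SidecarRoot = 'C:\Program Files\Graylog\sidecar'
)

# 1. Is the DC generating 4740 at all? If nothing comes back, the gap is audit
#    policy (User Account Management), not the forwarding path.
$since = (Get-Date).AddHours(-$Hours)
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
    -ErrorAction SilentlyContinue

if (-not $lockouts) {
    Write-Warning "No 4740 events in the last $Hours h. Check: auditpol /get /subcategory:'User Account Management'"
} else {
    # In 4740, TargetUserName is the locked account and TargetDomainName carries
    # the caller computer name (the host the bad passwords came from).
    $lockouts | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = $data['TargetUserName']
            CallerPC = $data['TargetDomainName']
            RecordId = $_.RecordId   # compare against what reaches Graylog
        }
    } | Format-Table -AutoSize
}

# 2. Which sidecar and winlogbeat builds are really on this DC? The thread's root
#    cause was a stale 1.0.2 sidecar, so print the file versions rather than trusting memory.
foreach ($exe in @("$SidecarRoot\graylog-sidecar.exe", "$SidecarRoot\winlogbeat.exe")) {
    if (Test-Path $exe) {
        $ver = (Get-Item $exe).VersionInfo.ProductVersion
        '{0}: {1}' -f (Split-Path $exe -Leaf), $ver
    } else {
        '{0}: not found (assumed default path; adjust $SidecarRoot)' -f $exe
    }
}
```

If step 1 lists lockouts that never appear in Graylog, the RecordId column gives you a concrete value to search for on the Graylog side before blaming extractors or pipelines.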
