I'm trying to gather failed login/authentication events from DCs on a 2016 domain.
I can see 4625 Audit Failure events in the Security logs on the domain controllers when a user fails to log in at the logon screen.
When I try to run an application as another user and fail to log in correctly, I see the 4025 in the local (desktop) event log, but I can't find a corresponding event on any DC.
I've looked (but possibly missed!) for other event types/logs at the same time, but can't see anything that seems to correspond to the activity.
Can someone point me to how I collect this information centrally (from DCs)?
Best Answer
When a user fails to log in on a workstation or a server using domain credentials, this will usually trigger two types of events:
So in order to see your failed attempts on your DCs, enable success and failure Kerberos auditing capabilities on your DCs using a GPO. Some help can be found here. Then I can suggest you set up a Windows Event Collector server (source) to centralize all your events before forwarding them to your SIEM (ELK, Splunk, ArcSight, ...).
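As an added example (not part of the answer above, and not the answer author's code), the following PowerShell verifies that the Kerberos/credential-validation audit subcategories are actually enabled on each DC and then pulls the DC-side failure events for the last 24 hours. The event IDs (4771, 4768, 4776) and their field names are Microsoft's documented Security log IDs; the DC names are placeholders, and the script assumes the account running it can read the Security log on the DCs remotely (Event Log Readers or equivalent).

```powershell
# Added example, not from the original post. Assumes the auditing GPO from the
# answer is applied and that you have remote Security-log read access to the DCs.
$DomainControllers = 'DC01', 'DC02'          # placeholder names, replace with yours
$Since             = (Get-Date).AddHours(-24)

# 1. Check the effective audit policy on each DC before trusting an empty result.
#    These are the auditpol subcategory names on Windows Server 2016.
foreach ($dc in $DomainControllers) {
    Write-Host "== Audit policy on $dc =="
    Invoke-Command -ComputerName $dc -ScriptBlock {
        auditpol /get /subcategory:"Kerberos Authentication Service"
        auditpol /get /subcategory:"Credential Validation"
    }
}

# 2. DC-side event IDs for a failed use of domain credentials:
#      4771  Kerberos pre-authentication failed (bad password shows Status 0x18)
#      4768  TGT requested; Status other than 0x0 is a failure (0x6 = unknown user)
#      4776  NTLM credential validation; Status other than 0x0 is a failure
$Filter = @{ LogName = 'Security'; Id = 4771, 4768, 4776; StartTime = $Since }

$Failures = foreach ($dc in $DomainControllers) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML instead of parsing message text
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        $status = $data['Status']
        # 4771 is only ever logged on failure; 4768 and 4776 are logged on success too,
        # so drop the successful ones here.
        if ($_.Id -ne 4771 -and $status -eq '0x0') { return }

        [pscustomobject]@{
            DC      = $dc
            Time    = $_.TimeCreated
            EventId = $_.Id
            Account = $data['TargetUserName']
            # Kerberos events carry the client IP; NTLM validation carries the workstation name
            Source  = if ($_.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
            Status  = $status
        }
    }
}

# 3. Summaries: failures per account (lockout investigations) and the raw timeline.
$Failures | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$Failures | Sort-Object Time | Format-Table -AutoSize
```

The same IDs are what a Windows Event Collector subscription or SIEM rule should select from the DCs; a "Run as different user" attempt with a wrong password will show up as a 4771 (or a 4776 if the client fell back to NTLM) on whichever DC handled the request, which is why it does not appear as a 4625 there.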