Oliver843 Honored Contributor.

Windows Event 4625 - Missing Information


Hello,

The Windows event 4625 (An account failed to log on) is missing an important field in ArcSight.

This event is generated when a user holds down Shift and right-clicks a program to run it as a different user, and enters an incorrect username or password.

The Windows event as seen in Event Viewer has the information below under the Subject heading:

Subject:

  • Security ID: Domain\Username
  • Account Name: Username

This information relates to the user who is logged on at the time.

Under the heading Account For Which Logon Failed:

  • Security ID: NULL SID
  • Account Name: Username (entered into the Windows logon box when attempting to run as a different user)
  • Account Domain: Domain

The first username, that of the logged-in user (i.e. the subject username), is missing from the event in ArcSight.

The connector is version 7.7.0.8044 and the parser is version 7.7.5.8060. This is a WiNC connector.

Can someone please tell me if they can see this information, and how I may go about capturing/parsing this into ArcSight? It seems a little odd that this information would not be included.

Regards

Oliver
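An added example (not from the original thread, and not ArcSight or WiNC code) that shows where the two usernames live in the raw 4625 event: the Subject fields (SubjectUserName / SubjectUserSid) carry the logged-on user, while the "Account For Which Logon Failed" fields are TargetUserName / TargetUserSid. The parser below reads the event XML as exported by Event Viewer and reports whether the subject user is actually present at the source, which is the check the answers below recommend before trying to map the field. The event content is constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample 4625 event: a logged-on user (alice) ran a program as a
# different user and typed a wrong password. Values are placeholders.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7ab</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">svc_backup</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">WS01</Data>
  </EventData>
</Event>"""

# Common 4625 SubStatus codes; anything else is reported as the raw code.
SUBSTATUS = {"0xc000006a": "bad password", "0xc0000064": "unknown user name"}
NULL_SID = "S-1-0-0"  # the "NULL SID" shown in Event Viewer


def parse_4625(xml_text: str) -> dict:
    """Extract subject (logged-on) and target (failed) accounts from a 4625 event."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4625":
        raise ValueError(f"not a 4625 event: {event_id}")
    # EventData is a flat list of <Data Name="..."> elements.
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    subj_name, subj_sid = data.get("SubjectUserName", ""), data.get("SubjectUserSid", "")
    # A network logon failure has no subject: name "-" and the NULL SID.
    subject_present = subj_name not in ("", "-") and subj_sid != NULL_SID
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "subject_user": f"{data.get('SubjectDomainName', '')}\\{subj_name}" if subject_present else None,
        "subject_present": subject_present,
        "target_user": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        "logon_type": data.get("LogonType"),
        "reason": SUBSTATUS.get(data.get("SubStatus", "").lower(), data.get("SubStatus")),
    }
```

If `subject_present` is False on the raw event, the field was never emitted by the source and no parser mapping can recover it; if it is True but the ArcSight event lacks it, the mapping is the place to look.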

Marijo Mandic Acclaimed Contributor.

Re: Windows Event 4625 - Missing Information


Hello,

1) Enable the RAW event on the SmartConnector ESM destination. Then check on ESM, in the RAW event column, whether you have information that is not mapped anywhere.
2) If you have this information, you could try the following procedure to map the data:
https://community.softwaregrp.com/t5/Share-Documentation/How-to-Map-Additional-Data-from-Windows-Events-pdf/ta-p/1585389

Regards,

Marijo

Oliver843 Honored Contributor.

Re: Windows Event 4625 - Missing Information


Hello Marijo,

Many thanks for your reply.

I did see that article, and I was hoping you'd get in touch.

I should have explained a bit more about our infrastructure:

Connectors send events to Logger -> Logger forwards events -> ESM has one connector installed receiving events from Logger.

Steps I have taken since the original post:

  • Raw events enabled on the connector level
  • Raw events enabled on ESM connector
  • I can see the Raw event in the ESM with the field i need

My questions are:

  • Is there any downside to enabling RAW events permanently (higher toll on the connector, more space taken by the ESM)?
  • Can I disable RAW events after I have mapped the event? I am assuming no, as the mapping is taking place ESM side.

Thanks again for your help Marijo

Oliver

Marijo Mandic Acclaimed Contributor.

Re: Windows Event 4625 - Missing Information


Hello,

1) I just noted to enable the "RAW" event temporarily, to see if the event contains the data that you need. If, for example, there is no such data, then very likely nothing can be done by the parser, because the information was not picked up by the SmartConnector. Please disable the "RAW" event on the SmartConnector, as it is not needed permanently.

2) Try with this "additional data" procedure and see if you can map the info to where you need it. The "RAW" event does not need to be enabled for this to work.

3) When you do "mapping on ESM" via the "additional data" procedure, what happens in the background is that ESM sends a file with the mapping to this specific SmartConnector, and it is applied at the source (SmartConnector).

4) If you are not able to map this using the "additional data" procedure, let me know by updating here with the following information:
a) the complete RAW event as you see it in the ESM Active Channel (you can change the values to sanitize the logs)
b) which exact information from the RAW event you need
c) the WiNC framework and monthly parser versions

Note: Based upon the above info I could check in more detail whether something is easily doable.

Regards,

Marijo

Oliver843 Honored Contributor.

Re: Windows Event 4625 - Missing Information


Hello Marijo,

Thanks for your help.

I followed your instructions and have mapped the information I need.

I have also disabled the raw events, and the event is still being shown as needed.

Cheers for the support

Marijo Mandic Acclaimed Contributor.

Re: Windows Event 4625 - Missing Information


Glad to hear that, you are welcome 🙂
