What is Audit Failure in Event Viewer?

Audit Policy Categories

There are 9 audit policy categories and 50 audit policy subcategories in the Basic Audit Policy settings, which can be enabled or disabled accordingly. Audit policies generate events, which can be Success events, Failure events, or both. All audit policies will generate Success events; however, only a few of them will generate Failure events. Below is a list of the 9 audit policy categories;

1. Audit account logon events
2. Audit logon events
3. Audit account management
4. Audit directory service access
5. Audit object access
6. Audit policy change
7. Audit privilege use
8. Audit process tracking
9. Audit system events

As mentioned previously, audit failures usually relate to failed logon attempts, and the two most common events are; Kerberos pre-authentication failed and An account failed to log on, which are described in more detail below.

Event ID 4771 for Kerberos pre-authentication failed

This event is only generated on domain controllers and is not generated if the “Do not require Kerberos preauthentication” option is set for the account. According to Microsoft’s website, “this event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT)”, which might occur if “the domain controller doesn’t have a certificate installed for smart card authentication, the user’s password has expired, or the wrong password was provided”. For more information about how to resolve this problem checkout the security monitoring recommendations for Event ID 4771 on Microsoft’s website.

Event ID 4625 for An account failed to log on

This event is generated when an account logon attempt failed, assuming the user was already locked out. This event will be generated on the device that was used for the logon attempt, in addition to any other relevant domain controllers and member servers. For more information about how to resolve this problem checkout the security monitoring recommendations for Event ID 4625 on Microsoft’s website.

Use the Advanced Audit Policy Configuration

There are two types of audit policies that you can configure; The Basic Audit Policy and the Advanced Audit Policy, which you can find in Security Settings\Advanced Audit Policy Configuration. There are 53 Advanced Audit Policy categories, as opposed to the 9 categories provided with the Basic Audit Policy settings. As such, it is generally recommended that you use the Advanced Audit Policy settings as they allow you to define a more granular audit policy and log only the events that are relevant to you. This is particularly helpful if you find yourself generating a large number of logs.

Alternatives to using Event Viewer

It’s worth noting that there are a number of third-party failed logon auditing solutions that will aggregate and correlate event data from a wide-range of sources, including any cloud-based services you use.

If you need to collect and analyze data from firewalls, Intrusion Prevention Systems (IPS), devices, applications, switches, routers, servers, and so on, then you would probably be better off with a SIEM solution.

However, most organizations are more interested in keeping track of user behavior, especially if their employees are accessing the network from remote locations. In which case a UBA (User Behavior Analytics) solution would be a better choice

These solutions will display a summary of all important events surrounding your privileged user accounts and sensitive data, via a centralized dashboard, and deliver real-time alerts to your inbox or mobile app.

If you’d like to see how the Lepide Data Security Platform can give you a better way to audit events in your environment, schedule a demo with one of our engineers or start your free trial today.