tameshia / Identify-Failed-Logon-Attempts-on-Windows-Systems

Identify Failed Logon Attempts on Windows Systems

Languages and Utilities Used

  • pending

Environments Used

  • Windows Server 2019

Lab Description

pending

Directions


From the taskbar, click the Windows Start icon, then click the Event Viewer button.

event viewer


From the left pane, navigate to Event Viewer > Windows Logs > Security to open the Security log in the center pane. The top of the security pane lists the total number of failed and successful logon attempts.

navigation


On the far right, you will see the Actions pane. Click Filter Current Log to open its dialog box.

filter log


Locate the dialog box and type 4625. A failed logon attempt is given the Event ID 4625. A complete list of Event IDs can be found here. Click OK to apply the filter.

log4625


The center of the Event Viewer pane will display all failed logon attempts. If there is an unusually high number of logon attempts within a short period of time, this may suggest an attempted brute force attack. As a general rule of thumb, five or more failed logon attempts per account should be investigated.

Double-click a failed logon attempt to display the Event Properties dialog box. It shows the time, date, failure reason, and information about the computer that attempted the logon. Pertinent information from this dialog box can be used to investigate the event further. You can see which username the logon attempt targeted (TargetUserName), the IP address where the logon attempt originated, the port used, and the process that initiated the event.
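The same review can be scripted instead of clicked through. The PowerShell below is an added example, not part of the original lab: it reads the fields named above from each 4625 event's XML, counts failures per account, and marks accounts at or above the five-attempt rule of thumb. The function name `Get-FailedLogonSummary`, its parameters, and the sample events are hypothetical and constructed for illustration.

```powershell
# Added example: summarize failed logons (Event ID 4625) per targeted account.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,  # one XML string per 4625 event
        [int] $Threshold = 5                          # rule of thumb from the lab text
    )
    $rows = foreach ($x in $EventXml) {
        $e = ([xml]$x).Event
        # Flatten <Data Name="...">value</Data> elements into a lookup table.
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time           = [datetime]$e.System.TimeCreated.SystemTime
            TargetUserName = $d['TargetUserName']
            IpAddress      = $d['IpAddress']
        }
    }
    $rows | Group-Object TargetUserName | ForEach-Object {
        $span = $_.Group | Measure-Object Time -Minimum -Maximum
        [pscustomobject]@{
            Account     = $_.Name
            Failures    = $_.Count
            First       = $span.Minimum   # First/Last show how tightly the
            Last        = $span.Maximum   # attempts are clustered in time
            Sources     = ($_.Group.IpAddress | Sort-Object -Unique) -join ','
            Investigate = $_.Count -ge $Threshold
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample events (not real log data), trimmed to the fields used here.
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
       '<System><EventID>4625</EventID>' +
       '<TimeCreated SystemTime="2024-01-01T10:00:{0:d2}Z"/></System>' +
       '<EventData><Data Name="TargetUserName">{1}</Data>' +
       '<Data Name="IpAddress">{2}</Data></EventData></Event>'
$sample  = @(0..5 | ForEach-Object { $tpl -f $_, 'administrator', '203.0.113.10' })
$sample += $tpl -f 30, 'alice', '198.51.100.7'

Get-FailedLogonSummary -EventXml $sample | Format-Table -AutoSize

# Against the live Security log (requires an elevated prompt):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#        ForEach-Object ToXml
# Get-FailedLogonSummary -EventXml $xml
```

With the constructed sample, `administrator` shows six failures from one source within six seconds and is marked for investigation, while `alice` has a single failure and is not.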
