Splunk Event Code 4771, This event is generated when the Key Distrib

Splunk Event Code 4771, This event is generated when the Key Distribution Center fails to issue a

Event 4771 is generated when Kerberos pre-authentication fails on a domain controller, typically indicating invalid username, incorrect password, or disabled account login attempts.

In this post, I will talk about which Windows events should be ingested into a Splunk instance, and also how we can filter out unimportant or unnecessary events to save up our

I'm troubleshooting the Windows infrastructure app and want to verify I'm getting all of the events I need to get.

It does attempt around 9 times.

In more straightforward terms, it indicates that a client (usually a user or service)

I have noticed that it is a DC in the domain attempting to authenticate to the PDC every hour at a specific time and failing with 4771.

I'm trying to figure out how to a) search for an event and then b) search for different events that happened before/after the

I want to capture Windows Event Logs EventCode 4673 when it happens once for each user over a period of one hour.

The event is not generated if the “Do not require Kerberos pre-authentication” option is set

Hi, can you please help me find out the reason for the following issue? I am getting many Audit Failure readings a day for the domain admin account. Thanks!

I want to add other failure event codes, as some account lockouts are occurring.

When the ticket-granting ticket (TGT) fails, event ID 4771 (Kerberos pre-authentication failed) is logged.

You can save a search as an event type and quickly retrieve those events

If an account gets locked out, the next event would be either a failed logon (EventCode 4625) or a Kerberos pre-authentication failed (4771) event for that particular account.

Copyright © 2020