
Windows Event ID 4625 - Failed Logon

Records failed authentication attempts to Windows systems, including the failure reason, source IP, logon type, and account information. Critical for detecting brute force attacks, password spraying, and credential stuffing.

Quick Facts

Default Path (Linux): N/A (Windows Event Forwarding to SIEM)
Default Format: Windows Event Log (EVTX)
JSON Native: No
Rotation: Windows Event Log settings (default 20MB)

Log Example

Default format: Windows Event Log Format

Example Log Entry:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/3/2026 10:15:32 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DC01.corp.local
Description:
An account failed to log on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       administrator
    Account Domain:     CORP

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC000006A

Process Information:
    Caller Process ID:  0x0
    Caller Process Name: -

Network Information:
    Workstation Name:   ATTACKER-PC
    Source Network Address: 192.168.1.50
    Source Port:        49152

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0

Structure:

XML-based binary format with structured EventData fields

Paths by Platform

Available Formats

Windows Event Log Format

Default

Example: identical to the entry shown under Log Example above.

Structure:

XML-based binary format with structured EventData fields

XML Format

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2026-01-03T10:15:32.123456789Z"/>
    <EventRecordID>123456</EventRecordID>
    <Computer>DC01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.168.1.50</Data>
    <Data Name="IpPort">49152</Data>
    <Data Name="WorkstationName">ATTACKER-PC</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
  </EventData>
</Event>

Structure:

Native XML representation of the event

JSON (Winlogbeat/NXLog)

Example:

{
  "event_id": 4625,
  "log_name": "Security",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "computer_name": "DC01.corp.local",
  "time_created": "2026-01-03T10:15:32.123Z",
  "event_data": {
    "TargetUserName": "administrator",
    "TargetDomainName": "CORP",
    "Status": "0xc000006d",
    "SubStatus": "0xc000006a",
    "LogonType": "3",
    "IpAddress": "192.168.1.50",
    "IpPort": "49152",
    "WorkstationName": "ATTACKER-PC",
    "AuthenticationPackageName": "NTLM",
    "FailureReason": "%%2313"
  }
}

Structure:

Structured JSON from log forwarders

Fields Reference

Field | Type | Description | Example
EventID | integer | Event identifier (always 4625 for failed logon) | 4625
TimeCreated | datetime | Timestamp when the failed logon attempt occurred | 2026-01-03T10:15:32.123Z
Computer | string | Computer name where the failed logon was attempted | DC01.corp.local
SubjectUserSid | string | SID of the account that reported the failure (usually S-1-0-0 for network logons) | S-1-0-0
SubjectUserName | string | Account name that reported the failure | -
SubjectDomainName | string | Domain of the subject account | -
SubjectLogonId | string | Logon ID of the subject session | 0x0
TargetUserSid | string | SID of the account that failed to log on | S-1-0-0
TargetUserName | string | Account name that failed to log on; critical for identifying targeted accounts | administrator
TargetDomainName | string | Domain of the account that failed to log on | CORP
Status | string | NTSTATUS code indicating the failure category | 0xC000006D
SubStatus | string | More specific NTSTATUS code providing additional failure details | 0xC000006A
FailureReason | string | Human-readable failure reason | Unknown user name or bad password.
LogonType | integer | Type of logon that was attempted | 3
IpAddress | ip | Source IP address of the failed logon attempt | 192.168.1.50
IpPort | integer | Source port of the failed logon attempt | 49152
WorkstationName | string | NetBIOS name of the source workstation | ATTACKER-PC
LogonProcessName | string | Name of the logon process | NtLmSsp
AuthenticationPackageName | string | Authentication package used for the logon attempt | NTLM
TransmittedServices | string | Services involved in S4U (Service for User) logon | -
LmPackageName | string | NTLM version used (for NTLM authentication) | NTLM V2
KeyLength | integer | Length of the session key (0 for failed logons) | 0
ProcessId | string | Process ID of the caller process | 0x0
ProcessName | string | Full path of the caller process | -

Parsing Patterns

Grok Patterns

xml:

<Data Name="TargetUserName">%{DATA:target_username}</Data>.*<Data Name="TargetDomainName">%{DATA:target_domain}</Data>.*<Data Name="Status">%{DATA:status}</Data>.*<Data Name="SubStatus">%{DATA:sub_status}</Data>.*<Data Name="LogonType">%{INT:logon_type}</Data>.*<Data Name="IpAddress">%{IP:src_ip}</Data>

Regular Expressions

xml:

TargetUserName">(?P<target_username>[^<]+)</Data>.*TargetDomainName">(?P<target_domain>[^<]+)</Data>.*Status">(?P<status>[^<]+)</Data>.*SubStatus">(?P<sub_status>[^<]+)</Data>.*LogonType">(?P<logon_type>\d+)</Data>.*IpAddress">(?P<src_ip>[^<]+)</Data>

Collector Configurations

Splunk:

# Splunk search for Event ID 4625
index=wineventlog EventCode=4625
| stats count by TargetUserName, IpAddress, Status, SubStatus
| sort -count

# Brute force detection (5+ failures from one source against one account in 5 minutes)
index=wineventlog EventCode=4625
| bin _time span=5m
| stats count by _time, IpAddress, TargetUserName
| where count >= 5

# Password spray detection (one source, bad password against many accounts in 10 minutes)
# 0xC000006A is a SubStatus value; the Status of these events is 0xC000006D
index=wineventlog EventCode=4625 SubStatus=0xC000006A
| bin _time span=10m
| stats dc(TargetUserName) as unique_users count by _time, IpAddress
| where unique_users > 10

# Failed logons by status code
index=wineventlog EventCode=4625
| lookup windows_status_codes.csv Status OUTPUT Description
| stats count by Status, Description
| sort -count

# props.conf for Windows Security Events
[WinEventLog:Security]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIME_PREFIX = TimeCreated SystemTime='
SHOULD_LINEMERGE = false
KV_MODE = xml
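As an added example (not part of this page's documentation or any vendor's code), the following Python script parses the native XML form shown above and applies the same bucketed brute-force and password-spray logic as the Splunk searches to constructed sample events; the NS, SUBSTATUS and TEMPLATE names, the thresholds and the sample data are assumptions made here.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS SubStatus values seen in 4625 (Status is usually 0xC000006D); compared lower-case
SUBSTATUS = {"0xc0000064": "user name does not exist", "0xc000006a": "bad password",
             "0xc0000234": "account locked out", "0xc0000072": "account disabled"}

def parse_4625(xml_text):
    """Pull the detection-relevant fields out of one 4625 event in native XML form."""
    root = ET.fromstring(xml_text)
    ts = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    sub = (data.get("SubStatus") or "").lower()
    return {"time": datetime.fromisoformat(ts[:19]).replace(tzinfo=timezone.utc),
            "user": data.get("TargetUserName"), "src_ip": data.get("IpAddress"),
            "status": (data.get("Status") or "").lower(), "sub_status": sub,
            "reason": SUBSTATUS.get(sub, "other")}

def detect(events, brute_span=300, brute_min=5, spray_span=600, spray_min=10):
    """Same logic as the Splunk searches: fixed buckets like `bin _time span=5m`; brute force =
    >= brute_min failures per (bucket, ip, user); spray = >= spray_min distinct users per
    (bucket, ip) with the bad-password SubStatus. Returns (kind, ip, user, count) tuples."""
    brute, spray = defaultdict(int), defaultdict(set)
    for ev in events:
        epoch = int(ev["time"].timestamp())
        brute[(epoch // brute_span, ev["src_ip"], ev["user"])] += 1
        if ev["sub_status"] == "0xc000006a":
            spray[(epoch // spray_span, ev["src_ip"])].add(ev["user"])
    alerts = [("brute_force", ip, u, n) for (_, ip, u), n in brute.items() if n >= brute_min]
    alerts += [("password_spray", ip, None, len(s)) for (_, ip), s in spray.items() if len(s) >= spray_min]
    return alerts

# Minimal 4625 XML template (constructed; carries only the fields the parser reads)
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            '<EventID>4625</EventID><TimeCreated SystemTime="{ts}"/><Computer>DC01.corp.local'
            '</Computer></System><EventData><Data Name="TargetUserName">{user}</Data>'
            '<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">{sub}</Data>'
            '<Data Name="LogonType">3</Data><Data Name="IpAddress">{ip}</Data></EventData></Event>')

def sample_events():
    """Constructed data: 6 bad passwords for administrator from one IP inside one 5-minute bucket,
    12 different accounts from a second IP inside one 10-minute bucket, and one harmless typo."""
    evs = [TEMPLATE.format(ts=f"2026-01-03T10:10:{i * 10:02d}.000Z", user="administrator",
                           sub="0xc000006a", ip="192.168.1.50") for i in range(6)]
    evs += [TEMPLATE.format(ts=f"2026-01-03T10:20:{i * 4:02d}.000Z", user=f"user{i:02d}",
                            sub="0xc000006a", ip="10.0.0.7") for i in range(12)]
    evs.append(TEMPLATE.format(ts="2026-01-03T10:31:00.000Z", user="jdoe", sub="0xc000006a", ip="10.0.0.9"))
    return evs
```

Running `detect([parse_4625(x) for x in sample_events()])` yields one brute-force alert for the first source and one password-spray alert for the second; the single failure from the third source stays below both thresholds.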

Configuration

Enable Logging

Enable auditing for failed logon attempts via Group Policy or auditpol

# Enable via auditpol (run as Administrator)
auditpol /set /subcategory:"Logon" /failure:enable

# Verify current settings
auditpol /get /subcategory:"Logon"

# Enable via Group Policy
# Computer Configuration > Windows Settings > Security Settings >
# Advanced Audit Policy Configuration > Logon/Logoff > Audit Logon
# Enable "Failure"

# Increase the Security log maximum size to 100 MB via PowerShell (registry value; takes effect after the Windows Event Log service restarts)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name "MaxSize" -Value 104857600

# Enable detailed authentication logging
auditpol /set /subcategory:"Credential Validation" /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable

Ensure Security log size is sufficient to retain events (minimum 100MB recommended for high-traffic systems)

Log To Syslog

Forward events to SIEM using Windows Event Forwarding or agents

# Windows Event Forwarding (WEF) subscription for 4625 events
# Create subscription XML file: 4625-subscription.xml

<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Failed-Logons-4625</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Collect all Event ID 4625 failed logon events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>

# Apply subscription
wecutil cs 4625-subscription.xml

# Verify subscription
wecutil gs Failed-Logons-4625

Use Cases

Failed logon monitoring dashboard

Real-time visibility into authentication failures across the environment

Fields: TimeCreated, Computer, TargetUserName, IpAddress, Status
Query: EventID=4625 | timechart count by Computer

Account lockout tracking

Monitor accounts being locked out due to failed attempts

Fields: TargetUserName, Status, IpAddress
Query: EventID=4625 AND Status=0xC0000234 | stats count by TargetUserName, IpAddress

Service account health

Identify service accounts with authentication issues

Fields: TargetUserName, LogonType, Status
Query: EventID=4625 AND LogonType IN (4, 5) | stats count by TargetUserName

Troubleshooting

Tested On

Windows Server 2022 (admin, 2026-01-03)
Windows Server 2019 (admin, 2026-01-03)
Windows 11 23H2 (admin, 2026-01-03)
Windows 10 22H2 (admin, 2026-01-03)

Last updated: 2026-01-03 by admin
