1 Reply Latest reply on Mar 21, 2017 2:46 PM by jhynds

    File Share Audit Failures?

    JustinY

      We are trying to find all SMB logon failures, but they do not seem to be showing up in "ObjectAuditFailure" for some reason. We can see a lot of 5140 Audit Failures in our logs but cannot find them in LEM. Are we missing something?

      Log Name:      Security
      Source:        Microsoft-Windows-Security-Auditing
      Date:          3/14/2017 11:06:36 AM
      Event ID:      5140
      Task Category: File Share
      Level:         Information
      Keywords:      Audit Failure

        • Re: File Share Audit Failures?
          jhynds

          Hi Justin,

          The Windows Security connector does capture the 5140 event ID; however, these events are not mapped to the ObjectAuditFailure event name. Could you please raise a support ticket and provide them with a log sample? We can adjust the connector to correct the mapping for you.

          Jamie