I tried the code below but I get all the events with expire date "" .
Actually, I am only looking for the user/users who already had an expire date set but whose "Account_Expire" field just changed to never in AD.
What am I missing?
EventCode=4738 Account_Expires = "<never>"
Is this your search or only a part of it?
If it's the full search, try to add
index=wineventlog (or the index you're using for these logs), because probably this index isn't in your default search path.
If you continue to have no results, you can debug your search by cutting the second condition and checking whether the field
Account_Expires is present and whether it has the value you searched for.
If instead you don't have events with
EventCode=4738, check on your Domain Controller whether auditing is enabled.
I guess I wasn't able to make my question clear.
This is my search and I am getting the results. However, what I need is to limit those results to only the users whose "Account_Expires" field has just changed from a certain date to "never". For example:
In my search, if the "Account_Expires" field for a user 'A' was initially "10/01/2019" and just changed to "never" in AD, I want to see that user 'A' in my search results so I can set an alert accordingly.
If the events that you want to display have EventCode=4738 and Account_Expires = "never", try this:
index=wineventlog EventCode=4738 Account_Expires = "never"
If this search doesn't have any result you have to debug it:
index=wineventlog EventCode=4738 and check whether the Account_Expires field is there.
If it isn't, you have to extract it.
If it is, look at the values you have and check whether you have the "never" value or a different one.
When you are sure of your search, you can display the users using the table command, but the first step is to debug the search.
The search you wrote does have the events with the field "Account_Expires".
However, your search and the one I wrote earlier both show all the events where "Account_Expires" is "never", not the ones where "Account_Expires" just changed from a certain date to never.
I need to know the users whose expire date has just changed to "never", not the ones who already had it set to never.
To find the expired users you could take the Account_Expires value and check it against the current date, something like this:
index=wineventlog EventCode=4738 | eval status=if(Account_Expires="never","Never Expires",if(now()-strptime(Account_Expires,"%m/%d/%Y")>0,"Account Expired","OK")) | table user status Account_Expires
Your search query doesn't provide what I am looking for.
If a user 'A' Account Expires on 10/01/2019:
Account_Expires = 10/01/2019
and then it is changed to "never".
How can I compare a date value with a string value?
Basically, I need to know which account's Expire Date was just removed and set to never.
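The two things the thread keeps circling are (1) how to treat "never" next to a real date, and (2) how to detect the transition from a date to "never" rather than matching every event that already says "never". The Python below is an added example, not something posted in this thread and not a Splunk search: it models the logic over a constructed set of 4738-style field extractions (the user names, timestamps and expiry dates are made up, and the field name "user" is an assumption; in your data it will be whatever the 4738 target-account field is extracted as). It converts the string to a date before comparing, treats "never" / "<never>" as the absence of a date, and flags only the events where a user's previous value was a concrete date and the current value is never. The same per-user "compare with the previous value" pass is what a streamstats-style search over the previous Account_Expires per user would do in SPL.

```python
from datetime import datetime

# Constructed sample of Security event 4738 ("A user account was changed") field
# extractions, in the shape you would have after extraction. Not real log data.
SAMPLE_EVENTS = [
    {"_time": "2019-09-01T08:00:00", "user": "A", "Account_Expires": "10/01/2019"},
    {"_time": "2019-09-01T08:05:00", "user": "B", "Account_Expires": "<never>"},
    {"_time": "2019-09-02T09:00:00", "user": "A", "Account_Expires": "<never>"},   # date -> never: flag
    {"_time": "2019-09-02T09:10:00", "user": "B", "Account_Expires": "<never>"},   # never -> never: ignore
    {"_time": "2019-09-03T10:00:00", "user": "C", "Account_Expires": "12/15/2019"},
    {"_time": "2019-09-04T10:00:00", "user": "C", "Account_Expires": "01/31/2020"}, # date -> date: ignore
]

# Both spellings seen in the thread; compared case-insensitively.
NEVER_VALUES = {"never", "<never>"}


def parse_expiry(value):
    """Return a datetime for an MM/DD/YYYY expiry, or None for 'never'/'<never>'.

    Anything else raises ValueError, so a malformed extraction surfaces instead of
    being silently treated as a date. This is the answer to "how do I compare a
    date with a string": convert the string first, and model 'never' as no date.
    """
    text = value.strip()
    if text.lower() in NEVER_VALUES:
        return None
    return datetime.strptime(text, "%m/%d/%Y")


def expiry_status(value, now):
    """Classify one Account_Expires value against the supplied 'current' time."""
    expires = parse_expiry(value)
    if expires is None:
        return "Never Expires"
    return "Account Expired" if now >= expires else "OK"


def find_expiry_removed(events):
    """Return (time, user, previous_value) for every event in which a user's
    Account_Expires went from a concrete date to never.

    Events are walked in time order per user and the last seen value is kept per
    user, so an account that was already 'never' is not reported again. A user
    whose first event in the window is already 'never' has no previous value
    here and is not reported either; widen the time range if that matters.
    """
    ordered = sorted(events, key=lambda e: (e["user"], e["_time"]))
    previous = {}  # user -> last seen raw Account_Expires value
    hits = []
    for event in ordered:
        user = event["user"]
        current_raw = event["Account_Expires"]
        prev_raw = previous.get(user)
        if (prev_raw is not None
                and parse_expiry(prev_raw) is not None
                and parse_expiry(current_raw) is None):
            hits.append((event["_time"], user, prev_raw))
        previous[user] = current_raw
    return hits


if __name__ == "__main__":
    for when, user, old_value in find_expiry_removed(SAMPLE_EVENTS):
        print(f"{when} user={user} expiry removed (was {old_value})")
```

Run as-is it reports only user A, whose expiry went from 10/01/2019 to never; B (already never) and C (date to a later date) are left out, which is the filter the question is asking for. For the alert, the event that carries the transition is the one to key on, not every event whose value is "never".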