So this lets me know that FSmith is using System1 and through a couple of days of checking I can reasonably surmise that FSmith is the dominate user of this system. Same with BJones and System2. How can I make it avoid the NULL SID entry? Is there a way to make it produce output like this:
No. Unfortunately these systems are isolated and cannot reach the internet. You can probably see the same type logs in your Windows Security Logs.
SourceName=Microsoft Windows Security Auditing