We need to add users to our (unauthenticated) internal proxy logs. Currently the proxy logs only identify the initiator by IP address.
We have DHCP and/or Windows desktop logs to link the IP to a hostname. We have Windows logon events which contain the hostname and user fields. Multiple users are able to log onto certain hosts and indeed might be logged on at the same time (using fast user switching).
Has anyone any advice on how to solve this problem at scale (30 million events/hour)?
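The correlation described in the question (IP to hostname via DHCP, hostname to logged-on users via logon events) is sketched below as an added example. It is not code from the original post or from Splunk. The field layout, sample records and function names are assumptions, and lease expiry is not modeled: the most recent lease before the event is taken as current.

```python
import bisect
from collections import defaultdict

# Constructed sample data (epoch seconds); layouts are assumptions.
DHCP = [  # (time, ip, hostname) lease assignments
    (100, "10.0.0.5", "PC-A"),
    (500, "10.0.0.5", "PC-B"),
]
LOGONS = [  # (time, hostname, user, action)
    (120, "PC-A", "alice", "logon"),
    (200, "PC-A", "bob", "logon"),    # fast user switching: alice still on
    (300, "PC-A", "alice", "logoff"),
    (510, "PC-B", "carol", "logon"),
]

def build_ip_index(dhcp):
    """ip -> (sorted lease times, hostname assigned at each time)."""
    idx = defaultdict(lambda: ([], []))
    for t, ip, host in sorted(dhcp):
        idx[ip][0].append(t)
        idx[ip][1].append(host)
    return idx

def build_session_index(logons):
    """hostname -> (sorted event times, users logged on after each event)."""
    idx = defaultdict(lambda: ([], []))
    active = defaultdict(set)
    for t, host, user, action in sorted(logons):
        if action == "logon":
            active[host].add(user)
        else:
            active[host].discard(user)
        idx[host][0].append(t)
        idx[host][1].append(frozenset(active[host]))
    return idx

def latest(times, values, t):
    """Value in effect at time t (last entry at or before t), else None."""
    i = bisect.bisect_right(times, t) - 1
    return values[i] if i >= 0 else None

def enrich(event_time, src_ip, ip_idx, sess_idx):
    """Return (hostname, sorted candidate users) for one proxy event."""
    if src_ip not in ip_idx:
        return None, []
    host = latest(*ip_idx[src_ip], event_time)
    if host is None or host not in sess_idx:
        return host, []
    users = latest(*sess_idx[host], event_time) or frozenset()
    return host, sorted(users)  # more than one user means ambiguous attribution
```

Each proxy event costs two binary searches against in-memory indexes, and an event that falls while two users are logged on returns both names rather than guessing one.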
I have no doubt you are an enthusiast (what's not to love about Splunk?! 😀), but it is curious that there are a number of accounts whose sole purpose seems to be to keep you in the top 4 karma authors. Just sayin'