Hello, I am looking to create a report of a search. I have a requirement of tracking user logons to Windows machines (Active Directory). I am currently getting all the data, but I am having problems with false logons, or services using the credentials. For example, I will see people logged in at 1 am, but the logon ID is 0x0, or there is an error code 000, so that most likely will be a service or something using the credentials of someone, and no one actually logging in. There are about 1500 records a day of these false logons.
I also have the requirement to track Monday - Friday from 6pm to 6am overnight, and I can't seem to get the time of recording properly in the search. Below is the search I am currently using, and help would be appreciated, thank you!
source="WinEventLog:Security" (EventCode=528 OR EventCode=540 OR EventCode=4624 OR
(EventCode=4776 Error_Code=0x0)) NOT Account_Name="*$" NOT Logon_Account="*$" NOT User_Name="*$"
| eval Account_Name=mvindex(Account_Name, 1)
| eval User=coalesce(Account_Name, Logon_Account, Logon_account, User_Name)
| eval User=lower(User)
| table _time, User, EventCode
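As an added example (not part of the original post), one way to drop the service/network noise and keep only the Monday-to-Friday overnight window: it assumes the Splunk Add-on for Windows field names Logon_Type and Logon_ID for 4624 events, and it treats an early-morning hit (before 06:00) as belonging to the previous evening.

```spl
source="WinEventLog:Security" (EventCode=528 OR EventCode=540 OR EventCode=4624 OR
(EventCode=4776 Error_Code=0x0)) NOT Account_Name="*$" NOT Logon_Account="*$" NOT User_Name="*$"
| eval Account_Name=mvindex(Account_Name, 1)
| eval User=lower(coalesce(Account_Name, Logon_Account, Logon_account, User_Name))
| eval Logon_ID=mvindex(Logon_ID, -1)
| eval Logon_Type=tonumber(Logon_Type)
| where isnull(Logon_Type) OR Logon_Type IN (2, 7, 10, 11)
| where isnull(Logon_ID) OR Logon_ID!="0x0"
| eval hour=tonumber(strftime(_time, "%H"))
| eval shift_day=strftime(if(hour<6, _time-86400, _time), "%a")
| where (hour>=18 OR hour<6) AND shift_day!="Sat" AND shift_day!="Sun"
| table _time, shift_day, User, EventCode, Logon_Type, Logon_ID
```

Logon types 2, 7, 10 and 11 are the interactive, unlock, RDP and cached-interactive logons, which is what "a person logging in" usually means; the isnull checks keep the 528/540/4776 events that may not carry those fields.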