I'm getting events now, but for example I've looked at the "User Logon Failures" page. It doesn't return any results in any of the sections. I haven't looked at all of them, but the first one over time seems strange to me or maybe my data is strange.
It uses this:
search eventtype=msad-failed-user-logons
so I checked that eventtype and it's based on:
eventtype=msad-nt5-failed-user-logons OR eventtype=msad-nt6-failed-user-logons
I've got only 2008 R2 so I looked at the nt6 eventtype:
eventtype=wineventlog-security EventCode=4625 user!="*$"
This doesn't produce any search results for me as is. I removed the "user" field and get plenty of results. I can't actually see any "user" fields in the data I get; however, I have a field called "Account_Name" which seems to have the information I'm looking for. So I tried this search:
eventtype=wineventlog-security EventCode=4625 Account_Name!="*$"
I seem to get the failed logon attempts that the page is trying to retrieve. So I guess my question is: is it normal for this to not work, or should I actually have a "user" field?
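One way to make the bundled eventtype match without editing it is to alias the extracted Account_Name field to the name the eventtype expects. This is an added example, not configuration from the post or from the Splunk Windows app; it assumes the Security events arrive under sourcetype WinEventLog:Security and that Account_Name is already being extracted, as described above.

```ini
# props.conf in a local app on the search head (constructed example).
# Assumption: the 2008 R2 Security log is indexed with this sourcetype.
[WinEventLog:Security]
# Expose Account_Name under the name "user" so that
# eventtype=msad-nt6-failed-user-logons (EventCode=4625 user!="*$")
# can match these events without changing the eventtype definition.
FIELDALIAS-account_name_as_user = Account_Name AS user
```

Because a 4625 event carries two Account Name values (the subject and the account whose logon failed), the aliased user field is multivalue; check the result with `eventtype=wineventlog-security EventCode=4625 | stats count by user` before relying on the page's counts.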