Logon Event Monitoring: Workstation_Name Field Blank?

rgraber6 used Ask the Experts™
Currently monitoring forwarded event logs from a domain controller (running Windows 2008 R2). Trying to use an IT monitoring application called SPLUNK (www.splunk.com) to do so. Specifically focused on monitoring logon events. Would like to be able to sort logon events by account_name and workstation_name fields.

The issue: When searching through the domain controller's event logs and filtering for logon events, the program is failing to define a workstation name. It often can define an account name, but the problem is that we aren't able to correlate which account name is logging into which workstation name.

Question: Why are most of the "4624" logon events ANONYMOUS LOGONs? Is there a way to extract these desired fields out of the logs with SPLUNK, or is the data just withheld in the Windows event logs? If so, how do we make it so these fields are not hidden in these logs?

I monitor logon/logoff events using this method on the domain controllers:
nltest /dbflag:0x2080ffff

This creates a separate log, not recorded in the Event Viewer logs.

More info:

View the articles in the Microsoft Knowledge Base:
247811  How domain controllers are located in Windows

189541  Using the checked Netlogon.dll to track account lockouts
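
To get from that separate Netlogon debug log (by default `%windir%\debug\netlogon.log`) to the account-to-workstation pairing the question asks for, the Python below parses its SamLogon lines and counts logons per pair. It is an added example, not part of the original answer; the line layout in the regular expression is an assumption and the sample lines are constructed, so check both against your own log before relying on it.

```python
import re
from collections import defaultdict

# ASSUMED line layout (thread id, domain prefix and "(via ...)" are optional):
# MM/DD HH:MM:SS [LOGON] [tid] DOMAIN: SamLogon: <type> logon of DOM\user from HOST <Entered | Returns 0x...>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] (?:\[\d+\] )?"
    r"(?:\S+: )?SamLogon: (?P<kind>.+?) logon of (?P<account>.+?) "
    r"from (?P<host>\S*)(?: \(via [^)]*\))? "
    r"(?:Entered|Returns (?P<status>0x[0-9A-Fa-f]+))$"
)

# Constructed sample lines, not taken from a real domain controller.
SAMPLE_LOG = r"""
03/14 08:01:12 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\alice from WKS-0142 Entered
03/14 08:01:12 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\alice from WKS-0142 Returns 0x0
03/14 08:02:40 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\bob from WKS-0077 (via FILESRV01) Entered
03/14 08:02:40 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\bob from WKS-0077 (via FILESRV01) Returns 0xC000006A
03/14 08:03:05 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\alice from  Returns 0x0
03/14 08:03:09 [MISC] EXAMPLE: DsGetDcName function called
"""


def parse_line(line):
    """Return ts/kind/account/host/status for a SamLogon line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Keep logons with an empty workstation visible instead of dropping them.
    rec["host"] = rec["host"] or "(blank)"
    return rec


def correlate(lines):
    """Count completed logons per (account, workstation) pair."""
    pairs = defaultdict(lambda: {"ok": 0, "failed": 0})
    for line in lines:
        rec = parse_line(line)
        # Skip unrelated lines and "Entered" lines (no status yet), so each
        # logon attempt is counted once, on its "Returns" line.
        if rec is None or rec["status"] is None:
            continue
        outcome = "ok" if int(rec["status"], 16) == 0 else "failed"
        pairs[(rec["account"], rec["host"])][outcome] += 1
    return dict(pairs)


if __name__ == "__main__":
    for (account, host), n in sorted(correlate(SAMPLE_LOG.splitlines()).items()):
        print(f"{account:<16} {host:<10} ok={n['ok']} failed={n['failed']}")
```
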
