troubleshooting Question

Logon Event Monitoring: Workstation_Name Field Blank?

Avatar of rgraber6
rgraber6 asked on
Network AnalysisMicrosoft Legacy OSIT Administration
1 Comment1 Solution976 ViewsLast Modified:
Currently monitoring forwarded event logs from a domain controller (Running Windows 2008 R2). Trying to use an IT monitoring application called SPLUNK ( to do so. Specifically focused on monitoring logon events.Would like to be able to sort logon events by account_name and workstation_name fields.

The issue: When searching through the domian controller's event logs and filtering for logon events, the program is failing to define a workstation name. It often can define an account name, but the problem is that we aren't able to correlate which account name is logging into which workstation name.

Question: Why are most of the "4624" logon events ANONYMOUS LOGON's ? Is there a way to extract these desired fields out of the logs with SPLUNK, or is the data just withheld on the the Windows event logs? If so, how do we make so these fields are not hidden on these logs?


Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 1 Comment.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 1 Comment.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros