Avatar of rgraber6
 asked on

Logon Event Monitoring: Workstation_Name Field Blank?

Currently monitoring forwarded event logs from a domain controller (Running Windows 2008 R2). Trying to use an IT monitoring application called SPLUNK (www.splunk.com) to do so. Specifically focused on monitoring logon events.Would like to be able to sort logon events by account_name and workstation_name fields.

The issue: When searching through the domian controller's event logs and filtering for logon events, the program is failing to define a workstation name. It often can define an account name, but the problem is that we aren't able to correlate which account name is logging into which workstation name.

Question: Why are most of the "4624" logon events ANONYMOUS LOGON's ? Is there a way to extract these desired fields out of the logs with SPLUNK, or is the data just withheld on the the Windows event logs? If so, how do we make so these fields are not hidden on these logs?

Network AnalysisMicrosoft Legacy OSIT Administration

Avatar of undefined
Last Comment

8/22/2022 - Mon

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck