Change AccountName field
Dear NXlog community,
I am using nxlog in a Windows 2003 environment and I am having some problems with Windows failed authentication events. All entries with EventID 675 contain the AccountName "SYSTEM" instead of the username that the failed authentication is for. I couldn't get it to work with pattern matching in nxlog, but as I have never used this before I am probably doing something wrong. I would really like to get some statistics of this and get the user name in the AccountName field.
For example, Kibana is reporting:
AccountName SYSTEM
AccountType User
Category Account Logon
CategoryNumber 9
Domain NT AUTHORITY
EventID 675
EventType AUDIT_FAILURE
FileName Security
Hostname SomeHostName
Severity ERROR
SeverityValue 4
SourceModuleName eventlog
SourceModuleType im_mseventlog
SourceName Security
host SomeHostName.SomeDomain
message Pre-authentication failed:
User Name: [username]
User ID: %{some user id}
Service Name: krbtgt/office
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: [ip address]
Any help is appreciated!