
Change AccountName field
Dear NXLog community,

I am using NXLog in a Windows 2003 environment and I am having some problems with Windows failed authentication events. All entries with EventID 675 contain the AccountName "SYSTEM" instead of the username that the failed authentication is for.

I couldn't get it to work with pattern matching in NXLog, but as I have never used this before I am probably doing something wrong. I would really like to get some statistics of this and get the user name in the AccountName field.

For example, Kibana is reporting:

    AccountName         SYSTEM
    AccountType         User
    Category            Account Logon
    CategoryNumber      9
    Domain              NT AUTHORITY
    EventID             675
    EventType           AUDIT_FAILURE
    FileName            Security
    Hostname            SomeHostName
    Severity            ERROR
    SeverityValue       4
    SourceModuleName    eventlog
    SourceModuleType    im_mseventlog
    SourceName          Security
    host                SomeHostName.SomeDomain
    message             Pre-authentication failed:
                            User Name: [username]
                            User ID: %{some user id}
                            Service Name: krbtgt/office
                            Pre-Authentication Type: 0x0
                            Failure Code: 0x19
                            Client Address: [ip address]

Any help is appreciated!

pk21 created
Replies: 1
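
One way to get the behaviour the post asks for, shown as an added example (it is not from the thread or from the NXLog project): a regular-expression match in the input's Exec that copies the "User Name:" value from the message into AccountName for EventID 675. The field names $ReportingAccount and $ClientAddress are hypothetical, and the patterns assume the user name and client address contain no whitespace.

```nxlog
# Added example. The instance name "eventlog" matches the
# SourceModuleName shown in the post.
#
# EventID 675 is written by the SYSTEM account, so $AccountName holds
# "SYSTEM". The account that failed pre-authentication appears only in
# the message text, after "User Name:".
#
# $ReportingAccount and $ClientAddress are hypothetical field names:
#   $ReportingAccount keeps the original value so it is not lost
#   $ClientAddress    holds the source address for per-client statistics
<Input eventlog>
    Module  im_mseventlog
    Exec    if $EventID == 675 and $Message =~ /User Name:\s+(\S+)/ \
            { \
                $ReportingAccount = $AccountName; \
                $AccountName = $1; \
            }
    Exec    if $EventID == 675 and $Message =~ /Client Address:\s+(\S+)/ \
                $ClientAddress = $1;
</Input>
```

Events where the pattern does not match keep their original AccountName, so a sudden rise in 675 events still attributed to SYSTEM indicates the message layout differs from the one assumed here.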