Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
Change AccountName field
pk21 created
Dear NXlog community,
I am using nxlog on a windows 2003 environment and i am having some problems with windows failed authentication events. All entry's with EventID 675 contain the AccountName "SYSTEM" in stead of the username that the failed authentication is for. I couldnt get it to work with pattern matching in nxlog but as i have never used this before i am probably doing something wrong. I would really like to get some statistics of this and get the user name in the AccountName field.
For example kibana is reporting:
AccountName SYSTEM
AccountType User
Category Account Logon
CategoryNumber 9
Domain NT AUTHORITY
EventID 675
EventType AUDIT_FAILURE
FileName Security
Hostname SomeHostName
Severity ERROR
SeverityValue 4
SourceModuleName eventlog
SourceModuleType im_mseventlog
SourceName Security
host SomeHostName.SomeDomain
message Pre-authentication failed:
User Name: [username]
User ID: %{some user id}
Service Name: krbtgt/office Pre-Authentication
Type: 0x0 Failure Code: 0x19
Client Address: [ip address]
Any help is appreciated!
pk21 created