Hey,
we are using three windows domain controllers in our company. We would like to spot some information like user lockouts (event id 4740) etc.
The problem is, that sometimes one event is triggered on two domain-controllers. E.g:
- Event A on DC1 at 07:10:41.358
- Event B on DC3 at 07:10:41.349 (which is the same event as the previous one, but on another DC)
In that case I am aggregating the events with a date-histogram, which works fine because both events happened "in the same second". But if the timestamps differ, e.g. 07:10:40.980 and 07:10:41.358, they will not be aggregated.
Also, on a data-table visualization, the date historgram causes the table to show only the time-ranges (and is automatically scaled to 10minutes), which isn't that intuitive for end-users.
Does anyone know an answer how to solve this problem?