Duplicate Windows User Names when filtering

Hi,

I'm new here and I am trying to set up a Windows centralised log for the first time with ELK. So far, everything is working out for me.

I want to make a visualisation in Kibana to view successful account logons on the Windows domain. It's working fine, but I'm seeing duplicate account names when I split rows on event_data.TargetUserName. These usernames are the same, but the spelling is different.

Example: I want to see in the table how many times a user has successfully logged on, how many different computers and how many unique IP addresses the user has 'used'. This is one of the data tables given as a template with Winlogbeat.

But I get multiple rows for the same usernames, with different spelling. E.g. I see a row with user "Bob", but also a row for user "bob", which is the same account. The person just spelled his username with lower case characters on the logon screen.

Any idea on how to filter these duplicates out? Or do I need to change this (I don't know how) on the Windows side? Maybe there is a way to always force a user to log in with lower/upper case characters only?

Thanks in advance,
Frederic

You can lowercase your data using ingest node feature with a lowercase processor.

Or use the new Normalizer feature in your mapping on your .keyword fields.

Active Directory saves all attributes case rare. For example Bob. You can search for bob or BOB and always get Bob as the result. So on the Windows side there is no chance to change this behaviour. What you can do is to send these events to Logstash and then lowercase or uppercase this field. See here

@dadoonet, doesn't recognize your answer :see_no_evil:

Seems like even though Windows records both Bob and bob, they are both the same user. So this would be a good candidate for the normalizer. We could update index template for this field.
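Both options mentioned in this thread (the ingest-node lowercase processor from the first answer, and the normalizer on the keyword field suggested in the first answer and again in the reply just above) can be expressed as Kibana Dev Tools requests. The following is an added example and not code from the thread or from the Winlogbeat project; it assumes an Elasticsearch 6.x cluster, the `winlogbeat-*` index pattern with the `doc` mapping type, and the field path `event_data.TargetUserName` that the original question uses. The pipeline and template names are made up for the example.

```console
# Option 1: normalise the value at ingest time. Every document routed
# through this pipeline gets TargetUserName lowercased, so "Bob" and
# "bob" become the same bucket in a terms aggregation. `ignore_missing`
# keeps events without that field (e.g. non-logon events) from failing.
PUT _ingest/pipeline/winlogbeat-lowercase-username
{
  "description": "Lowercase TargetUserName so case variants of one account aggregate together",
  "processors": [
    {
      "lowercase": {
        "field": "event_data.TargetUserName",
        "ignore_missing": true
      }
    }
  ]
}

# Option 2: keep the original value in _source but index the keyword
# with a lowercase normalizer, so term queries and aggregations are
# case-insensitive while the stored document still shows what the
# user typed. Only new indices matching the pattern pick this up;
# existing indices keep their old mapping until reindexed.
PUT _template/winlogbeat-username-normalizer
{
  "index_patterns": ["winlogbeat-*"],
  "order": 1,
  "settings": {
    "analysis": {
      "normalizer": {
        "lowercase_normalizer": {
          "type": "custom",
          "char_filter": [],
          "filter": ["lowercase"]
        }
      }
    }
  },
  "mappings": {
    "doc": {
      "properties": {
        "event_data": {
          "properties": {
            "TargetUserName": {
              "type": "keyword",
              "normalizer": "lowercase_normalizer"
            }
          }
        }
      }
    }
  }
}
```

For option 1 the pipeline has to be referenced from the shipper, for example with `output.elasticsearch.pipeline: winlogbeat-lowercase-username` in `winlogbeat.yml` (the pipeline name here is the example's own). The `order: 1` on the template lets it layer on top of the default Winlogbeat template, which is loaded at order 0, so only this one field's mapping is overridden. Because Windows and Active Directory treat account names as case-insensitive, folding case in either place loses no information for the logon-count visualisation; whichever option is chosen, the new mapping or pipeline only affects documents written after it is installed, so a comparison across old and new indices will still show split rows until the old data is reindexed.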
