I am using ELK 7.12.1 mainly to log AD events at the minute. I have had a device go missing and I want to track down the last time it was logged on. I have been using user.name.text to locate user logons but I don't think the workstation name gets logged.
How can I log the workstation name for when a user logs on?
Are you using Winlogbeat?
I have Winlogbeat running on all my DC's this provide a phenomenal amount of data via the 'Winlogbeat Security - User Management Events'
I am just missing the workstation ID. This may not get collected via AD logs hence not showing up in ELK but it would be really helpful to get this in.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.