I am using ELK 7.12.1 mainly to log AD events at the minute. I have had a device go missing and I want to track down the last time it was logged on. I have been using user.name.text to locate user logons but I don't think the workstation name gets logged.
How can I log the workstation name for when a user logs on?
Are you using Winlogbeat?
I have Winlogbeat running on all my DC's this provide a phenomenal amount of data via the 'Winlogbeat Security - User Management Events'
I am just missing the workstation ID. This may not get collected via AD logs hence not showing up in ELK but it would be really helpful to get this in.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.