Monitor Windows Logons win Winlogbeat


I am shipping logs from my DC to Logstash and then to Elasticsearch. I am trying to visualize domain user logins to all domain joined servers.
But It is not showing me the name of server on which user logs in. It always shows DC server because that is where authentication is being done. But I am interested to see which user logs on to which server.
Has anyone done anything similar before?

We are using a winlogbeat (6.8.1) to get failed login attempts from our DCs and in this event type there is a field event_data.IpAddress which is the ip of the host from which the login originates.
But i can't gurantee that the same field exists in the normal login event.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.