I am shipping logs from my DC to Logstash and then to Elasticsearch. I am trying to visualize domain user logins to all domain-joined servers.
But it is not showing me the name of the server on which the user logs in. It always shows the DC server because that is where authentication is being done. But I am interested to see which user logs on to which server.
Has anyone done anything similar before?
Regards,
Ayesha
We are using Winlogbeat (6.8.1) to get failed login attempts from our DCs, and in this event type there is a field event_data.IpAddress, which is the IP of the host from which the login originates.
But I can't guarantee that the same field exists in the normal login event.
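
Added example, not part of either post above and not Winlogbeat's own code: a small Python pass over Winlogbeat-style documents that groups logons by user and originating IP, and keeps events visible when `event_data.IpAddress` is absent or empty, as the reply cautions it may be. The event IDs 4624/4625, the `event_id` and `event_data.TargetUserName` field names, the `-` placeholder handling and all sample documents are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample documents in a Winlogbeat 6.x-like shape (not real logs).
SAMPLE_EVENTS = """
{"event_id": 4625, "computer_name": "dc01.example.local", "event_data": {"TargetUserName": "alice", "IpAddress": "10.0.5.21"}}
{"event_id": 4625, "computer_name": "dc01.example.local", "event_data": {"TargetUserName": "alice", "IpAddress": "10.0.5.21"}}
{"event_id": 4625, "computer_name": "dc01.example.local", "event_data": {"TargetUserName": "bob", "IpAddress": "-"}}
{"event_id": 4624, "computer_name": "dc01.example.local", "event_data": {"TargetUserName": "carol"}}
{"event_id": 4624, "computer_name": "dc01.example.local", "event_data": {"TargetUserName": "alice", "IpAddress": "::ffff:10.0.5.30"}}
{"event_id": 7036, "computer_name": "dc01.example.local", "event_data": {"param1": "Some Service"}}
"""

# Assumed Windows Security event IDs: 4624 = successful logon, 4625 = failed logon.
LOGON_EVENT_IDS = {4624: "success", 4625: "failure"}
UNKNOWN = "unknown"


def source_ip(event):
    """Return the originating IP, or UNKNOWN when the field is missing or a placeholder."""
    ip = (event.get("event_data") or {}).get("IpAddress")
    if not ip or ip == "-":
        return UNKNOWN
    # Normalise IPv4-mapped IPv6 so one host is not counted under two keys.
    if ip.lower().startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    return ip


def logons_by_source(lines):
    """Count logon events per (user, outcome, source IP); other event IDs are skipped."""
    counts = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        outcome = LOGON_EVENT_IDS.get(event.get("event_id"))
        if outcome is None:
            continue
        user = (event.get("event_data") or {}).get("TargetUserName", UNKNOWN)
        counts[(user, outcome, source_ip(event))] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(logons_by_source(SAMPLE_EVENTS.splitlines()).items()):
        print(*key, n)
```

A non-zero count under `unknown` shows how many logon events carried no usable source address, which is the case the reply could not rule out for normal logins.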