Active Directory Logon / Logoff events

Hi All

Currently we are setting up Graylog to monitor Active Directory account logins / logouts and lockouts.

I have searched all through the forums and couldn’t find an answer, so I apologise if this has already been answered elsewhere.

So far the failed logins are triggering an alert, which is working; however, it’s only displaying the AD user name and not the AD domain name. This is based off Windows event ID 4771.

I tried to set it up to group by field TargetUserName and TargetDomainName but this stopped the alert from working. If I have only TargetUserName it works, but then there is no AD domain on the alert, which is needed.

Any help is greatly appreciated.

We are loving the Graylog platform.

If you look at one of the Event ID 4771 messages, can you see the domain name in one of the fields?

Hello, thank you for the reply.
If I look at the 4771 message directly, there isn’t a domain name in the fields.

The closest thing is the source field, which lists the domain controller.

This would probably be sufficient if there is no other option.

How would I go about getting this information into the alert? Would I just group by source as an additional option?

Many Thanks

You could create a pipeline rule which adds a domain field to the message, or you could just include the source of the message which, as you said, would be the domain controller.
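
One way to write the pipeline rule suggested above, as an added example that is not part of the original thread: it derives a domain from the DNS suffix of `source` on event 4771 messages. Assumptions: the event ID arrives in a field named `EventID`, `source` holds the domain controller's FQDN, and the new field is named `TargetDomainName` to match the group-by tried earlier.

```graylog
// Added example: Graylog pipeline rule, not from the original thread.
// Assumed field names: EventID and source. Adjust them to what your
// Windows log shipper actually emits.
rule "4771: derive TargetDomainName from domain controller FQDN"
when
  // Only Kerberos pre-authentication failures
  has_field("EventID") &&
  to_string($message.EventID) == "4771" &&
  // Never overwrite a domain value that is already present
  !has_field("TargetDomainName") &&
  // source must be an FQDN (host.domain.tld); a short hostname is left untouched
  regex("^[^.]+\\.(.+)$", to_string($message.source)).matches == true
then
  let m = regex("^[^.]+\\.(.+)$", to_string($message.source));
  // The first capture group is exposed under key "0"
  set_field("TargetDomainName", lowercase(to_string(m["0"])));
end
```

The value is the DNS suffix of the controller that logged the event, which is not necessarily the domain of the account. Attach the rule to a pipeline connected to the stream that the alert searches.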
