This email alert which is meant to include the message from the stream doesn’t include the whole message. Below is the message as shown in the stream;
This alert was set up as a notification when accounts get locked out.
However, all I can see in the email is;
source: dc01.intranet.********.co.uk | message: DC01 microsoft-windows-security-auditing[success] 4740 A user account was locked out.Subject:Security ID:S-1-5-18Account Name:DC01$Account Domain:INTRANETLogon ID:0x3e7Account That Was Locked Out:Security ID:S-1-5-2 (…) { level: 6 | gl2_remote_ip: 192.168.2.10 | gl2_remote_port: 58360 | streams: [000000000000000000000001, 590af590b044c8070b274f6e] | gl2_source_node: 0f50d8ca-4f6f-4462-b376-56ecffecbd4d | _id: 8866f580-30cc-11e7-bcf6-00155d01ad2c | gl2_source_input: 590aefeeb044c8070b27497a | facility: security/authorization | timestamp: 2017-05-04T13:20:59.000Z }
I want to be able to see which user was logged out and from which workstation, as it shows in the original message. Is this possible?