Hi,
The goal would be the following: I would like to show on the dashboard which (different) users are logged on, on which computer, and with which IP address. It is a conjecture that the same credentials are frequently used to log on from more than one machine. I would like to show a table on the dashboard with three columns: “Account Name” – “Workstation name” – “source network address”
These can be retrieved from Windows event ID 4624.
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: DOMAINNAME\username
Account Name: username
Account Domain: DOMAINNAME
Logon ID: 0x42F0049C7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Network Information:
Workstation Name: USER-PC
Source Network Address: 78.131.87.23
Source Port: 53680
This is what I have accomplished so far:
1. Graylog successfully received the Windows events with winlogbeat. I can search for the above event ID and I can see these events.
2. I created three extractors for the above fields.
3. I saw these extractors in the search tab, and I can select them individually and add them to the dashboard when I select “quick value”.
But I would like to tie these three columns together in one table to show username, machine name and IP address.
How can I do this?
Thank you
Viktor
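An added example, not part of the original post and not Graylog code: a Python sketch that reads the three fields from event 4624 message text by section, so that "Account Name" is taken from "New Logon" rather than the "-" under "Subject", then builds the three-column rows and lists accounts seen from more than one machine. The function names and the sample events (users, hosts, 192.0.2.x addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

def make_event(user, workstation, ip):
    """Constructed 4624 message in the layout of the event quoted above."""
    return ("An account was successfully logged on.\n"
            "Subject:\nSecurity ID: NULL SID\nAccount Name: -\n"
            "Account Domain: -\nLogon ID: 0x0\nLogon Type: 3\n"
            f"New Logon:\nSecurity ID: DOMAINNAME\\{user}\n"
            f"Account Name: {user}\nAccount Domain: DOMAINNAME\n"
            f"Network Information:\nWorkstation Name: {workstation}\n"
            f"Source Network Address: {ip}\nSource Port: 53680\n")

SECTION = re.compile(r"^\s*([A-Za-z ]+):\s*$")      # e.g. "New Logon:"
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s+(\S.*)$")  # e.g. "Account Name: x"

def parse_4624(message):
    """Return (account, workstation, source_ip), each read from its own section."""
    section, fields = None, {}
    for line in message.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := FIELD.match(line):
            fields[(section, m.group(1))] = m.group(2).strip()
    return (fields.get(("New Logon", "Account Name")),
            fields.get(("Network Information", "Workstation Name")),
            fields.get(("Network Information", "Source Network Address")))

def logon_table(messages):
    """Distinct, complete rows for the three-column table."""
    return sorted({r for r in map(parse_4624, messages) if all(r)})

def shared_accounts(rows):
    """Accounts that logged on from more than one workstation/address pair."""
    seen = defaultdict(set)
    for account, workstation, ip in rows:
        seen[account].add((workstation, ip))
    return {a: sorted(s) for a, s in seen.items() if len(s) > 1}

# Constructed sample input: alice appears on two machines, one event is a repeat.
EVENTS = [make_event("alice", "PC-01", "192.0.2.10"),
          make_event("alice", "PC-02", "192.0.2.11"),
          make_event("bob", "PC-03", "192.0.2.12"),
          make_event("alice", "PC-01", "192.0.2.10")]

if __name__ == "__main__":
    for row in logon_table(EVENTS):
        print("{:<12} {:<12} {}".format(*row))
    print("More than one machine:", shared_accounts(logon_table(EVENTS)))
```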