Filtering out Windows Event IDs #12169
Replies: 2 comments
-
Ok, under "messages" are the details, but how to filter for "username" within "messages"?
-
I finally found the "user.name". Sorry for bothering. It's close to the weekend ;-)
-
Hi,
Our DCs' event logs, including "Security", are shipped to SO. I want to filter for a specific username that is triggering, e.g., Windows Event ID 4771. In Kibana I can use this:
host.hostname: "company-dc01" and winlog.channel: "Security" and event.code:"4771"
to get all security events from a specific domain controller (company-dc01). But how do I proceed further? I don't see the username in the details tab.
Would appreciate any help. Thanks.