Hello,
I am running into an issue where I want to report on the number of logins by server and user. The issue I have is that it appears in the Windows 2003 Server security event log the user is defined by the username field. However, in Windows 2008 Server it is Account Name.
So if I did something like:
source="WinEventLog:Security" EventCode="4624" OR EventCode="528" daysago="7" | stats count by host, User_Name | sort host
only Windows 2003 is showing up due to User_Name. I have to have:
source="WinEventLog:Security" EventCode="4624" OR EventCode="528" daysago="7" | stats count by host, Account_Name | sort host
for Win 2008. I would like all this on one report. I tried something like:
source="WinEventLog:Security" EventCode="4624" OR EventCode="528" daysago="7" | stats count by host, (User_Name OR Account_Name) | sort host
which did not work. So I am figuring I need to write a transform. All I want to do is extract the Account_Name and assign it to a field called User_Name.
I have written more complex transforms but for some reason can't get my mind around this simple one in transforms.conf.
Thanks.
Kevin
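Added example (not part of the original post, and not Splunk's own code): a small Python stand-in for the normalization the search needs, run over constructed 528 and 4624 events. It extracts the Windows 2003 "User Name" or the Windows 2008 "Account Name" into one User_Name value and counts logins by host and user, which is the same effect as coalescing the two Splunk fields into one before the stats; the host names, user names and event text are constructed samples.

```python
import re
from collections import Counter

# Constructed sample events (not real log data). Each carries the host and
# EventCode the search selects on, plus a trimmed _raw body in the format of
# a Windows 2003 logon (528) or a Windows 2008 logon (4624).
EVENT_528 = "Successful Logon:\n\tUser Name:\t{user}\n\tDomain:\tCORP\n\tLogon Type:\t10"
EVENT_4624 = ("An account was successfully logged on.\n\nSubject:\n"
              "\tAccount Name:\t\t{host}$\n\tAccount Domain:\t\tCORP\n\n"
              "Logon Type:\t\t10\n\nNew Logon:\n"
              "\tAccount Name:\t\t{user}\n\tAccount Domain:\t\tCORP")
SAMPLE_EVENTS = [
    {"host": "srv2003", "EventCode": "528", "_raw": EVENT_528.format(user="kevin")},
    {"host": "srv2003", "EventCode": "528", "_raw": EVENT_528.format(user="alice")},
    {"host": "srv2008", "EventCode": "4624", "_raw": EVENT_4624.format(host="SRV2008", user="kevin")},
    {"host": "srv2008", "EventCode": "4624", "_raw": EVENT_4624.format(host="SRV2008", user="kevin")},
    {"host": "srv2008", "EventCode": "4634", "_raw": "An account was logged off."},  # filtered out
]

USER_NAME_RE = re.compile(r"^\s*User Name:\s*(\S+)", re.MULTILINE)
ACCOUNT_NAME_RE = re.compile(r"^\s*Account Name:\s*(\S+)", re.MULTILINE)


def extract_user_name(event):
    """Return one User_Name for a 528 or 4624 event, or None if neither field is present."""
    raw = event["_raw"]
    match = USER_NAME_RE.search(raw)
    if match:                      # Windows 2003 layout: "User Name:"
        return match.group(1)
    names = ACCOUNT_NAME_RE.findall(raw)
    if not names:
        return None
    # A 4624 event lists "Account Name" twice: under Subject (often the machine
    # account, e.g. SRV2008$) and under New Logon (the user who logged on).
    # Taking the last match keeps the New Logon account, which is the one
    # a logins-per-user report wants.
    return names[-1]


def logins_by_host_and_user(events):
    """Equivalent of `stats count by host, User_Name | sort host` over normalized events."""
    counts = Counter()
    for event in events:
        if event["EventCode"] not in ("528", "4624"):
            continue
        user = extract_user_name(event)
        if user is not None:
            counts[(event["host"], user)] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for (host, user), count in logins_by_host_and_user(SAMPLE_EVENTS).items():
        print(f"{host}\t{user}\t{count}")
```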