Hi,
I want to correlate two sourcetypes.
The first sourcetype is the VPN logged event; for example, userA's logged events are as follows:
***2015-10-18 18:06:45 1.1.1.1 userA logged in , connected to network....
2015-10-18 19:06:45 1.1.1.1 userA logged out , disconnected from network.....***
If userA logged on to the specialized Windows server through the VPN channel while logged in to the VPN, the Windows log is as follows:
***2015-10-18 18:25:45 account=userA eventid=477x. ....***
I want to determine whether or not userA logged on to the specialized Windows server during the VPN logged-on time range. How do I design the correlation search? Thanks.
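The windowed correlation the question asks for, as an added Python example that is not from the original thread or from Splunk: it pairs each user's VPN "logged in" with that user's next "logged out", then flags Windows logons whose account and timestamp fall inside such a session (an open session with no logout yet still matches; a user with no VPN session never does). The line formats, the extra users and the events are assumptions modelled on the two lines in the post; the same windowing logic is what the Splunk search has to express.

```python
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Patterns written against the two example lines in the question (assumed formats).
VPN_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) logged (in|out)\b")
WIN_RE = re.compile(r"^(\S+ \S+) account=(\S+) eventid=(\S+)")

# Constructed sample events modelled on the post; userB and userC are added
# to show an open session and a user with no VPN session at all.
VPN_EVENTS = [
    "2015-10-18 18:06:45 1.1.1.1 userA logged in , connected to network",
    "2015-10-18 19:06:45 1.1.1.1 userA logged out , disconnected from network",
    "2015-10-18 20:00:00 1.1.1.2 userB logged in , connected to network",  # no logout yet
]
WIN_EVENTS = [
    "2015-10-18 18:25:45 account=userA eventid=477x",  # inside userA's VPN session
    "2015-10-18 19:30:00 account=userA eventid=477x",  # after userA logged out
    "2015-10-18 20:10:00 account=userB eventid=477x",  # userB's session is still open
    "2015-10-18 18:30:00 account=userC eventid=477x",  # userC has no VPN session
]

def vpn_sessions(lines):
    """Map user -> [(login, logout, ip)]; an unmatched login is an open session (logout=None)."""
    sessions, open_login = {}, {}
    # ISO timestamps sort lexically, so sorting the raw lines orders them in time.
    for m in filter(None, map(VPN_RE.match, sorted(lines))):
        ts, ip, user, action = m.groups()
        t = datetime.strptime(ts, TS_FMT)
        if action == "in":
            open_login[user] = (t, ip)
        elif user in open_login:
            start, ip = open_login.pop(user)
            sessions.setdefault(user, []).append((start, t, ip))
    for user, (start, ip) in open_login.items():
        sessions.setdefault(user, []).append((start, None, ip))
    return sessions

def correlate(vpn_lines, win_lines):
    """Return (user, eventid, logon_time, vpn_ip) for each Windows logon inside a VPN session."""
    sessions = vpn_sessions(vpn_lines)
    hits = []
    for m in filter(None, map(WIN_RE.match, win_lines)):
        ts, user, eid = m.groups()
        t = datetime.strptime(ts, TS_FMT)
        for start, end, ip in sessions.get(user, []):
            if start <= t and (end is None or t <= end):
                hits.append((user, eid, t, ip))
                break
    return hits
```

Running `correlate(VPN_EVENTS, WIN_EVENTS)` on the constructed data returns only the userA logon at 18:25:45 and the userB logon inside its still-open session; the post-logout userA event and userC are dropped.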