Hi,
I'm doing searches for account login failures using EventCode="4625".
The problem is the search returns a lot of results of user "$" trying to log onto itself or other hosts. I believe these logon event types are something to do with Remote Desktop Services or mapping drives from one host to another etc., but I'm trying to filter them out of my search.
So far my search looks like:
index=wineventlog sourcetype=WinEventLog:Security host=xxxx* | where EventCode="4625"
| where user!="*$" | stats count by user, ComputerName, EventCode
| sort user, - count
| rename EventCode as "Windows Event ID", count as "Number of Events", user as "Active Directory Account"
I'm trying to use where user!="*$" (i.e. where user doesn't equal anything ending with a $) to filter it out, but it's not working.
I've also tried where user!="xxxx*" and where user!="xxxx*$" and that hasn't worked either.
Any ideas? Thanks in advance!
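As an added illustration (not part of the original post or of Splunk), the filtering the question is after, written out in Python over a few constructed 4625-style records: keep failed logons, drop Active Directory computer accounts (which always end in "$"), then count by account and host the way "stats count by user, ComputerName" would. The key=value layout of the sample lines and the field names EventCode, ComputerName and user are assumptions chosen to mirror the fields named in the search above.

```python
import re
from collections import Counter

# Constructed sample records in a simplified key=value layout that mimics the
# fields Splunk extracts from Windows Security events. These are NOT real logs.
SAMPLE_EVENTS = [
    'EventCode=4625 ComputerName=HOST01.corp.example user=HOST01$',
    'EventCode=4625 ComputerName=HOST01.corp.example user=jsmith',
    'EventCode=4625 ComputerName=HOST02.corp.example user=HOST01$',
    'EventCode=4625 ComputerName=HOST02.corp.example user=jsmith',
    'EventCode=4625 ComputerName=HOST02.corp.example user=jsmith',
    'EventCode=4624 ComputerName=HOST02.corp.example user=admin',  # successful logon, not a failure
    'EventCode=4625 ComputerName=HOST03.corp.example user=svc-backup',
]

FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_event(line):
    """Turn one key=value record into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def is_machine_account(user):
    """AD computer accounts end with '$' (e.g. HOST01$).

    This is a test on the last character only; it is the kind of suffix match
    that an exact string comparison such as user!="*$" cannot express.
    """
    return user.endswith('$')


def failed_logons_by_humans(lines):
    """Keep only EventCode 4625 records whose account is not a machine account."""
    events = (parse_event(line) for line in lines)
    return [
        e for e in events
        if e.get('EventCode') == '4625'
        and 'user' in e
        and not is_machine_account(e['user'])
    ]


def count_by_user_and_host(events):
    """Equivalent of 'stats count by user, ComputerName | sort user, - count'."""
    counts = Counter((e['user'], e['ComputerName']) for e in events)
    # Sort by account name ascending, then by count descending.
    return sorted(counts.items(), key=lambda kv: (kv[0][0], -kv[1]))


if __name__ == '__main__':
    kept = failed_logons_by_humans(SAMPLE_EVENTS)
    for (user, host), n in count_by_user_and_host(kept):
        print(f'{user:12} {host:22} {n}')
```

The same suffix test in SPL needs a function rather than a bare comparison, because `where` compares strings exactly and does not expand `*`: `where NOT like(user, "%$")` (SQL-style `%` wildcard) or `where NOT match(user, "\$$")` (regex) both filter on the trailing dollar sign, and a plain `search user!="*$"` before the `stats` works too, since only the `search` command treats `*` as a wildcard.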