<13>Jun 23 12:03:29 MyServerName AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=126.96.36.199 Source=Security Computer=Server OriginatingComputer=x.x.x.1 User=SYSTEM Domain=NT AUTHORITY EventID=540 EventIDCode=540 EventType=8 EventCategory=2 RecordNumber=27741234 TimeGenerated=1656000205 TimeWritten=1656000205 Level=0 Keywords=0 Task=0 Opcode=0 Message=Successful Network Logon: User Name: SERVERFLOW2$ Domain:…
Note: By default, the Microsoft Windows Security DSM extracts the username from the "Message" field and not from the "User" metadata field, which usually reads SYSTEM when the event was generated by a system account.
The Microsoft Windows Security DSM ignores these "User" metadata values by design because they represent system accounts, and many administrators prefer this behavior because they regard system-account logons as noise.
For more information, see the Windows System Events or Username$ Events Display N/A in the Username field article.
Resolving The Problem
How to create a custom field
- Go to the DSM Editor.
- Select the Microsoft Windows Security Event Log DSM.
- Confirm you are in the Properties tab, then click the blue button with a white plus sign on it.
- Scroll down and click Create New.
- Give it the name you want (in this example the field name is Windows User), confirm that the Field Type is Text, then click Save, then Select.
How to extract only the SYSTEM user
How to extract both users
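As an added illustration (not part of the IBM article or the DSM Editor itself), the following Python script applies single-capture-group regular expressions of the kind a custom property uses to a constructed event modelled on the one quoted above, pulling the "User" metadata value, the "User Name:" value inside Message, or both. The domain value and "Logon Type" tail in the sample are placeholders.

```python
import re

# Constructed sample event modelled on the one quoted in the article. The
# domain value and the "Logon Type" tail are placeholders, not from the page.
SAMPLE_EVENT = (
    "<13>Jun 23 12:03:29 MyServerName AgentDevice=WindowsLog AgentLogFile=Security "
    "Source=Security Computer=Server OriginatingComputer=x.x.x.1 User=SYSTEM "
    "Domain=NT AUTHORITY EventID=540 EventIDCode=540 EventType=8 EventCategory=2 "
    "Message=Successful Network Logon: User Name: SERVERFLOW2$ Domain: EXAMPLEDOM "
    "Logon Type: 3"
)

# One capture group each, the same shape a DSM Editor custom property expects:
# group 1 is the value the custom field receives.
USER_METADATA_RE = re.compile(r"\bUser=(\S+)")       # the "User" metadata field
MESSAGE_USER_RE = re.compile(r"User Name:\s*(\S+)")   # the account inside Message


def extract_metadata_user(event: str):
    """Return the 'User' metadata value (usually SYSTEM for system accounts)."""
    m = USER_METADATA_RE.search(event)
    return m.group(1) if m else None


def extract_message_user(event: str):
    """Return the 'User Name:' value from Message, the DSM's default choice."""
    m = MESSAGE_USER_RE.search(event)
    return m.group(1) if m else None


def extract_both_users(event: str):
    """Return both values side by side so neither is discarded as noise."""
    return {
        "metadata_user": extract_metadata_user(event),
        "message_user": extract_message_user(event),
    }


def is_machine_account(name):
    """Windows computer accounts end in '$' (for example SERVERFLOW2$)."""
    return bool(name) and name.endswith("$")


if __name__ == "__main__":
    print(extract_both_users(SAMPLE_EVENT))
```

Both patterns capture only the first non-whitespace run, so an account name containing spaces would need a pattern anchored on the following "Domain:" label instead.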
12 July 2022