I have a very simple search/chart to look for failed logons on my domain:
EventCode=4625 Account_Name="*" | timechart count by Account_Name
Problem is, MS in their wisdom has decided to include two entries in the event called "Account_Name", one that is never used (labelled as "-") and the actual one you want.
So, when I do the query (chart), I get a combination of the account names that failed AND a bogus account ("-") that skews all the results with what's basically an overall total.
How can I simply tell it to NOT show the "-" in the results of the search?
Something to the effect of (yes, I know this doesn't work):
EventCode=4625 Account_Name="*" | timechart count by Account_Name | NOT "-"
Thanks,
(please don't tell me to write regex to fix this... 😉)
Does this work?
EventCode=4625 Account_Name="*" NOT Account_Name="*-*" | timechart count by Account_Name
Regards
sample of the area I'm talking about:
"
Subject:
Security ID: S-1-5-18
Account Name: SERVERNAME$
Account Domain: PORT
Logon ID: 0x3e7
Logon Type: 10
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: bubba
Account Domain: PORT
"
I just want to know about Bubba's failed logon, not "SERVERNAME$" or "-". This can't be the first time this has been asked...
Those results filter it down alright, but it finds the instances where the "-" is replaced by the name of the server -- that's just as bad as having a boat full of "-" as results -- it doesn't boil it down to the account names that failed a logon.
So I guess an extension of my original question is to return the Account_Names -- without the "-" or the name of the server (why is the servername even listed as an Account Name anyways, Redmond? geez!).
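The root of the problem in this thread is that a 4625 event carries two "Account Name:" lines: the one under "Subject:" (the process or host that requested the logon, typically "-" or the computer account) and the one under "Account For Which Logon Failed:" (the account you actually care about). Filtering values out after the fact cannot fix that; the field has to be read from the right section. The following is an added example, not code from the original post or from Splunk: it builds a few constructed 4625 message bodies (the sample layout and names are made up), shows why counting every "Account Name:" value gives the skewed result described above, and then counts only the target account. Anything named here (make_event, target_account, failed_logons_by_account) is this example's own.

```python
import re
from collections import Counter
from typing import Iterable, Optional


def make_event(subject: str, target: str, logon_type: int) -> str:
    """Build a constructed 4625 message body in the legacy text layout.

    Both "Account Name:" lines are present, just as in the real event:
    the Subject (requester) first, the failing account second.
    """
    return (
        "An account failed to log on.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n"
        f"\tAccount Name:\t\t{subject}\n"
        "\tAccount Domain:\t\tPORT\n"
        "\tLogon ID:\t\t0x3e7\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        "Account For Which Logon Failed:\n"
        "\tSecurity ID:\t\tS-1-0-0\n"
        f"\tAccount Name:\t\t{target}\n"
        "\tAccount Domain:\t\tPORT\n"
    )


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    make_event("SERVERNAME$", "bubba", 10),  # RDP attempt: subject is the host itself
    make_event("-", "bubba", 3),             # network logon: subject is "-"
    make_event("-", "alice", 3),
    make_event("-", "-", 3),                 # empty target name: nothing to attribute
]

# re.S lets ".*?" span lines, so each pattern captures the first
# "Account Name:" that follows its section header and no other.
SUBJECT_RE = re.compile(r"Subject:.*?Account Name:\s*(\S+)", re.S)
TARGET_RE = re.compile(r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)", re.S)


def subject_account(message: str) -> Optional[str]:
    """Account under "Subject:" (requester), or None if absent."""
    m = SUBJECT_RE.search(message)
    return m.group(1) if m else None


def target_account(message: str) -> Optional[str]:
    """Account under "Account For Which Logon Failed:", or None if absent."""
    m = TARGET_RE.search(message)
    return m.group(1) if m else None


def naive_counts(messages: Iterable[str]) -> Counter:
    """What you get by counting every "Account Name:" value in the event.

    This reproduces the skewed chart: "-" and the server account show up
    alongside the real user names.
    """
    counts: Counter = Counter()
    for msg in messages:
        counts.update(re.findall(r"Account Name:\s*(\S+)", msg))
    return counts


def failed_logons_by_account(messages: Iterable[str]) -> Counter:
    """Failed-logon count keyed only by the account that failed.

    The Subject section is ignored entirely, so neither "-" nor the
    computer account from that section can leak into the result.
    A target of "-" carries no account to attribute and is dropped.
    """
    counts: Counter = Counter()
    for msg in messages:
        name = target_account(msg)
        if name is None or name == "-":
            continue
        counts[name] += 1
    return counts


if __name__ == "__main__":
    print("naive :", dict(naive_counts(SAMPLE_EVENTS)))
    print("target:", dict(failed_logons_by_account(SAMPLE_EVENTS)))
```

The same idea applies in the search itself: pick the target value positionally instead of filtering values away. Assuming Splunk's Windows add-on extracts Account_Name as a multivalue field in Subject-then-target order (the order the message body uses), `| eval Account_Name=mvindex(Account_Name,1)` before the timechart keeps only the second value, which is the account that failed, without any regex.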