I want to collect log from user AD. I have used eventcode 4720 and eventcode 4624. i wonder how to combine these two events together and get table like this: host, RecordNumber, user_id, signature, status, admin_id, src_ip, logonby, logon_time, Create_time, Logon_ID
Hi SoknySplunk,
if you're already receiving logs from AD, try something like this
index=wineventlog sourcetype=WinEventLog:Security (EventCode=4720 OR EventCode=4624)
| table _time host RecordNumber user_id signature status admin_id src_ip logonby logon_time Create_time Logon_ID
verify if the field names are correct related to your logs.
Bye.
Giuseppe