We have a batch search that looks for password changes on Windows boxes that happened "yesterday" and sorts the results by what system the change took place on.
"Change Password Attempt" OR "attempt was made to change" | rex "Caller User Name:\s(?<Caller_User_Name>\S+).*" | rex "Target Account Name:\s(?<Target_Account_Name>\S+).*" | sort host
The results are mailed out in a spreadsheet to be reviewed.
If a user has more than 1 password change on a system I would like to be able to have the results show a summary indicating that the user had x password changes rather than multiple lines each listing 1 occurrence of a change. I still want the results to be separated by host, so if a user changed their password on more than one system, they will show up under each system as having changed their password x times on that system.
Thanks,
Bill
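One way to get the per-host, per-user summary asked for above, as an added example that is not part of the original post: the same search and extractions, with `stats` collapsing repeated changes into one row per host and account. The output field names `password_changes`, `first_change` and `last_change` and the `unknown` placeholder are assumptions chosen for illustration; the `fillnull` step is there because `stats ... BY` silently drops events where a `rex` extraction did not match.

```spl
"Change Password Attempt" OR "attempt was made to change"
| rex "Caller User Name:\s(?<Caller_User_Name>\S+)"
| rex "Target Account Name:\s(?<Target_Account_Name>\S+)"
| fillnull value="unknown" Caller_User_Name Target_Account_Name
| stats count AS password_changes,
        min(_time) AS first_change,
        max(_time) AS last_change
        BY host, Target_Account_Name, Caller_User_Name
| convert ctime(first_change) ctime(last_change)
| sort 0 host, -password_changes
```

Keeping `Caller_User_Name` in the `BY` clause separates a user changing their own password from another account changing it for them, which is usually the row a reviewer wants to see first.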