Hi all,
I think there is a misunderstanding. According to your *full_log*, I can
see 2 "Account name" fields: the first one is *SubjectUserName*, and the
second one is *TargetUserName*. We are only extracting the *SubjectUserName*
as *Account name*. So, if you paste your log here, I can
Hi AntonH,
I can see your full_log on Kibana screenshots, it seems like even OSSEC is
not getting that field on the raw_log, meaning we are not extracting it
from the EventChannel.
Currently OSSEC is not extracting all the field details in the XML. Related
code:
Hi AntonH,
You don't see *TargetUserName* in Kibana because the OSSEC decoders are not
extracting that field. We will need to improve them.
Could you paste the raw log (*full_log*) here? Once we update the decoders
and you install them, the new events will come with the *TargetUserName*
On Fri, May 12, 2017 at 4:40 AM, AntonH wrote:
> Hello,
>
> I'm using Wazuh and I don't know how to map TargetUserName to an indexed
> field.
> Security events are generated but the associated username is not mapped so
> there is no way to search for or display the
Hello,
I'm using Wazuh and I don't know how to map *TargetUserName* to an indexed
field.
Security events are generated but the associated username is not mapped so
there is no way to search for or display the culprit.
The field marked yellow is not mapped or indexed.
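
Added example, not part of the thread and not OSSEC or Wazuh decoder code: a Python sketch of why a single "Account Name" capture returns only the subject account, and how keying each capture to its section header recovers both *SubjectUserName* and *TargetUserName*. The sample log line, its section labels and all account values are constructed for illustration.

```python
import re

# Constructed sample in the style of a flattened Windows Security event
# message; every name and value here is made up, not taken from the thread.
SAMPLE_LOG = (
    "An attempt was made to reset an account's password. "
    "Subject: Security ID: S-1-5-21-0-0-0-1001 Account Name: helpdesk01 "
    "Account Domain: EXAMPLE Logon ID: 0x3e7 "
    "Target Account: Security ID: S-1-5-21-0-0-0-1105 Account Name: jdoe "
    "Account Domain: EXAMPLE"
)

ACCOUNT_RE = re.compile(r"Account Name:\s+(\S+)")
SECTION_RE = re.compile(r"(Subject|Target Account):")

# Assumed mapping from section header to the field names used in the thread.
FIELD_FOR_SECTION = {
    "Subject": "SubjectUserName",
    "Target Account": "TargetUserName",
}


def first_match_only(log):
    """A single-capture extraction: only the first 'Account Name' survives."""
    match = ACCOUNT_RE.search(log)
    return match.group(1) if match else None


def by_section(log):
    """Attribute each 'Account Name' to the section header that precedes it."""
    fields = {}
    headers = list(SECTION_RE.finditer(log))
    for i, header in enumerate(headers):
        # A section runs from its header to the next header (or end of log).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log)
        match = ACCOUNT_RE.search(log, header.end(), end)
        if match:
            fields.setdefault(FIELD_FOR_SECTION[header.group(1)], match.group(1))
    return fields


if __name__ == "__main__":
    print("first match only:", first_match_only(SAMPLE_LOG))
    print("by section:", by_section(SAMPLE_LOG))
```

An event without a target section yields only `SubjectUserName`, so searches and alerts built on `TargetUserName` should tolerate the field being absent.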