locked
Change syslog suser field to UPN or SAMAccountName rather than display name RRS feed

  • Question

  • The syslog output seems to use display name rather than a real login name.   This makes correlation with other logs hard in the receiving SIEM.

    Can this be configured in an alert template?

    Friday, October 12, 2018 12:54 PM

All replies

  • The template can't be modified by customers, it's hard coded.

    Its true that for *some* of the alerts suser uses display name instead of  the alias ( I think LDAP BF is one example), but most will use the alias.

    we got this feedback before and there is a change request pending triage for making all alerts use alias.

    Can't tell you exact status, or if this DCR would be accepted and when...

    Friday, October 12, 2018 8:44 PM