We have configured AD logon activity, but it doesn't seem to be that accurate, at least on our system. It is not showing all logon activity coming from computers. I know some auditing solutions have the option to configure auditing directly on the computers, so one can know who logs in locally or remotely, or even when you unlock the computer. I cannot find this option in Netwrix.
How does Netwrix collect this information: only from the DC, or does it include computers as well? Is there any more detailed documentation on this?
That depends. AD logon activity collects information from the DC. But you are welcome to add Windows computers as monitored systems to add logon activity from local logs.
These canned filters do not include 4801: The workstation was unlocked (https://www.ultimate...px?eventid=4801). A new filter will be needed for these, and they are not part of the ELM logon reports; the All Events by User will need to be used.
To add another filter, there is an example in KB1568, "How to configure real-time alert for specific events?": https://www.netwrix.com/kb/1568
**Just follow these under the inclusive filter part**
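Before adding the 4801 filter, it helps to confirm that the workstation actually writes the event to its local Security log. The following is an added example, not part of the original replies and not Netwrix code. It assumes an elevated PowerShell session on the workstation; the function names are hypothetical, and it also reads event 4800 (workstation locked), the companion event to 4801.

```powershell
# Added example: run elevated on the monitored workstation, not on the DC.
# 4800/4801 are only logged when the "Other Logon/Logoff Events" audit
# subcategory has Success auditing enabled. The GUID is locale-independent.
$SubcategoryGuid = '{0CCE921C-69AE-11D9-BED3-505054503030}'

function Get-LockUnlockAuditSetting {
    # auditpol /r emits CSV; drop blank lines before parsing.
    $csv = auditpol.exe /get /subcategory:$SubcategoryGuid /r |
        Where-Object { $_.Trim() }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

function Get-LockUnlockEvent {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Security'
        Id        = 4800, 4801
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent errors when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the named EventData fields into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Action    = if ($e.Id -eq 4800) { 'Locked' } else { 'Unlocked' }
            User      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            SessionId = $data.SessionId
        }
    }
}

$setting = Get-LockUnlockAuditSetting
"Other Logon/Logoff Events auditing: $setting"
# The setting text is localized; 'Success' matches English-language systems.
if ($setting -notmatch 'Success') {
    Write-Warning 'Success auditing is off, so 4800/4801 will not be logged.'
}
Get-LockUnlockEvent -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

If the table stays empty after locking and unlocking the workstation, the gap is in the local audit policy rather than in the collection filter.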
Thank you for the answer, it was very helpful to me. However, when I open the links, the images don't open. Is there a problem with that, or how can I open those? I tried from different computers, with different browsers.