We have configured AD logon activity, but it doesn't seem to be that accurate, at least on our system. It is not showing all logon activity coming from computers. I know some auditing solutions have the option to configure auditing directly on the computers, so one can know who logs in locally or remotely, or even who unlocks the computer. I cannot find this option in Netwrix.
How does Netwrix collect this information: only from the DC, or from computers as well? Is there any more detailed documentation on this?
These canned filters do not include 4801: The workstation was unlocked (https://www.ultimate...px?eventid=4801). A new filter will be needed for these. They are not part of the ELM logon reports; the All Events by User report will need to be used.
To add another filter, there is an example in KB1568, "How to configure real-time alert for specific events?": https://www.netwrix.com/kb/1568
**Just follow these under the inclusive filter part**
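
Before building the 4801 filter, it helps to confirm that the workstation actually writes that event to its Security log. The script below is an added example, not part of the original thread and not Netwrix code. It assumes an elevated session on the workstation, an English-language Windows install (for the audit subcategory name), and a 7-day look-back window chosen for illustration.

```powershell
# Added example: check that this workstation records event 4801
# ("The workstation was unlocked") and list recent occurrences.
param(
    [int]$Days = 7   # look-back window (assumed value)
)

# 4801 is only written when the "Other Logon/Logoff Events" audit
# subcategory logs Success, so show the current setting first.
auditpol /get /subcategory:"Other Logon/Logoff Events"

$filter = @{
    LogName   = 'Security'
    Id        = 4801
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent reports an error when nothing matches the filter,
# so suppress it and test for an empty result instead.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4801 events in the last $Days days. Check the audit setting above."
    return
}

$events | ForEach-Object {
    # Read the fields by name from the event XML rather than by position.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Computer    = $_.MachineName
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SessionId   = $data['SessionId']
    }
} | Sort-Object TimeCreated | Format-Table -AutoSize
```

If the script returns no events on a machine that is locked and unlocked daily, the audit subcategory is the first thing to check, since a collector filter cannot report events the workstation never logs.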