You might have the timeout set too low. Default is 45 mins. I have mine set to 24 hours. Some suggest 8 is OK but it depends on domain activity.
@MickBall We have it for 15 hours and even if it was 45mins that would not explain why within matter of minutes there is username associated for some traffic while not for other.
Yes i can now see that in your original post. How many servers are you monitoring. Could it be that one of them is not reading the security logs correctly and overwriting the correct information.
If you are using exchange, I would suggest checking against it. The reason is that when Outlook is open it is authenticating very frequently.
@MickBall and @OtakarKlier Thanks for suggestions. But how would i check/determine if some server is not reading security logs correctly. We are using 3 of them. Also there is no exchange server, its O365 that we have.
I did install agent on 1 of them and it seems better, but i will monitor and update
To test this i would remove 2 servers from user id and see what happens, then add a second, monitor, then add the third.... it should not cause any issues as you seem not to be using id’s for policies.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!