@panwreaper - Correct, it is set to NetBIOS. I have set the domain to 'domain' not 'domain.local'
The userid agent is supposed to simply pick up logs
Is it possible that it is either reading 2 different sources, or the eventlog is getting populated by 2 processes that write the username differently?
One workaround would be to set up thebignire_user_list.txt and exclude either domain\* or *@domain, but it would be better if you figure out why the userid agent is seeing both and suppress one source
I think there is something to what you are saying, however I will look into it tomorrow with a colleague. I have deployed User-ID in other environments before and not had this issue, there is something peculiar with this AD setup I am thinking.
The ignore text file which you meantion here, I have not seen a guide mention it, apologies if I have missed this though. Is this a file that should exist on the User-ID agent servers?
The file doesn't exist, you need to create it
This is a bit of tribal knowledge
Hey mate, looks like this has really started to filter out the @domain SAM log entries. I will let this run over night and for some of the day tomorrow then begin testing some rules to see how it goes now with this filter and then let you know if this has solved it.
Really appreciate the help!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!