So I have file share auditing enabled on a file server. The event log collects data every time a share is accessed and the events in the event viewer are easily readable and contain all of the information I need. When those events get pushed to the LEM server, I get pretty useless data from LEM.
From the event log entry I get the following required information:
Account name
Account domain
Source address
Source port
Share name
Share Path
In LEM I get nothing but the event info, which just says an object access event occurred; it does not tell me the source address, source port, share name, or the share path. It does give me the account name and domain, but those are only displayed within the eventinfo line; they are not listed under SourceAccount, DestinationAccount, DestinationDomain or any other areas, so I cannot sort by user in nDepth, which is critical.
So basically LEM omits any actual useful data from these events... Is there a way to change how LEM handles these events or am I just screwed?