I am working on deploying Ossec to monitor my failed login attempts from workstations now that I have deployed a password policy. Everything for Ossec so far is working for what I need out of the box with no customization's. What I have noticed now though is that all the other event id's related to login have the username where it shows (no user) in the following:
2014 Oct 31 12:18:56 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user):
4625 is the only one I've noticed so far that doesn't show the username. Does anyone know why? If I can fix that it would make this a lot easier. Thanks!