This is a screenshot from an Application log which shows me two different usernames.
Marked with orange and number 1 have the same username. Marked with blue is a different username. Why is destination user name different from the User field?
Because user b logged in to the database server (on the windows system) and the IP of the server was associated with this user.
A session from user a only shows this information as this information was not deleted (has not timed out).
Destination Username is the one associated to destination IP.
Associated in which way? Can you explain more please.
By identity awareness depending on your configuration. I assume ADquery or IDC.
I understand that. But if user a access a MS-SQL database, why is a different user b shown on destination username?
Thanks for explaining. Since this was a correlated log showing user a accessing a database I don't see the point in this log of having the information about user b that is associated with that server. Do you?
I wouldn't need this information, but better have an information I don't need, than omitting it :-)
Btw. if you don't need identity awareness on your servers (as source), you could exclude the server networks generally from IDC or ADquery.
Retrieving data ...