Thanks for the reply.
I figured that was the mechanism and the problem area. Does UDT first try to tie the learned IP address from the event log to a MAC learned from the switch arp/mac table polling or does it use DNS as well?
Either way I think for dynamic environments UDT information isn't very accurate unfortunately. The reason we got it was to try and map what users had what ips at what times and their locations but with the erroneous mappings it doesn't allow me to say for sure what those answers may be.