1. The WSA access logs contain the username in almost all cases, because the user attempts to access the URL after logging in to the system. When integrated with AD and NTLM or Kerberos is being used, all access requests will reach WSA with the username.
2. In rare occurrences when the client machine attempts to reach out to the internet before the user could log in, only then will the request have the machine name.
3. WSA will attempt to authenticate whatever came to it first (user or machine).
So the probability of seeing the machine name in the access logs is low.
Regards, Ashish Varghese *** Rate All Helpful Responses ***
For investigating a user's activity over the past month with the user ID, you can go to Reporting --> Users. Put in the user ID under the section "Users", then click on "Find User ID or client IP". Click on the user ID and this should give you the URL categories that the user transaction matched and the domains matched. Remember to select the time range as "30 days" on the top left.
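When working from exported access logs rather than the Reporting page, the user-versus-machine distinction described above can be checked with a short script. This is an added example, not part of the original replies: it assumes the squid-style access log layout with the authenticated identity in the 8th whitespace-separated field (`-` when absent) and the AD convention that computer account names end in `$`. The log lines, names and realm are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample lines (assumed squid-style layout, identity in field 8).
SAMPLE_LOG = r'''
1700000001.100 45 10.0.0.21 TCP_MISS/200 5120 GET http://example.com/ "LAB\jsmith@LABREALM" DIRECT/example.com text/html DEFAULT_CASE_11 <-> -
1700000002.200 30 10.0.0.22 TCP_MISS/200 812 GET http://updates.example.net/a "LAB\WS-0042$@LABREALM" DIRECT/updates.example.net text/plain DEFAULT_CASE_11 <-> -
1700000003.300 12 10.0.0.21 TCP_DENIED/403 0 GET http://blocked.example.org/ "LAB\jsmith@LABREALM" NONE/- - BLOCK_WEBCAT_11 <-> -
1700000004.400 9 10.0.0.23 TCP_DENIED/407 0 GET http://example.com/ - NONE/- - OTHER-NONE <-> -
'''

def account_name(identity):
    """Strip quotes, the trailing @realm and the leading DOMAIN\\ prefix."""
    name = identity.strip('"').rsplit("@", 1)[0]
    return name.split("\\")[-1]

def classify(identity):
    """Return 'unauthenticated', 'machine' or 'user' for an identity field."""
    if identity in ("-", '"-"', ""):
        return "unauthenticated"
    # Assumption: AD computer accounts carry a trailing '$'.
    return "machine" if account_name(identity).endswith("$") else "user"

def summarize(log_text):
    """Count identity kinds and list client IPs seen with a machine identity."""
    kinds = Counter()
    machine_clients = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:          # skip blank or truncated lines
            continue
        client_ip, identity = fields[2], fields[7]
        kind = classify(identity)
        kinds[kind] += 1
        if kind == "machine":
            machine_clients[client_ip].add(account_name(identity))
    return kinds, dict(machine_clients)

if __name__ == "__main__":
    kinds, machines = summarize(SAMPLE_LOG)
    print(dict(kinds))
    for ip, names in machines.items():
        print(ip, sorted(names))
```

Client IPs that show up with a machine identity can then be looked up by IP in the same "Find User ID or client IP" search.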