Active Directory Audit - Not Collecting Data


#1

Greetings,

I’m trying to configure the Active Directory Auditing (NXLOG) content pack from the Graylog Marketplace (https://marketplace.graylog.org/addons/750b88ea-67f7-47b1-9a6c-cbbc828d9e25) and I can’t get any results in the search pane.

  • The content pack installed correctly.
  • I configured the nxlog file on my DC to point to the Graylog server and added _UDP after GELF in the output section.
  • I enabled all of the Group Policy Objects indicated in the readme (Audit Account Logon Events, Audit Account Management, Audit Logon Events, Audit Object Access, Audit Policy Change, Audit System Events).
  • I have another GELF_TCP input working, collecting Windows server event logs fine on port 12201 with nxlog, so I’ve done this correctly at least once before :)

I’m including my nxlog file below. If someone can please tell me what I’m missing, it would be greatly appreciated. I’ve been at this all day. Thank you in advance.

nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>
<Input in>
    # For Windows Vista/2008 and above use im_msvistalog (reads the Windows Event Log)
    Module      im_msvistalog
</Input>

<Output out>
    Module      om_udp
    Host        10.1.1.111
    Port        5414
    # GELF_UDP sends GELF datagrams to a Graylog "GELF UDP" input
    OutputType  GELF_UDP
</Output>

<Route 1>
    Path        in => out
</Route>

(Blake) #2

Hi Fodmidoid,

I haven’t used the content pack before, but I have a Windows DC successfully sending specific security event IDs manually. If it helps, I’ve included it below; I noticed a few small differences.

A few things to also try:

  • confirm a few events are showing first in Event Viewer (ensure the GPO is working)
  • confirm the nxlog service is running on the server, maybe restart it (check nxlog.log for errors)
  • unlikely, but check firewall rules on the Windows server
  • I noticed the content pack also required “Leading Wildcard Searches enabled in graylog.conf: allow_leading_wildcard_searches = true”; I’m not sure whether you’ve changed that

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*[System[(EventID=4720)]]</Select>\
                        <Select Path="Security">*[System[(EventID=4722)]]</Select>\
                        <Select Path="Security">*[System[(EventID=4725)]]</Select>\
                        snip ......
                    </Query>\
                </QueryList>
</Input>

<Output out>
    Module      om_udp
    Host        10.1.1.111
    Port        12201
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>

#3

Hi Blake,

Thank you very much for the reply. As soon as I came in this morning, I began checking the things you pointed out. Here are the results:

  • I went to the Event Viewer and, under Windows Logs -> Security, saw many entries that said Audit Success. I clicked on one and it shows EventID: 4624 (screenshot attached).
  • I confirmed the nxlog service is running and restarted it again.
  • No Windows firewalls are running on the server itself.
  • I changed the value of Leading Wildcard Searches enabled from False to True, but I did this in /etc/graylog/server/server.conf, not in graylog.conf. Is that my problem? If so, can you please direct me to the file path for graylog.conf? I found a graylog.conf file located at: /opt/graylog/conf/graylog.conf but it was an empty file. If that’s not the case, do you have any other ideas?

Should I be creating a separate Logon/Logoff Policy specifically for this, or should I be editing the existing Default Domain Controllers Policy? (I created a specific policy and linked it at the domain level).

Should I have installed sidecar as well? I don’t know if that helps anything here, but thought I’d ask.

Thanks again for your assistance. I’d really like to get this up and running today.


#4

I also want to mention that this is configured on a Windows Server 2008 R2 Primary Domain Controller. I’ve read on the web that if you’re configuring auditing on a 2008 R2, you should be doing it in the Advanced Audit Policy Configuration, instead of the legacy Local Policies area of the Security Settings (screenshot attached and both areas outlined in red). I configured mine in the legacy Local Policies section as that was the only place that clearly marked each of the policies indicated in the Content Pack requirements. If I should be using the Advanced section, can someone tell me what exactly I should be doing?
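The question above is which of the two GPO sections actually controls auditing on a 2008 R2 DC. The following is an added example, not something posted in this thread, showing how to read the effective audit policy on the DC with auditpol, check whether the advanced (subcategory) settings are overriding the legacy categories, enable the six categories the content pack asks for, and confirm that the Security log is receiving the event IDs mentioned in this thread. It assumes an elevated PowerShell session on the DC; the function names, the category-to-subcategory mapping and the registry check are mine. A Group Policy refresh will reapply whatever the linked GPO sets, so auditpol is used here to inspect and to test quickly, and the lasting setting should go into the GPO.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DC.

# Legacy category names from the content pack readme, mapped to the names auditpol uses.
$ContentPackCategories = @(
    "Account Logon",        # Audit Account Logon Events
    "Account Management",   # Audit Account Management
    "Logon/Logoff",         # Audit Logon Events
    "Object Access",        # Audit Object Access
    "Policy Change",        # Audit Policy Change
    "System"                # Audit System Events
)

function Get-EffectiveAuditPolicy {
    # /r prints CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting), which ConvertFrom-Csv turns into objects.
    auditpol /get /category:* /r | ConvertFrom-Csv
}

function Test-SubcategoryOverride {
    # SCENoApplyLegacyAuditPolicy = 1 is what the GPO setting "Audit: Force audit policy
    # subcategory settings (Windows Vista or later) to override audit policy category
    # settings" writes. When it is 1, the advanced (subcategory) policy takes precedence
    # and the legacy Local Policies section is ignored.
    $lsa = Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa `
                            -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
        "advanced (subcategory) audit policy overrides the legacy categories"
    } else {
        "legacy category audit policy is in effect"
    }
}

function Enable-ContentPackAuditing {
    # Enabling a whole category turns on every subcategory beneath it, for success and failure.
    # This changes the local effective policy only; the next GPO refresh may reset it.
    foreach ($c in $ContentPackCategories) {
        auditpol /set /category:"$c" /success:enable /failure:enable | Out-Null
    }
}

function Test-RecentSecurityEvents {
    # Event IDs cited in this thread: 4624 (logon), 4720/4722/4725 (account management).
    param([int[]]$Ids = @(4624, 4720, 4722, 4725), [int]$Minutes = 60)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $Ids
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue | Group-Object Id | Select-Object Name, Count
}

# Usage: inspect first, then decide whether to change anything.
Test-SubcategoryOverride
Get-EffectiveAuditPolicy |
    Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Format-Table Subcategory, 'Inclusion Setting' -AutoSize
Test-RecentSecurityEvents
# Enable-ContentPackAuditing   # uncomment to enable locally; put the lasting change in the GPO
```

If Test-RecentSecurityEvents returns counts for the IDs you expect, the audit policy side is fine and the missing messages are between nxlog and the Graylog input; if it returns nothing, compare the auditpol output with what the GPO is supposed to set before touching nxlog at all.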


#5

I managed to get this working by opening the associated port (UDP 5414) on the Graylog firewall.

Thanks, once again, to Blake for providing a list of things to try which, ultimately, led to me getting this figured out.
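The resolution above was a host firewall on the Graylog server silently dropping UDP 5414. Since UDP gives the sender no error in that case, a quick way to separate "nxlog is not sending" from "the network path is blocked" is to hand-craft one GELF datagram and send it yourself. The following is an added example, not code from this thread or from nxlog or Graylog, that builds a minimal GELF 1.1 message and sends it over UDP; it assumes the Graylog address 10.1.1.111 and port 5414 from the thread, and the function name, the "_test" field and the message text are mine.

```powershell
# Added example (not from the thread): send one GELF test message over UDP to the
# Graylog input so the firewall/port path can be checked without nxlog in the loop.
function Send-GelfTestMessage {
    param(
        [string]$GraylogHost = "10.1.1.111",     # assumption: Graylog server from the thread
        [int]$Port = 5414,                        # assumption: port of the GELF UDP input
        [string]$Message = "GELF path check from $env:COMPUTERNAME",
        [switch]$Compress                         # gzip the datagram; Graylog accepts plain, gzip or zlib
    )

    # Minimal GELF 1.1 document: version, host and short_message are mandatory.
    # Additional fields must start with "_"; Graylog stores "_test" as the field "test".
    $escaped   = $Message -replace '\\', '\\' -replace '"', '\"'
    $unixTime  = ([DateTime]::UtcNow - [DateTime]'1970-01-01').TotalSeconds
    # InvariantCulture so the decimal separator is "." whatever the server locale is.
    $timestamp = [math]::Round($unixTime, 3).ToString([System.Globalization.CultureInfo]::InvariantCulture)
    $json = '{"version":"1.1","host":"' + $env:COMPUTERNAME + '","short_message":"' + $escaped +
            '","timestamp":' + $timestamp + ',"level":6,"_test":1}'

    $payload = [System.Text.Encoding]::UTF8.GetBytes($json)
    if ($Compress) {
        $ms = New-Object System.IO.MemoryStream
        $gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
        $gz.Write($payload, 0, $payload.Length)
        $gz.Close()                  # flushes the gzip trailer into $ms
        $payload = $ms.ToArray()
    }
    # One GELF UDP datagram carries at most 8192 bytes; anything larger must be chunked,
    # which this test avoids by keeping the message short.
    if ($payload.Length -gt 8192) { throw "payload of $($payload.Length) bytes would need GELF chunking" }

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $sent = $udp.Send($payload, $payload.Length, $GraylogHost, $Port)
    } finally {
        $udp.Close()
    }
    # UDP has no acknowledgement: a successful Send only proves the packet left this host.
    "sent $sent bytes to ${GraylogHost}:$Port/udp; now search Graylog for  test:1"
}

Send-GelfTestMessage
Send-GelfTestMessage -Compress
```

Run it from the DC while watching the input's throughput on the Graylog side (System > Inputs), or with `tcpdump -ni any udp port 5414` on the Graylog host. If tcpdump sees the datagram but the input shows nothing, the problem is the input configuration or, as in this thread, a host firewall on the Graylog server; if nothing arrives at all, the drop is somewhere on the network between the two hosts.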


(Blake) #6

Sorry for the late reply, have been on leave.
You’re most welcome. Nice work on getting it working!

