Active Directory Audit - Reporting and Alerting for Graylog

dscryber · March 14, 2022, 5:06pm

Active Directory Audit - Reporting and Alerting

This Powershell script can be scheduled to run either daily or as frequently as you like to report on changes in the Active Directory.

Disclaimer: It’s only configured to search for specific event ids, so there may be other critical events that are not captured.

Graylog server
Must be configured to collect logs from all Domain Controllers
Graylog user
User must have access to a stream that contains Domain Controller security events
User’s timezone should be set to your local time
PowerShell (Tested with version 4)
Active Directory Module for Powershell
Domain user to run the script with

DrunkMunki · November 16, 2022, 5:39am

Although this was posted in March, there are some issues with the script which dont work, have raised the in the github page.
Nick-C has done a Pull request updating the code (haven’t tested yet) GitHub - Nick-C/graylog-ad-audit: A Powershell script that can query a Graylog server for changes to specified AD Groups and generate alert emails

this script is very useful and would like to make sure its maintained <3

Topic		Replies	Views
Graylog with o365Beat (Alerting and notifying) Graylog Central (peer support)	4	416	January 29, 2021
Properly setting up an alert Graylog Central (peer support)	1	516	March 1, 2019
Alert based on single field, but with multiple sources? Graylog Central (peer support) sidecar , nxlog , nodatanx	2	649	March 1, 2017
Setting up an alert condition - how to specify "today"? Graylog Central (peer support)	6	431	July 1, 2019
Aggregates Plugin for Graylog Plug-Ins plug-in	0	1865	February 17, 2022