Active Directory Audit - Reporting and Alerting for Graylog

dscryber · March 14, 2022, 5:06pm

Active Directory Audit - Reporting and Alerting

This Powershell script can be scheduled to run either daily or as frequently as you like to report on changes in the Active Directory.

Disclaimer: It’s only configured to search for specific event ids, so there may be other critical events that are not captured.

Graylog server
Must be configured to collect logs from all Domain Controllers
Graylog user
User must have access to a stream that contains Domain Controller security events
User’s timezone should be set to your local time
PowerShell (Tested with version 4)
Active Directory Module for Powershell
Domain user to run the script with

DrunkMunki · November 16, 2022, 5:39am

Although this was posted in March, there are some issues with the script which dont work, have raised the in the github page.
Nick-C has done a Pull request updating the code (haven’t tested yet) GitHub - Nick-C/graylog-ad-audit: A Powershell script that can query a Graylog server for changes to specified AD Groups and generate alert emails

this script is very useful and would like to make sure its maintained <3

Topic		Replies	Views
Active Directory Auditing Graylog Central (peer support)	3	1342	March 15, 2023
Active Directory Auditing (NXLOG) - Graylog 2.x Content Pack content-pack	0	3137	March 7, 2022
Active Directory Auditing (WinLogBeats) - Graylog 3.0.2+ Content Pack content-pack	1	7165	August 25, 2022
Active Directory Logon / Logoff events Graylog Central (peer support) pipeline-rules	4	2100	August 16, 2020
Active directory Logs Graylog Central (peer support)	2	364	November 14, 2023