Active Directory Audit - Reporting and Alerting for Graylog

Active Directory Audit - Reporting and Alerting


View on Github
Open Issues


This Powershell script can be scheduled to run either daily or as frequently as you like to report on changes in the Active Directory.

Disclaimer: It’s only configured to search for specific event ids, so there may be other critical events that are not captured.


  • Graylog server
  • Must be configured to collect logs from all Domain Controllers
  • Graylog user
  • User must have access to a stream that contains Domain Controller security events
  • User’s timezone should be set to your local time
  • PowerShell (Tested with version 4)
  • Active Directory Module for Powershell
  • Domain user to run the script with

Although this was posted in March, there are some issues with the script which dont work, have raised the in the github page.
Nick-C has done a Pull request updating the code (haven’t tested yet) GitHub - Nick-C/graylog-ad-audit: A Powershell script that can query a Graylog server for changes to specified AD Groups and generate alert emails

this script is very useful and would like to make sure its maintained <3