Audit AD in graylog

Hi !
I use version 4 of graylog to centralize all my authentication logs of my Active Directory. So I receive logs of login authentications, closing … But in my logs, I don’t see the name of the authenticated machine. Is this normal? Does anyone have an idea to solve this problem please!

Hey @Kamsy

Are you referring to the message field, where you don't see the authenticated machine?
Or the AD DC server? To help you further we would need more information pertaining to this setup and configuration.

Hi Gsmith,
In the message field, I don't see the authenticated machine.

Config winlogbeat in graylog:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["Graylog Server:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat.event_logs:
   - name: Microsoft-Windows-Sysmon/Operational
   - name: Application
   - name: System
   - name: Security
     event_id: 4624, 4625, 4634

For sidecar, I use the default sidecar config.
I just replaced the IP address of my Graylog server and added an API token for the graylog-sidecar user.

Hi gsmith,
I tried this nxlog config:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    # For windows vista/2008 and above use:
    Module      im_msvistalog

    # For windows 2003 and earlier use the following:
    #   Module      im_mseventlog
</Input>

<Output out>
    Module      om_udp
    # om_udp needs the destination host; placeholder, set it to your Graylog server
    Host        GRAYLOG_SERVER
    Port        5414
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>

But I still don't see the authenticated machine.

This is my message field.


L’ouverture de session d’un compte s’est correctement déroulée.

You can double check your settings on the AD server. I know both of mine do not have those field/s called Workstation; that is reserved for actual workstations, not Active Directory or DNS servers.

You can try these steps see if that will work for ya

Log in to the Windows Server with administrative privileges.
Go to Start → Administrative tools → Group policy management console.
Navigate to the concerned domain/OU that contains the objects you want to audit.
Right-click on the concerned GPO, and select Edit. The Group Policy Management Editor will open up.
Go to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policies.
Select Audit object access and Audit directory service access. Select both the Success and Failure options to audit all accesses to every Active Directory object.

Should see something like this

I have made this modification on my Windows Server, but I don't see the authenticated machine.
Thanks gsmith for your help!
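An added example, not code from the thread, Graylog or winlogbeat, showing where the machine name actually lives in a Security 4624 event collected with the winlogbeat config above: the message field carries only the localized summary sentence, while the Workstation Name and Source Network Address are separate event_data fields. The record layout follows winlogbeat's event_data naming (winlogbeat.event_data.WorkstationName etc.) and the values are constructed for the example.

```python
import json

# Constructed sample (not from the thread): a winlogbeat-style record for a
# successful logon (4624). Detail fields sit under winlogbeat.event_data;
# field names assumed from winlogbeat's documented output layout.
SAMPLE_4624 = json.dumps({
    "winlogbeat": {
        "event_id": 4624,
        "channel": "Security",
        "computer_name": "DC01.example.local",
        "event_data": {
            "TargetUserName": "jdoe",
            "TargetDomainName": "EXAMPLE",
            "LogonType": "3",
            "WorkstationName": "-",   # Windows often leaves this "-" for network logons
            "IpAddress": "10.0.20.45",
        },
    },
    "message": "L'ouverture de session d'un compte s'est correctement déroulée.",
})

LOGON_TYPES = {"2": "Interactive", "3": "Network", "7": "Unlock",
               "10": "RemoteInteractive", "11": "CachedInteractive"}

def summarize_logon(record_json):
    """Return who logged on, from where, and onto which host for a 4624
    record; None for any other event id."""
    rec = json.loads(record_json)
    wl = rec.get("winlogbeat", {})
    if wl.get("event_id") != 4624:
        return None
    data = wl.get("event_data", {})
    workstation = data.get("WorkstationName", "")
    ip = data.get("IpAddress", "")
    # Windows writes "-" when a value is not available; treat it as missing
    workstation = None if workstation in ("", "-") else workstation
    ip = None if ip in ("", "-") else ip
    return {
        "user": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        "logon_type": LOGON_TYPES.get(data.get("LogonType", ""), "Other"),
        "workstation": workstation,
        "source_ip": ip,
        # best available origin: workstation name, else source IP, else the local host
        "origin": workstation or ip or wl.get("computer_name"),
        "logged_on_to": wl.get("computer_name"),
    }

if __name__ == "__main__":
    print(summarize_logon(SAMPLE_4624))
```

In Graylog the same fields arrive flattened (for example winlogbeat_event_data_WorkstationName), so the check is on those fields rather than on the message text.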