We are not getting any logs for group membership changes. We are using the AD content pack and we don't have any matching event IDs in our Windows logs: EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 (Group Creation). None of the other group logs are coming through either. I have made sure the audit policy changes are applied. Any ideas?
How did you collect the logs? How is the collector configured?
Just to ask the silly questions first:
- I assume you’re collecting the logs on all AD controllers, right?
- How are you collecting these logs? (like Jan asked)
- Are other logs from all AD controllers coming in?
First up, make sure that all AD DCs are logging into Graylog properly.
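An added diagnostic script (not posted in this thread) that covers both the question's missing group-creation event IDs and the replies' "are all DCs logging?" check: for every domain controller it reads the effective audit setting for the subcategory those events belong to and then looks in the local Security log for the IDs. It assumes the RSAT ActiveDirectory module and WinRM/remote event-log access to each DC.

```powershell
# Added diagnostic (not from the thread). Assumes the RSAT ActiveDirectory
# module and PowerShell remoting / remote event-log access to every DC.
Import-Module ActiveDirectory

# Group-creation event IDs named in the question (4727/4731 are the
# Vista+ equivalents of the legacy 631/635/658 IDs).
$groupEventIds = 4727, 4731, 631, 635, 658
$since = (Get-Date).AddDays(-1)

foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName
    Write-Host "=== $name ==="

    # 1. Is the effective audit policy actually enabled on this DC?
    #    Group events live under Account Management > Security Group Management.
    $policy = Invoke-Command -ComputerName $name -ScriptBlock {
        auditpol.exe /get /subcategory:"Security Group Management" /r
    }
    $row = $policy | ConvertFrom-Csv | Select-Object -First 1
    Write-Host ("  Audit setting: {0}" -f $row.'Inclusion Setting')

    # 2. Does the local Security log hold any of the expected events?
    #    If it does, the gap is in collection/forwarding, not in auditing.
    $events = Get-WinEvent -ComputerName $name -FilterHashtable @{
        LogName = 'Security'; Id = $groupEventIds; StartTime = $since
    } -MaxEvents 20 -ErrorAction SilentlyContinue
    if ($events) {
        Write-Host ("  {0} group event(s) since {1}; newest: {2} (ID {3})" -f
            $events.Count, $since, $events[0].TimeCreated, $events[0].Id)
    } else {
        Write-Host "  No group events in the local Security log; check GPO/auditpol."
    }
}
```

If a DC shows "Success" (or "Success and Failure") and local events but nothing reaches Graylog, the problem is on the collector side; if the setting reads "No Auditing", the GPO is not applying on that DC.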