We are not getting any logs for group membership changes. We are using the AD content pack and we don’t have any matching event id’s in our windows logs EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 (Group Creation). None of the other group logs are coming through either. I have made sure the audit policy changes are applied. Any ideas?
how did you collect the logs? How is the collector configured?
Just to ask the silly questions first:
- I assume you’re collecting the logs on all AD controllers, right?
- How are you collecting these logs? (like Jan asked)
- Are other logs from all AD controllers coming in?
First up, make sure that all AD DCs are logging into Graylog properly.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.