Active Directory Auditing (NXLOG) - Graylog 2.x
Content Pack
Published: 23 Sep 14:25
Last Push: 11 May 09:38
Discussion
33 Comments
Comments
Has anyone had any luck getting this to work with Graylog 3?
more people need to use graylog
works fine thank you
lol
I managed to get this working by opening port(s) on the Graylog firewall. The only thing I'm having trouble with now is getting DNS results to show up for this content pack. If anyone could point me in the right direction, I'd appreciate it. Thanks.
If someone could please help, I would be so grateful.
The content pack installed correctly.
I configured the nxlog file on my DC to point to the Graylog server and added _UDP after GELF in the output section.
I enabled all of the Group Policy Objects indicated in the readme (** Audit Account Logon Events ** Audit Account Management ** Audit Logon Events ** Audit Object Access ** Audit Policy Change ** Audit System Events).
I have another GELF_TCP input working, collecting Windows server event logs on port 12201 with nxlog, so I've done this correctly at least once before :)
I'm including my nxlog file below. If someone can please tell me what I'm missing, it would be greatly appreciated. I've been at this all day. Thank you in advance.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
    Module xm_gelf
</Extension>
# For windows vista/2008 and above use:
<Input in>
    Module im_msvistalog
</Input>
# The <Output out> section (om_udp, OutputType GELF_UDP, Host, Port) did not survive in the post.
<Route 1>
    Path in => out
</Route>
Still works fine on GrayLog 2.4.6
How to Install this dashboard?
under "Output out" section. Sorry my words got cut off.
michmich9337: if you copied and used the nxlog.conf file listed with no modifications, you need to specify the name of your graylog server instance or IP instead of "graylog.server.com" for "Host" under "
Hi!
Does it need a query to be functional?
Because I simply copied/pasted nxlog.conf and no data is sent :/
Thanks!
Hi Guys!!! I'm trying to find out how to install this Content Pack. Can someone explain to me how to install it in my Graylog? Thanks!!!
This is working great on Graylog 2.2.3. But I just don't have data for the DNS related dashboards and I think it's due to my nxlog filter not sending the associated event IDs.
Just installed this on Graylog 2.2.3 and it appears to be working at first glance. Will report back on usage. Thank you!
Does this work with Graylog 2.2.3?
Hopefully this will help somebody out, this is our configuration that we use for our domain controllers:
##
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
    Module xm_gelf
</Extension>
<Input in>
    Module im_msvistalog
    # Keep only errors/criticals and the listed account/group management and logon event IDs; drop everything else.
    Exec if not ($Severity == 'ERROR' or $Severity == 'CRITICAL' or $EventID IN (624, 630, 631, 634, 635, 638, 658, 662, 4624, 4625, 4720, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4767)) drop();
    # 4769 (Kerberos service ticket requests) is too noisy on a DC, so it is dropped as well.
    Exec if ($EventID == 4769) drop();
</Input>
# The <Output out> section (om_udp, OutputType GELF_UDP, Host, Port) did not survive in the post.
<Route 1>
    Path in => out
</Route>
Never mind. I forgot to allow leading wildcard searches in the server.conf
I'm receiving malformed search queries for the dns dashboard. It doesn't like "SubjectUserName:*$"
Any ideas?
The given query was malformed at the following position:
EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)
Error Message:
Cannot parse 'EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)': '*' or '?' not allowed as first character in WildcardQuery
Exception:
org.apache.lucene.queryparser.classic.ParseException
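Added example (not part of the content pack or this comment): Python that flags the leading-wildcard term the classic Lucene parser rejects in the query above, and implements the same exclusion as plain code over constructed 5137 events; field names follow the query, the message text and user names are constructed.

```python
import re

# The DNS dashboard query quoted in the error message above.
DNS_NODE_CREATED_QUERY = (
    "EventID:5137 AND ObjectClass:dnsNode AND created AND "
    "NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)"
)

# A field:value term whose value starts with * or ? is a leading-wildcard term; Lucene's
# classic parser rejects it unless Graylog's allow_leading_wildcard_searches is true.
LEADING_WILDCARD = re.compile(r"(?<![\w.])([A-Za-z_][\w.]*):([*?][^\s()]*)")


def leading_wildcard_terms(query):
    """Return the field:value terms that would trigger the ParseException."""
    return [f"{m.group(1)}:{m.group(2)}" for m in LEADING_WILDCARD.finditer(query)]


def is_dns_node_created_by_user(event):
    """Same filter as the dashboard: 5137 (directory object created) on a dnsNode,
    excluding machine accounts (name ends in $), SYSTEM and the '-' placeholder."""
    user = event.get("SubjectUserName", "-")
    return (
        event.get("EventID") == 5137
        and event.get("ObjectClass") == "dnsNode"
        and "created" in event.get("message", "").lower()
        and not (user.endswith("$") or user == "SYSTEM" or user == "-")
    )


# Constructed sample events in the shape of the extracted fields, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "jdoe",
     "message": "A directory service object was created."},
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "WKS01$",
     "message": "A directory service object was created."},
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "SYSTEM",
     "message": "A directory service object was created."},
    {"EventID": 5141, "ObjectClass": "dnsNode", "SubjectUserName": "jdoe",
     "message": "A directory service object was deleted."},
]


def dns_nodes_created_by_users(events=SAMPLE_EVENTS):
    """Users (not machine accounts or SYSTEM) that created dnsNode objects."""
    return [e["SubjectUserName"] for e in events if is_dns_node_created_by_user(e)]


if __name__ == "__main__":
    print("leading-wildcard terms:", leading_wildcard_terms(DNS_NODE_CREATED_QUERY))
    print("dnsNode created by:", dns_nodes_created_by_users())
```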
This is working perfectly and auditing logon events for our domain controllers themselves. It is not capturing any data from workstations or other servers on the domain, however. Is this the correct behavior by default? If so, how can this be expanded to all domain-joined workstations and servers? Thanks.
@Nacy1: Yes. Did you enable the correct security policies on the DC(s)?
"Domain Controller security policy with the following enabled: ** Audit Account Logon Events ** Audit Account Management ** Audit Logon Events ** Audit Object Access ** Audit Policy Change ** Audit System Events"
Does this work for Windows 12 R2? I have installed it and nothing is happening. The dashboard is empty. Are there any extra steps to populate the dashboard?
Worked very well thank you :)
Might be interesting to make this fully PCI compliant!
Hello, after downloading the .json file, I'm trying to upload it to my Graylog server (v1.2), and after importing successfully I don't see anything happen.
No dashboards, no inputs, no streams.
Any idea about this?
Thank you.
@reighnman
Thanks, Logged.
As for Graylog including all Extractors for all content packs, I think it also does the same for Inputs, GROK patterns.
Perhaps it's best to separate those into a content pack of their own, and update the docs, to include the dependent pack only once (just a thought).
Thanks
@ltb76 , I use the same input for AD and DNS auditing which I've created separate content packs for. Unfortunately graylog includes all extractors for the given input so I need to remember to manually remove them if they don't apply.
@123dev, please open an issue on github project page. Are you using pre-2008 domain controllers?
Looks like a great content pack,
I wonder where the facility information is supposed to come from?
nxlog is forwarding all the events to Graylog, and I can see them in Graylog, yet the dashboards don't display anything.
Digging further I noticed that all the queries are checking for the facility field:
"AND facility:Microsoft\\-Windows\\-Security\\-Auditing"
Does the nxlog config file need to be customized to add that field?
Or is this dependent on the domain controller version to include it in the events?
Anyway, I tried to edit the dashboard query to remove the "AND facility:Microsoft\\-Windows\\-Security\\-Auditing"
but on dashboard update I got the following error message:
"Could not update widget
Updating widget "Group Deleted" failed with status: Gateway Timeout"
Not sure if this is a Graylog bug or something wrong with the widget.
I have no problems updating widgets that we have created.
Next I removed all the dashboards added by this content pack, deleted the content pack,
edited the json file and updated all the queries to remove
"AND facility:Microsoft\\-Windows\\-Security\\-Auditing",
saved and imported it back.
Dashboards still don't show any data; however, clicking the play button on any widget in the dashboard opens up a Graylog query that shows data, so that tells me that the updated query is correct.
Why is the dashboard not showing any data? All values are "N/A".
Thanks
nice work :)
It contains the dashboard for DNS, but it looks like the GROK patterns for DNS logs are missing though.
Very great! Thanks a lot!
I was able to import the content pack but do not have a new stream or dashboard. I do see the various different variables from the Windows logon content, but how do I get the pretty dashboard from the screenshots? Does it have to be made manually?