Active Directory Auditing (NXLOG)

Content Pack

reighnman

free!

Download from Github View on Github 1 27

Published

23 Sep 14:25

Last Push

11 May 09:38

Marketplace Rating

Discussion

33 Comments

Readme from Github

Active Directory Auditing Content Pack

Tested with nxLog/Windows 2008R2 Domain Controllers/Graylog 1.2

This content pack provides several useful dashboards for auditing Active Directory events:

DNS Object Summary - DNS Creations, Deletions
Group Object Summary - Group Creations, Modifications, Deletions, Membership Changes
User Object Summary - Account Creations, Deletions, Modifications, Lockouts, Unlocks
Computer Object Summary - (in progress)
Logon Summary - Failed Authentication Attempts, Interactive Logins

Includes

Input (GELF udp 5414)
Failed Logon Stream (unconfigured)
Dashboards

Requirements

NXLog collecting windows logs, other log collectors will work but may require modifying the searches to match the different fields outputted by other collectors
Domain Controller secuirty policy with the following enabled: ** Audit Account Logon Events ** Audit Account Managmenet ** Audit Logon Events ** Audit Object Access ** Audit Policy Change ** Audit System Events
Leading Wildcard Searches enabled in graylog.conf: allow_leading_wildcard_searches = true

NXLog Example

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>
<Input in>
    # For windows vista/2008 and above use:
    Module      im_msvistalog

    # For windows 2003 and earlier use the following:
    #   Module      im_mseventlog
</Input>

<Output out> 
    Module      om_udp
    Host        graylog.server.com
    Port        5414
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>

Screenshots

Your Rating

Please sign in to rate this add-on.

Comments

farmergeoff2003 3 months ago

I was able to import the content-pack but do not have a new stream or dashboard. I do see the various different variables from the windows logon content but how do i get the pretty dashboard from the screenshots? Does it have to be made manually?

Witell24 4 months ago

Has anyone had any luck getting this to work with Graylog 3?

elincognito 5 months ago

stanislaushoppe 8 months ago

more people need to use graylog

stanislaushoppe 8 months ago

works fine thank you

stanislaushoppe 8 months ago

lol

Fodmidoid 9 months ago

I managed to get this working by opening port(s) on the Graylog firewall. The only thing I'm having trouble with now is getting DNS results to show up for this content pack. If anyone could point me in the right direction, I'd appreciate it. Thanks.

Fodmidoid 9 months ago

If someone could please help, I would be so grateful.

The content pack installed correctly.
When I configured the nxlog file on my DC to point to the graylog server and added _UDP after the GELF in the output section.
I enabled all of the Group policy Objects indicated in the readme (** Audit Account Logon Events ** Audit Account Management ** Audit Logon Events ** Audit Object Access ** Audit Policy Change ** Audit System Events).
I have another GELF_TCP input working, collecting windows server event logs working fine for port 12201 with nxlog, so I’ve done this correctly, at least once before :)

I’m including my nxlog file below. If someone can please tell me what I’m missing, It would be greatly appreciated. I’ve been at this all day. Thank you in advance.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_gelf

# For windows vista/2008 and above use:
Module im_msvistalog

Module om_udp
Host 10.0.0.15
Port 5414
OutputType GELF_UDP

Path in => out

ArkShocer 9 months ago

Still works fine on GrayLog 2.4.6

leomorato 11 months ago

How to Install this dashboard?

jhgfdsdfghjkl over 1 year ago

Selmack almost 2 years ago

under "Output out" section. Sorry my words got cut off.

Selmack almost 2 years ago

michmich9337: if you copied and used the nxlog.conf file listed with no modifications, you need to specify the name of your graylog server instance or IP instead of "graylog.server.com" for "Host" under "".

michmich9337 about 2 years ago

Hi !
Does it need a query to be functionnal ?
Because i simply copy/paste nxlog.conf and no data is send :/

Thanks !

nsolver about 2 years ago

Hi Guys!!! I´m finding how install this Content Pack. Can, someone explain me how to install in my graylog ? Thanks!!!

Guruleenyc about 2 years ago

This is working great on Graylog 2.2.3. But I just don't have data for the DNS related dashboards and I think its due to my nxlog filter not sending associated eventID's.

Guruleenyc about 2 years ago

Just installed this on Graylog 2.2.3 and it appears to be working at first glance. Will report back on usage. Thank you!

Guruleenyc about 2 years ago

Does this work with Graylog 2.2.3?

omfgzlolz about 2 years ago

Hopefully this will help somebody out, this is our configuration that we use for our domain controllers:

##
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_gelf

Module im_msvistalog
Exec if not ($Severity == 'ERROR' or $Severity == 'CRITICAL' or $EventID IN (624, 630, 631, 634, 635, 638, 658, 662, 4624, 4625, 4720, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4767)) drop();
Exec if ($EventID == 4769) drop();

Module om_udp
Host server.domain.com
Port 5414
OutputType GELF

Path in => out

theherodied over 2 years ago

Never mind. I forgot to allow leading wildcard searches in the server.conf

theherodied over 2 years ago

I'm receiving malformed search queries for the dns dashboard. It doesn't like "SubjectUserName:*$"
Any ideas?

The given query was malformed at the following position:

EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)

Error Message:
Cannot parse 'EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)': '*' or '?' not allowed as first character in WildcardQuery
Exception:
org.apache.lucene.queryparser.classic.ParseException

tbaraki over 2 years ago

This is working perfectly and auditing logon events for our domain controllers themselves. It is not capturing any data from workstations or other servers on the domain, however. Is this the correct behavior by default? If so, how can this be expanded to all domain-joined workstations and servers? Thanks.

webmastir over 2 years ago

@Nacy1: Yes. Did you enable the correct security policies on the DC(s)?

"Domain Controller security policy with the following enabled: ** Audit Account Logon Events ** Audit Account Managmenet ** Audit Logon Events ** Audit Object Access ** Audit Policy Change ** Audit System Events"

Nacy1 almost 3 years ago

Does this work for Windows 12 R2 as I have installed and nothing is happening. dashboard is empty. Are there any extra steps to populate the dashboard.

JulioQc almost 3 years ago

Worked very well thank you :)
Might be interesting to make this fully PCI compliant!

mbuyukkarakas over 3 years ago

Hello, after downloading the .json file, I'm trying to upload to my graylog server (v1.2) and after importing successfully I dont see nothing happens.
No dashboards, no inputs, no streams.

Any idea about this ?
Thank you.

123dev over 3 years ago

@reighnman
Thanks, Logged.
As for Graylog including all Extractors for all content packs, I think it also does the same for Inputs, GROK patterns.
Perhaps it's best to separate those into a content pack of their own, and update the docs, to include the dependent pack only once (just a thought).

Thanks

reighnman over 3 years ago

@ltb76 , I use the same input for AD and DNS auditing which I've created separate content packs for. Unfortunately graylog includes all extractors for the given input so I need to remember to manually remove them if they don't apply.

reighnman over 3 years ago

@123dev, please open an issue on github project page. Are you using pre-2008 domain controllers?

123dev over 3 years ago

Looks like a great content pack,
I wonder where the facility information is supposed to come from?
nxlog is forwarding all the events to graylog, and I can see them in graylog, yet the dashboards don't display anything.

Digging further I noticed that all the queries are checking for the facility filed.
"AND facility:Microsoft\\-Windows\\-Security\\-Auditing"
Our logs does nxlog config file needs to be customized to add that field?
Or is this dependent the Domain controller version to include it in the events?

Anyways I tried to edit the dashboard query to remove the "AND facility:Microsoft\\-Windows\\-Security\\-Auditing"
but on dashboard update I got the following error message.
"Could not update widget
Updating widget "Group Deleted" failed with status: Gateway Timeout"
Not sure if this a graylog bug or something wrong with the widget
I have no problems updating widgets that we have created.

Next I removed all the dashboards added by this content pack and deleted the content pack
edited the json file and updated all the queries to remove
"AND facility:Microsoft\\-Windows\\-Security\\-Auditing"
Saved and imported back.

Dashboards still don't show any data, however clicking the play button on any widget in the dashboard opens up graylog query that shows data, so that tells me that the updated query is correct.

Why is the dashboard not showing any data? all values are "N/A"

Thanks

ltb76 over 3 years ago

nice work :)
It contains the dashboard for DNS, but it looks like the GROK patterns for DNS logs are missing though.

smarechal over 3 years ago

Very great! Thanks a lot!

Please sign in to comment.

Back to listing