Active Directory Auditing (NXLOG)

Content Pack

reighnman

free!

Download from Github View on Github 1 26

Published

23 Sep 14:25

Last Push

11 May 09:38

Marketplace Rating

Discussion

23 Comments

Readme from Github

Active Directory Auditing Content Pack

Tested with nxLog/Windows 2008R2 Domain Controllers/Graylog 1.2

This content pack provides several useful dashboards for auditing Active Directory events:

DNS Object Summary - DNS Creations, Deletions
Group Object Summary - Group Creations, Modifications, Deletions, Membership Changes
User Object Summary - Account Creations, Deletions, Modifications, Lockouts, Unlocks
Computer Object Summary - (in progress)
Logon Summary - Failed Authentication Attempts, Interactive Logins

Includes

Input (GELF udp 5414)
Failed Logon Stream (unconfigured)
Dashboards

Requirements

NXLog collecting windows logs, other log collectors will work but may require modifying the searches to match the different fields outputted by other collectors
Domain Controller secuirty policy with the following enabled: ** Audit Account Logon Events ** Audit Account Managmenet ** Audit Logon Events ** Audit Object Access ** Audit Policy Change ** Audit System Events
Leading Wildcard Searches enabled in graylog.conf: allow_leading_wildcard_searches = true

NXLog Example

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>
<Input in>
    # For windows vista/2008 and above use:
    Module      im_msvistalog

    # For windows 2003 and earlier use the following:
    #   Module      im_mseventlog
</Input>

<Output out> 
    Module      om_udp
    Host        graylog.server.com
    Port        5414
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>

Screenshots

Your Rating

Please sign in to rate this add-on.

Comments

jhgfdsdfghjkl 9 months ago

Selmack 12 months ago

under "Output out" section. Sorry my words got cut off.

Selmack 12 months ago

michmich9337: if you copied and used the nxlog.conf file listed with no modifications, you need to specify the name of your graylog server instance or IP instead of "graylog.server.com" for "Host" under "".

michmich9337 about 1 year ago

Hi !
Does it need a query to be functionnal ?
Because i simply copy/paste nxlog.conf and no data is send :/

Thanks !

nsolver about 1 year ago

Hi Guys!!! I´m finding how install this Content Pack. Can, someone explain me how to install in my graylog ? Thanks!!!

Guruleenyc about 1 year ago

This is working great on Graylog 2.2.3. But I just don't have data for the DNS related dashboards and I think its due to my nxlog filter not sending associated eventID's.

Guruleenyc about 1 year ago

Just installed this on Graylog 2.2.3 and it appears to be working at first glance. Will report back on usage. Thank you!

Guruleenyc about 1 year ago

Does this work with Graylog 2.2.3?

omfgzlolz about 1 year ago

Hopefully this will help somebody out, this is our configuration that we use for our domain controllers:

##
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_gelf

Module im_msvistalog
Exec if not ($Severity == 'ERROR' or $Severity == 'CRITICAL' or $EventID IN (624, 630, 631, 634, 635, 638, 658, 662, 4624, 4625, 4720, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4767)) drop();
Exec if ($EventID == 4769) drop();

Module om_udp
Host server.domain.com
Port 5414
OutputType GELF

Path in => out

theherodied over 1 year ago

Never mind. I forgot to allow leading wildcard searches in the server.conf

theherodied over 1 year ago

I'm receiving malformed search queries for the dns dashboard. It doesn't like "SubjectUserName:*$"
Any ideas?

The given query was malformed at the following position:

EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)

Error Message:
Cannot parse 'EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)': '*' or '?' not allowed as first character in WildcardQuery
Exception:
org.apache.lucene.queryparser.classic.ParseException

tbaraki over 1 year ago

This is working perfectly and auditing logon events for our domain controllers themselves. It is not capturing any data from workstations or other servers on the domain, however. Is this the correct behavior by default? If so, how can this be expanded to all domain-joined workstations and servers? Thanks.

webmastir over 1 year ago

@Nacy1: Yes. Did you enable the correct security policies on the DC(s)?

"Domain Controller security policy with the following enabled: ** Audit Account Logon Events ** Audit Account Managmenet ** Audit Logon Events ** Audit Object Access ** Audit Policy Change ** Audit System Events"

Nacy1 over 1 year ago

Does this work for Windows 12 R2 as I have installed and nothing is happening. dashboard is empty. Are there any extra steps to populate the dashboard.

JulioQc almost 2 years ago

Worked very well thank you :)
Might be interesting to make this fully PCI compliant!

mbuyukkarakas over 2 years ago

Hello, after downloading the .json file, I'm trying to upload to my graylog server (v1.2) and after importing successfully I dont see nothing happens.
No dashboards, no inputs, no streams.

Any idea about this ?
Thank you.

123dev over 2 years ago

@reighnman
Thanks, Logged.
As for Graylog including all Extractors for all content packs, I think it also does the same for Inputs, GROK patterns.
Perhaps it's best to separate those into a content pack of their own, and update the docs, to include the dependent pack only once (just a thought).

Thanks

reighnman over 2 years ago

@ltb76 , I use the same input for AD and DNS auditing which I've created separate content packs for. Unfortunately graylog includes all extractors for the given input so I need to remember to manually remove them if they don't apply.

reighnman over 2 years ago

@123dev, please open an issue on github project page. Are you using pre-2008 domain controllers?

123dev over 2 years ago

Looks like a great content pack,
I wonder where the facility information is supposed to come from?
nxlog is forwarding all the events to graylog, and I can see them in graylog, yet the dashboards don't display anything.

Digging further I noticed that all the queries are checking for the facility filed.
"AND facility:Microsoft\\-Windows\\-Security\\-Auditing"
Our logs does nxlog config file needs to be customized to add that field?
Or is this dependent the Domain controller version to include it in the events?

Anyways I tried to edit the dashboard query to remove the "AND facility:Microsoft\\-Windows\\-Security\\-Auditing"
but on dashboard update I got the following error message.
"Could not update widget
Updating widget "Group Deleted" failed with status: Gateway Timeout"
Not sure if this a graylog bug or something wrong with the widget
I have no problems updating widgets that we have created.

Next I removed all the dashboards added by this content pack and deleted the content pack
edited the json file and updated all the queries to remove
"AND facility:Microsoft\\-Windows\\-Security\\-Auditing"
Saved and imported back.

Dashboards still don't show any data, however clicking the play button on any widget in the dashboard opens up graylog query that shows data, so that tells me that the updated query is correct.

Why is the dashboard not showing any data? all values are "N/A"

Thanks

ltb76 over 2 years ago

nice work :)
It contains the dashboard for DNS, but it looks like the GROK patterns for DNS logs are missing though.

smarechal over 2 years ago

Very great! Thanks a lot!

Please sign in to comment.

Back to listing