
69. Microsoft Active Directory Domain Controller

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. An AD domain controller responds to security authentication requests within a Windows domain. Most domain controller logging, especially for security related activity, is done via the Windows EventLog.

69.1. Active Directory Security Events

Windows Server generates events for suspicious activities, including attempts to change Active Directory modes, or attempted replay attacks. Security events can be monitored through the Windows EventLog. Events specific to domain controller security are stored in the EventLog Event source ActiveDirectory_DomainService.

For a full list of Active Directory events that should be monitored, see Events to Monitor on Microsoft Docs.

Table 32. Active Directory Events With High Potential Criticality

Event ID  Description
4618      A monitored security event pattern has occurred.
4649      A replay attack was detected. May be a harmless false positive due to a misconfiguration error.
4719      System audit policy was changed.
4765      SID History was added to an account.
4766      An attempt to add SID History to an account failed.
4794      An attempt was made to set the Directory Services Restore Mode.
4897      Role separation was enabled.
4964      Special groups have been assigned to a new logon.
5124      A security setting was updated on OCSP Responder Service.
1102      The audit log was cleared.

Example 301. Collecting Active Directory Security Events

In this example, im_msvistalog is used to capture the most important security-related events on a Windows Server 2012/2016 domain controller.

Note
The EventLog supports a limited number of Event IDs in a query. Due to this limitation, an Exec block is used to match the required Event IDs rather than listing every Event ID in the query.
nxlog.conf
# Event IDs grouped by potential criticality; the High tier is Table 32 above.
define HighEventIds    4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, 1102

define MediumEventIds  4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, 4724, \
                       4727, 4735, 4737, 4739, 4754, 4755, 4764, 4780, 4816, \
                       4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, 4892, 4896, \
                       4906, 4907, 4908, 4912, 4960, 4961, 4962, 4963, 4965, 4976, \
                       4977, 4978, 4983, 4984, 5027, 5028, 5029, 5030, 5035, 5037, \
                       5038, 5120, 5121, 5122, 5123, 5376, 5377, 5453, 5480, 5483, \
                       5484, 5485, 6145, 6273, 6274, 6275, 6276, 6277, 6278, 6279, \
                       6280, 24586, 24592, 24593, 24594

define LowEventIds     4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, \
                       4634, 4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
                       4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, 4698, \
                       4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, 4718, 4720, \
                       4722, 4723, 4725, 4726, 4728, 4729, 4730, 4731, 4732, 4733, \
                       4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, \
                       4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, \
                       4760, 4761, 4762, 4767, 4768, 4769, 4770, 4771, 4772, 4774, \
                       4775, 4776, 4778, 4779, 4781, 4783, 4785, 4786, 4787, 4788, \
                       4789, 4790, 4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, \
                       4878, 4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
                       4891, 4893, 4894, 4895, 4898, 5136, 5137

<Input events>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Directory Service">
                <Select Path="Directory Service">*[System[Provider[
                    @Name='Microsoft-Windows-ActiveDirectory_DomainService']]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Keep only events that fall into one of the three tiers; drop the rest.
    <Exec>
        if $EventID NOT IN (%HighEventIds%) and
           $EventID NOT IN (%MediumEventIds%) and
           $EventID NOT IN (%LowEventIds%) drop();
    </Exec>
</Input>
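The note above says an EventLog query accepts only a limited number of Event IDs, and Example 302 below works around that with ranges. The following Python helper is an added example (not part of the NXLog guide): it collapses a tier's Event IDs into as few XPath predicates as possible, emits them in the XML-escaped form a QueryXML block needs, and refuses to build a query beyond an assumed per-query limit (MAX_TERMS is a placeholder, not a documented Windows value).

```python
from typing import Iterable, List, Tuple

# Event IDs from Table 32 on this page (high potential criticality).
HIGH_EVENT_IDS = [4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, 1102]
# The page only says the EventLog accepts a "limited number" of Event IDs per
# query; 20 is an assumed placeholder, not a documented Windows limit.
MAX_TERMS = 20

def to_ranges(event_ids: Iterable[int]) -> List[Tuple[int, int]]:
    """Collapse Event IDs into sorted, non-overlapping (low, high) runs;
    duplicates (such as a repeated 4764 in a define) are removed first."""
    ranges: List[Tuple[int, int]] = []
    for eid in sorted(set(event_ids)):
        if ranges and eid == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], eid)   # extend the current run
        else:
            ranges.append((eid, eid))           # start a new run
    return ranges

def range_term(low: int, high: int) -> str:
    """One XPath predicate; comparison operators are XML-escaped because
    the query text sits inside the <QueryXML> block."""
    if low == high:
        return f"EventID={low}"
    return f"(EventID &gt;= {low} and EventID &lt;= {high})"

def term_count(event_ids: Iterable[int]) -> int:
    """Number of predicates the ID set needs after range compression."""
    return len(to_ranges(event_ids))

def build_select(channel: str, provider: str, event_ids: Iterable[int],
                 max_terms: int = MAX_TERMS) -> str:
    """Return a <Select> element for the provider and Event IDs, or raise
    when the query would need more predicates than the log accepts."""
    terms = [range_term(low, high) for low, high in to_ranges(event_ids)]
    if len(terms) > max_terms:
        raise ValueError(f"{len(terms)} predicates exceed {max_terms}; match "
                         "the remaining IDs in an <Exec> block instead")
    return (f"<Select Path=\"{channel}\">*[System[Provider[@Name='{provider}'] "
            f"and ({' or '.join(terms)})]]</Select>")
```

The Medium and Low tiers on this page are far too large for a single query even after compression, which is why the configuration above filters them in the Exec block instead.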

69.2. Advanced Security Audit Policy

Additional logging can be enabled via the Group Policy Advanced Audit Policy. This policy provides a more granular level of information about security changes. To enable the Advanced Audit Policy on Windows Server 2012 and above, follow these steps:

  1. Log in to the server as Domain Administrator.

  2. Load the Group Policy Management Editor from Server Manager > Tools.

  3. Expand the Domain Controllers organizational unit (OU), right-click on Default Domain Controllers Policy, and click Edit.

  4. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.

  5. Enable the four listed policies to provide access to security auditing events.

For more information on configuring the Advanced Security Auditing Policy, and descriptions of event IDs, please view Step-By-Step: Enabling Advanced Security Audit Policy via DS Access on Microsoft TechNet.

Example 302. Collecting Auditing Policy events via im_msvistalog

Once security auditing has been enabled, the related events in the EventLog can be queried and collected by NXLog with the im_msvistalog module. This configuration collects the Windows Security Auditing events selected in the query below that have an Event Level of critical, error, or warning.

nxlog.conf
# Event ID ranges use XML-escaped comparison operators (&gt;= and &lt;=)
# because the query is embedded in XML.
<Input SecurityAuditEvents>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[Provider[
                    @Name='Microsoft-Windows-Security-Auditing'] and
                    (Level=1 or Level=2 or Level=3) and
                    ((EventID &gt;= 4928 and EventID &lt;= 4931) or
                     (EventID &gt;= 4932 and EventID &lt;= 4937) or
                     EventID=4662 or
                     (EventID &gt;= 5136 and EventID &lt;= 5141))]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

69.3. Troubleshooting Domain Controller Promotions and Installations

The %systemroot%\debug\dcpromo.log log file stores information about installations, promotions, and demotions of domain controllers. Successive runs of dcpromo write to additional log files at %systemroot%\debug\dcpromo.001.log, and so on.

For more information on troubleshooting domain controller promotions and installations, please view Troubleshooting Domain Controller Deployment.

Example 303. Collecting dcpromo Log Messages via im_file

This configuration uses the im_file module to read from all dcpromo log files. Each event is parsed with a regular expression, and then the timestamp is parsed with the parsedate() function.

Log Sample
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1270 objects remaining
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1269 objects remaining
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1268 objects remaining
nxlog.conf
<Input dcpromo>
    Module  im_file
    # The current log plus the numbered logs written by earlier dcpromo runs
    File    "%systemroot%\debug\DCPROMO.log"
    File    "%systemroot%\debug\DCPROMO.*.log"
    <Exec>
        # Line layout: "<date> <time> [SEVERITY] message"
        if $raw_event =~ /^(\S+ \S+) \[(\S+)\] (.+)$/
        {
            $EventTime = parsedate($1);
            $Severity = $2;
            $Message = $3;
        }
    </Exec>
</Input>
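As an added example (not from the NXLog guide), the same parse applied in Python to a constructed copy of the Log Sample above, showing what happens to lines the regular expression does not match and reading the "objects remaining" counter to check that a promotion is still progressing. The date is assumed to be MM/DD/YYYY; the page's sample does not disambiguate.

```python
import re
from datetime import datetime

# Same line pattern as the im_file <Exec> block on this page:
#   "<date> <time> [SEVERITY] message"
DCPROMO_LINE = re.compile(r"^(\S+ \S+) \[(\S+)\] (.+)$")
# Trailing progress counter as it appears in the page's Log Sample.
REMAINING = re.compile(r"^(.*?): (.+); (\d+) objects remaining$")

# Constructed sample modelled on the page's Log Sample; the untimestamped
# line is added to show how non-matching lines are handled.
SAMPLE_LOG = """\
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1270 objects remaining
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1269 objects remaining
continuation text with no timestamp
10/02/2018 04:43:48 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1268 objects remaining
"""

def parse_line(line):
    """Split one dcpromo line into EventTime, Severity and Message; the date
    is assumed to be MM/DD/YYYY (the page's sample does not disambiguate)."""
    m = DCPROMO_LINE.match(line)
    if not m:
        return None
    return {"EventTime": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"),
            "Severity": m.group(2), "Message": m.group(3)}

def parse_log(text):
    """Parse every line; non-matching lines are returned separately (the NXLog
    Exec block above would pass those on with only $raw_event set)."""
    events, unparsed = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            events.append(rec)
    return events, unparsed

def remaining_objects(events):
    """Latest 'objects remaining' count per partition, a quick way to see
    whether a promotion is still making progress or has stalled."""
    progress = {}
    for ev in events:
        m = REMAINING.match(ev["Message"])
        if m:
            progress[m.group(2)] = int(m.group(3))
    return progress
```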