topic Re: monitoring workstation domains from active directory in Security

monitoring workstation domains from active directory

hazem — Sun, 03 Nov 2024 13:41:40 GMT

We have 500 domain workstations, and we have installed Splunk Universal Forwarders (UF) on the Active Directory server. The question is, how can we monitor the security logs of those workstations from the Universal Forwarder installed on the Active Directory server?

Re: monitoring workstation domains from active directory

gcusello — Sun, 03 Nov 2024 15:46:18 GMT

Hi @hazem ,

having the UF on the Domain Controller you can monitor all the accesses to the DC from the clients but not the local events from each server.

To have local events, you have to install UF on each client.

Ciao.

Giuseppe

Re: monitoring workstation domains from active directory

hazem — Sun, 03 Nov 2024 17:36:44 GMT

Hi @gcusello

What stanza should I insert in inputs .conf to monitor all the client accesses to the DC?

and what do you mean by local events?

Re: monitoring workstation domains from active directory

PickleRick — Sun, 03 Nov 2024 20:59:13 GMT

Each Windows computer gathers security events pertaining to this particular computer. So domain controllers log in all activity that occurs on them - domain log ins, domain log outs and so on. Workstations log into their own Security Eventlog events which occur on them - like local log ins and log outs.

So there is no way to get local events from those workstations by looking in the domain controllers' event logs. These are two separate things.

You need to ingest Security eventlogs from those workstations. You can get them either by installing UF on each of them and ingest local eventlog from each of those workstations or by setting up a WEF collector and setting up a forwarding policy so that you gather logs centrally. And from this central collector you'd pull them with a UF. There are also additional ways but these are the only two reasonable ones.

Re: monitoring workstation domains from active directory

gcusello — Mon, 04 Nov 2024 08:40:27 GMT

Hi @hazem ,

taking the logs from the DC, you have all the events from all the clients and you can have Security, System and Application logs.

Obviously you don't have local events e.g. local users accesses.

Ciao.

Giuseppe

Re: monitoring workstation domains from active directory

PickleRick — Mon, 04 Nov 2024 09:19:40 GMT

@gcuselloYou're confusing us a bit here 😉

Domain Controllers have their own logs. They reflect what's going on on those DCs. So they will contain the information about the domain activities but they will not contain the information about local activities on the workstations.

This distinction is important because if a user A tries to access a file share \\B\C$ logging in from workstation D, you will see domain Security events from Kerberos activity both from initial login to D as well as from B but you will not see whether - for example - if user A was actually granted access to the share \\B\C$ because he might have not simply been granted permissions to the share. It has nothing to do with the authentication process which involves the DC. Authorization here is a local thing and logs (I think you have to explicitly enable access auditing BTW) will not be available on the DC because logs by default are not "forwarded" anywhere.

Re: monitoring workstation domains from active directory

gcusello — Mon, 04 Nov 2024 13:30:28 GMT

Hi @PickleRick ,

you said in a perfect way what I tried to explain: on DC there are the connection events (e.g. 4524 or 4634 etc...) but not the local events fron the clients.

For this reason I hinted to install the UF also on Clients and not only on DC.

Ciao and thanks for the details.

Giuseppe

Re: monitoring workstation domains from active directory

gcusello — Tue, 05 Nov 2024 07:45:33 GMT

Hi @hazem ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉