Including log events from Microsoft Direct Access

Path Finder

Hi,

We would like to forward log events from a Microsoft Direct Access server into Splunk. I've installed the universal forwarder on the DA server and Application and Security events from the event viewer are forwarded to an intermediate heavy forwarder. The “pure” DA logs are written to a local Windows database or sent to a RADIUS server. Do you have recommendations on how to get this data into Splunk?

Thanks 🙂

Anne Beate

0 Karma

Communicator

I've managed to put together a quick and dirty script for this use case. So after quite some research I figured out that the best option is to play around with the Get-RemoteAccessConnectionStatistics PowerShell cmdlet, which requires elevated permissions to run. Since I haven't found a way to run a PowerShell script from the Splunk forwarder with elevated permissions, I run it as a Scheduled Task every minute and export newly established connections into a file, which is then read by the Splunk forwarder.

Here is the PowerShell script which is installed on my DirectAccess server:

# get the last connection time written by a previous run; on the first run, start from midnight today
If (Test-Path "$PSScriptRoot\maxConnectionTime.txt") {
    # Out-File appends a newline, so trim it before comparing or passing the value on
    $MaxConnectionTime = (Get-Content -Path "$PSScriptRoot\maxConnectionTime.txt" -Raw).Trim()
}
Else {
    $MaxConnectionTime = Get-Date -Format "yyyy-MM-dd 00:00:00"
}
$today = Get-Date -Format "yyyy-MM-dd"
$outFile = "$PSScriptRoot\data\$today-connections.txt"

# housekeeping - make the new file accessible - fast & dirty
# Get-Acl fails if today's file does not exist yet (first run of the day), so create it first
If (-not (Test-Path $outFile)) {
    New-Item -Path $outFile -ItemType File | Out-Null
}
# note: this grants Everyone FullControl; granting read access only to the account
# the forwarder service runs as would be the tighter choice
$acl = Get-Acl $outFile
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("everyone","FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl $outFile

# get remote access connection statistics since the last recorded connection time
$connections = Get-RemoteAccessConnectionStatistics -StartDateTime $MaxConnectionTime

# loop through results and write them to file if they are newer than the last time recorded
# (timestamps are fixed-width "yyyy-MM-dd HH:mm:ss" strings, so string comparison orders them correctly)
ForEach ($connection in $connections)
{
    $date = Get-Date -Date $connection.ConnectionStartTime -Format "yyyy-MM-dd HH:mm:ss"
    If ($date -gt $MaxConnectionTime)
    {
        Add-Content -Path $outFile -Value "ConnectionTime='$date' SessionID=$($connection.SessionId) ClientIPv4Address=$($connection.ClientIPv4Address) ClientIPv6Address=$($connection.ClientIPv6Address) ClientAddress=$($connection.ClientAddress) ConnectionType=$($connection.ConnectionType) HostName=$($connection.HostName) UserName=$($connection.UserName)"

        $MaxConnectionTime = $date
    }
}

# update the time of the newest connection written so far
Write-Output $MaxConnectionTime | Out-File "$PSScriptRoot\maxConnectionTime.txt"

# housekeeping - delete files older than 7 days
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays(-7)
Get-ChildItem "$PSScriptRoot\data\" | Where-Object { $_.LastWriteTime -lt $DatetoDelete } | Remove-Item

And here is the content of my inputs.conf:

[monitor://$SPLUNK_HOME/etc/apps/myorg_security_microsoft_directaccess_inputs/bin/data/]
sourcetype = DirectAccessConnections
index = myorg_vpn

As a note: I couldn't bring the script to life if I specified the "Start in" option in the Scheduled Task. I had to add the following arguments to the Scheduled Task action:

-ExecutionPolicy Bypass -File "C:\Program Files\SplunkUniversalForwarder\etc\apps\myorg_security_microsoft_directaccess_inputs\bin\GetRemoteAccessConnection.ps1"
0 Karma
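A props.conf stanza for the DirectAccessConnections sourcetype, added here as an example and not part of the post above: it makes Splunk take _time from the ConnectionTime value at the start of each line rather than from the minute the scheduled task wrote it, and keeps each line as its own event. It is assumed to sit on the heavy forwarder or indexer that parses the data; the TZ value is a placeholder for the DA server's zone.

```ini
# props.conf - parse the key=value lines written by the scheduled PowerShell script
[DirectAccessConnections]
# one connection per line; never merge lines into multi-line events
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# use the connection start time as _time, not the time the line was written
TIME_PREFIX = ConnectionTime='
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# the script writes local server time with no zone; set the DA server's zone here (placeholder)
TZ = Etc/UTC
# key=value pairs on each line are extracted at search time
KV_MODE = auto
```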

Engager

Wow, we are looking to do the same thing and are having a hard time.
All we are really looking for is where the local log files inside of DA are located that will show UserName and Logon/Logoff times.

Would also be great to have any logoff/disconnection error codes in case a user who loses internet at home has a different logged event than a user who manually initiates a log off of the laptop running DA.

Has anyone been able to find this local log? If we can locate that, we can set Splunk up to monitor a remote folder and grab the data every time that directory changes and index it for reporting.

Path Finder

Hi

I don't know if this helps, but we are doing exactly the same for a customer at the moment, but have ruled out the database connection using DBX; instead we are setting up something to receive the RADIUS logs, IAS in this customer's scenario. The Direct Access server is then sending its logs via RADIUS logging. We are then writing the logs to disk using IAS and reading them in with a simple file monitor in the UF.

I hope this helps you.

Thanks
Darren

Path Finder

Hello,

Anybody got an update on this?

Regards,

0 Karma