Solved: Re: How to monitor Microsoft CA logs on Server 200...

jodros · ‎07-29-2014

Has anyone been successful in monitoring Microsoft CA logs on Server 2008 R2? It looks as if they are being written to C:\Windows\System32\CertLog in EDB log format, which is not human readable. I want to say the EDB log format might also be used by Microsoft Exchange, so I don't know if any TA or SA for exchange could be leveraged.

Any assistance with this issue would be appreciated.

Thanks

jodros · ‎07-30-2014

Figured out the issue. There was an additional auditing setting that needed to be tweaked in the GPO before the CA events started showing up in the WinEventLog:Security. No need to try and figure out a way to monitor the edb files.

View solution in original post

jodros · ‎07-30-2014

Figured out the issue. There was an additional auditing setting that needed to be tweaked in the GPO before the CA events started showing up in the WinEventLog:Security. No need to try and figure out a way to monitor the edb files.

thambisetty · ‎03-24-2020

would be helpful, if you could provide how did you fix this.

————————————
If this helps, give a like below.

nabeel652 · ‎08-08-2016

Do you remember what change did you make in GPO in order to collect CerLog like EventCode=64 etc?

jlemoine · ‎12-11-2017

What was the solution?

jodros · ‎07-30-2014

early morning bump. No one is monitoring any Microsoft CA servers running on 2008 R2 with Splunk?

How to monitor Microsoft CA logs on Server 2008 R2?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases