We have 500 domain workstations, and we have installed Splunk Universal Forwarders (UF) on the Active Directory server. The question is, how can we monitor the security logs of those workstations from the Universal Forwarder installed on the Active Directory server?
Hi @hazem ,
taking the logs from the DC, you have all the events from all the clients, and you can have the Security, System and Application logs.
Obviously you don't have local events, e.g. local user accesses.
Ciao.
Giuseppe
Hi @hazem ,
having the UF on the Domain Controller, you can monitor all the accesses to the DC from the clients, but not the local events from each server.
To have local events, you have to install the UF on each client.
Ciao.
Giuseppe
Hi @gcusello
What stanza should I insert in inputs.conf to monitor all the client accesses to the DC?
And what do you mean by local events?
Hi @hazem ,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
@gcusello You're confusing us a bit here 😉
Domain Controllers have their own logs. They reflect what's going on on those DCs. So they will contain the information about the domain activities but they will not contain the information about local activities on the workstations.
This distinction is important because if user A tries to access a file share \\B\C$ logging in from workstation D, you will see domain Security events from Kerberos activity both from the initial login to D as well as from B, but you will not see whether, for example, user A was actually granted access to the share \\B\C$, because he might simply not have been granted permissions to the share. It has nothing to do with the authentication process, which involves the DC. Authorization here is a local thing, and the logs (I think you have to explicitly enable access auditing, BTW) will not be available on the DC, because logs by default are not "forwarded" anywhere.
Hi @PickleRick ,
you said in a perfect way what I tried to explain: on the DC there are the connection events (e.g. 4524 or 4634 etc...) but not the local events from the clients.
For this reason I hinted to install the UF also on the clients and not only on the DC.
Ciao and thanks for the details.
Giuseppe
Each Windows computer gathers security events pertaining to that particular computer. So domain controllers log all activity that occurs on them: domain logins, domain logouts and so on. Workstations log the events which occur on them, like local logins and logouts, into their own Security Eventlog.
So there is no way to get local events from those workstations by looking in the domain controllers' event logs. These are two separate things.
You need to ingest the Security eventlogs from those workstations. You can get them either by installing a UF on each of them and ingesting the local eventlog from each of those workstations, or by setting up a WEF collector and a forwarding policy so that you gather the logs centrally. From this central collector you'd then pull them with a UF. There are also additional ways, but these are the only two reasonable ones.
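As an added example (not posted by anyone in this thread), here are the two inputs.conf stanzas that correspond to the two options above: one for a UF installed on each workstation, and one for a UF on a WEF collector, where forwarded events land in the ForwardedEvents channel by default. The index name `wineventlog` is an assumption; use whatever index you route Windows events to.

```ini
# Option 1: UF on each workstation, reading the local Security log.
# Deploy this through the deployment server so all 500 clients get it.
[WinEventLog://Security]
disabled = 0
index = wineventlog          ; assumed index name
start_from = oldest          ; backfill existing events on first start
current_only = 0             ; 0 = read history too, 1 = only new events
checkpointInterval = 5       ; seconds between checkpoint writes
evt_resolve_ad_obj = 1       ; resolve SIDs to account names
renderXml = false            ; classic text rendering (set true for XML)
# Optional: keep only logon/logoff related EventCodes to reduce volume.
# whitelist = EventCode=%^(4624|4625|4634|4648|4672)$%

# Option 2: UF on the WEF collector (WEC) only.
# Workstations push their Security events to the collector via a
# subscription, and the collector stores them in ForwardedEvents.
[WinEventLog://ForwardedEvents]
disabled = 0
index = wineventlog          ; assumed index name
start_from = oldest
current_only = 0
checkpointInterval = 5
evt_resolve_ad_obj = 1
renderXml = false
```

In option 2 the originating workstation is preserved in the event's `ComputerName` field, so you can still search per host even though the UF sits on the collector.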