Just to clarify, I needed to configure Advanced Audit Configuration in GP, including:
Audit Computer Account Management: Success, Failure
Audit Distribution Group Management: Success, Failure
Audit Security Group Management: Success, Failure
Audit User Account Management: Success, Failure
Audit Directory Service Access: Success, Failure
Audit Directory Service Changes: Success, Failure
I was having this issue and just recently resolved it.
I troubleshot this by searching for
eventtype=msad-successful-user-logons
which returned no results. Further investigation revealed that no eventlog:security items were being indexed.
I searched
eventtype=msad-dc-health
which is generated on the universal forwarder from PowerShell scripts enabled in inputs.conf. This returned current data normally.
I determined that the UF was configured correctly and was sending data, which was being received and stored in the correct index, and that Active Directory audit data was not being generated.
I resolved the issue by manually configuring a new set of audit GPs, applying it to my domain controller OU, and setting the "enforced" attribute in GPMC.
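A way to confirm on the domain controller that the six audit subcategories listed above are actually in effect after the GPO applies, as an added example that is not part of the original posts. It assumes English-language `auditpol` output; the helper name `Test-AuditPolicy` is hypothetical and the sample rows (including their GUIDs) are constructed.

```powershell
# Added example: compare a DC's effective advanced audit policy with the
# six subcategories listed in the post. Assumes English auditpol output.

$Required = @(
    'Computer Account Management'
    'Distribution Group Management'
    'Security Group Management'
    'User Account Management'
    'Directory Service Access'
    'Directory Service Changes'
)

function Test-AuditPolicy {   # hypothetical helper name
    param(
        # CSV lines in the format produced by: auditpol /get /category:* /r
        # When omitted, the live policy is read (requires an elevated prompt).
        [string[]]$CsvLines = (auditpol.exe /get /category:* /r)
    )
    # auditpol /r can emit blank lines around the header; drop them first.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Required) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } |
            Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Effective   = $setting
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

# Constructed sample in auditpol /r format (not output from a real host).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC01,System,User Account Management,{00000000-0000-0000-0000-000000000001},Success and Failure,'
    'DC01,System,Security Group Management,{00000000-0000-0000-0000-000000000002},Success,'
    'DC01,System,Directory Service Changes,{00000000-0000-0000-0000-000000000003},No Auditing,'
)
Test-AuditPolicy -CsvLines $sample | Format-Table -AutoSize

# On the domain controller itself (elevated), check the live policy:
# Test-AuditPolicy | Format-Table -AutoSize
```

Any row with `Compliant` set to `False` is a subcategory whose events will not reach the Security log, so the forwarder has nothing to send for it.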