Microsoft Active Directory Domain Controller
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. An AD domain controller responds to security authentication requests within a Windows domain. Most Active Directory logging, especially for security-related activity, is done via the Windows Event Log.
Active Directory security events
Windows Server generates events for suspicious activities, including attempts to change Active Directory modes or attempted replay attacks. Security events can be monitored through the Windows Event Log. Events specific to domain controller security are written to the Directory Service log with the event source ActiveDirectory_DomainService.
For a full list of Active Directory events that should be monitored, see Events to Monitor on Microsoft Docs.
Event ID | Description |
---|---|
4618 | A monitored security event pattern has occurred. |
4649 | A replay attack was detected. May be a harmless false positive due to a misconfiguration error. |
4719 | System audit policy was changed. |
4765 | SID History was added to an account. |
4766 | An attempt to add SID History to an account failed. |
4794 | An attempt was made to set the Directory Services Restore Mode administrator password. |
4897 | Role separation was enabled. |
4964 | Special groups have been assigned to a new logon. |
5124 | A security setting was updated on the OCSP Responder Service. |
1102 | The audit log was cleared. |

All of these are written to the Security log by the Microsoft-Windows-Security-Auditing provider except 1102, which the Microsoft-Windows-Eventlog provider writes to the Security log when the log is cleared.
In this example, im_msvistalog is used to capture the most important security-related events on a Windows Server 2012/2016 domain controller.

The Windows Event Log limits an XPath query to 22 expressions, so a query that lists every required event ID individually is rejected as invalid. The configuration below therefore subscribes by provider only and uses an Exec block to keep the required (provider, event ID) pairs and drop everything else. The provider is checked together with the event ID because the same numeric ID can be used by different providers; 1102 in particular comes from Microsoft-Windows-Eventlog, not from Security-Auditing.
# Event IDs to keep from the Security log (Microsoft-Windows-Security-Auditing)
define SecurityIDs 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, \
                   4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, \
                   4724, 4727, 4735, 4737, 4739, 4754, 4755, 4764, 4780, \
                   4816, 4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, \
                   4892, 4896, 4906, 4907, 4908, 4912, 4960, 4961, 4962, \
                   4963, 4965, 4976, 4977, 4978, 4983, 4984, 5027, 5028, \
                   5029, 5030, 5035, 5037, 5038, 5120, 5121, 5122, 5123, \
                   5376, 5377, 5453, 5480, 5483, 5484, 5485, 6145, 6273, \
                   6274, 6275, 6276, 6277, 6278, 6279, 6280, 4608, 4609, \
                   4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, 4634, \
                   4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
                   4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, \
                   4698, 4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, \
                   4718, 4720, 4722, 4723, 4725, 4726, 4728, 4729, 4730, \
                   4731, 4732, 4733, 4734, 4738, 4740, 4741, 4742, 4743, \
                   4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, \
                   4753, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4767, \
                   4768, 4769, 4770, 4771, 4772, 4774, 4775, 4776, 4778, \
                   4779, 4781, 4783, 4785, 4786, 4787, 4788, 4789, 4790, \
                   4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, \
                   4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
                   4891, 4893, 4894, 4895, 4898, 5136, 5137
# BitLocker driver events from the System log
define BitLockerIDs 24586, 24592, 24593, 24594
# "The audit log was cleared", written to the Security log by the Eventlog service
define EventlogID 1102
define SecuritySrc Microsoft-Windows-Security-Auditing
define BitLockerSrc Microsoft-Windows-BitLocker-Driver
define EventlogSrc Microsoft-Windows-Eventlog

<Input events>
    Module  im_msvistalog
    # Subscribe by provider only, which keeps the XPath query within the
    # Event Log expression limit; event IDs are filtered in the Exec block.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[Provider[
                    @Name='%EventlogSrc%' or
                    @Name='%SecuritySrc%']]]
                </Select>
                <Select Path="System">*[System[Provider[
                    @Name='%BitLockerSrc%']]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Keep an event only when both its provider ($SourceName) and its ID match
    # one of the lists above; everything else is dropped.
    <Exec>
        if not (defined($SourceName) and
                (($EventID IN (%SecurityIDs%) and $SourceName == "%SecuritySrc%") or
                 ($EventID IN (%BitLockerIDs%) and $SourceName == "%BitLockerSrc%") or
                 ($EventID == %EventlogID% and $SourceName == "%EventlogSrc%")))
            drop();
    </Exec>
</Input>
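Before relying on the configuration above, it is worth confirming which of the listed IDs a given domain controller actually emits. The following PowerShell script is an added example, not part of the NXLog documentation or the NXLog project; it applies the same approach (subscribe by provider with a small XPath query, filter by provider and event ID afterwards) using Get-WinEvent and counts the matches per event ID. It assumes it is run in an elevated session on the domain controller; the 24-hour window and the shortened ID list are choices made for the example and can be replaced with the full SecurityIDs list.

```powershell
# Added example (not from the NXLog documentation). Run elevated on the DC.
# IDs and provider names match the NXLog configuration above; the window of
# 24 hours and the shortened ID list are assumptions for this example.
$securityIds = @(4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124)
$eventlogIds = @(1102)

# One provider clause plus a time-window clause: well under the 22-expression
# limit of the Event Log query engine. The ID filtering is done client-side.
$xml = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing' or
                         @Name='Microsoft-Windows-Eventlog']
        and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@

# -ErrorAction SilentlyContinue: Get-WinEvent reports "no events" as an error.
$events = Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.ProviderName -eq 'Microsoft-Windows-Security-Auditing' -and $securityIds -contains $_.Id) -or
        ($_.ProviderName -eq 'Microsoft-Windows-Eventlog'          -and $eventlogIds -contains $_.Id)
    }

# Count per event ID. An ID that never appears is not necessarily quiet: check
# the audit policy (auditpol /get /category:*) before assuming it is.
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 1102 (audit log cleared) deserves an alert of its own, whatever the count.
$events | Where-Object { $_.Id -eq 1102 } |
    Select-Object TimeCreated, MachineName, Id |
    Format-List
```

The script mirrors the Exec block deliberately: both filter on the provider and the ID together, so a 1102 from a different provider, or a Security-Auditing event with an ID that happens to be in another list, is not mistaken for a match.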
Advanced security audit policy
Additional logging can be enabled via the Group Policy Advanced Audit Policy. This policy provides a more granular level of information about security changes. To enable the Advanced Audit Policy on Windows Server 2012 and above, follow these steps:
- Log in to the server as a Domain Administrator.
- Load the Group Policy Management Editor from Server Manager > Tools.
- Expand the Domain Controllers organizational unit (OU), right-click Default Domain Controllers Policy, and click Edit.
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.
- Enable the four listed policies (Audit Detailed Directory Service Replication, Audit Directory Service Access, Audit Directory Service Changes, and Audit Directory Service Replication) for Success and Failure to provide access to the corresponding Windows security auditing events.
Two things to check once the policy has applied. First, advanced (subcategory) audit settings are only honored when "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled under Security Settings > Local Policies > Security Options; otherwise a legacy category-level setting from another policy can silently override them. Second, Audit Directory Service Access (event 4662) and Audit Directory Service Changes (events 5136 to 5141) only generate events for objects whose SACL requests auditing for that operation, so enabling the subcategory alone does not guarantee that events for a given object or attribute will appear.
For more information on configuring the Advanced Security Auditing Policy and descriptions of event IDs, please view Step-By-Step: Enabling Advanced Security Audit Policy via DS Access on Microsoft Docs.
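The Group Policy steps above are the durable way to configure this on domain controllers. For testing on a single DC, or for checking what the effective policy actually is after Group Policy has applied, the same four subcategories can be driven from PowerShell with auditpol. The script below is an added example and is not part of the NXLog documentation or the NXLog project; it assumes an elevated session on the domain controller, and it assumes you understand that a local auditpol setting is overwritten by the GPO at the next policy refresh.

```powershell
# Added example (not from the NXLog documentation). Run elevated on the DC.
# auditpol changes the *local* policy; on a DC the Default Domain Controllers
# Policy (or another GPO) will reapply its own settings at the next refresh,
# so this is for testing and verification, not a replacement for Group Policy.

# The four subcategories under the "DS Access" category, as named by auditpol.
$subcategories = @(
    'Directory Service Access',
    'Directory Service Changes',
    'Directory Service Replication',
    'Detailed Directory Service Replication'
)

foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for subcategory '$sub'" }
}

# Show the effective settings for the whole category.
auditpol /get /category:"DS Access"

# Subcategory settings only take effect when legacy category settings are not
# allowed to override them. This is the registry value controlled by the
# "Audit: Force audit policy subcategory settings ... to override audit policy
# category settings" security option; 1 means subcategory settings win.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: legacy category settings may override the DS Access subcategories.'
}
```

If auditpol /get shows the subcategories enabled but no 4662 or 5136 events arrive, look at the SACL of the objects you expect to see audited (the Auditing tab in the object's security properties) rather than at the audit policy again.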
Once security auditing has been enabled, the related events can be queried and collected from the Windows Event Log by NXLog with the im_msvistalog module. This configuration collects the DS Access events 4928 through 4937 (directory service replication), 4662 (an operation was performed on an object), and 5136 through 5141 (directory service changes), and keeps only those with an event level of critical, warning, or error. Ranges are expressed with comparison operators; an expression such as EventID=4928 and EventID=4931 can never be true for a single event. Because Microsoft-Windows-Security-Auditing records success and failure in the Keywords field (0x8020000000000000 for Audit Success, 0x8010000000000000 for Audit Failure) rather than in Level, run the query on a domain controller first, for example with wevtutil qe Security /q:"<the XPath below>" /c:5, and relax or replace the Level clause if it returns nothing.
<Input SecurityAuditEvents>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
                    and (Level=1 or Level=2 or Level=3)
                    and ((EventID&gt;=4928 and EventID&lt;=4937) or EventID=4662
                         or (EventID&gt;=5136 and EventID&lt;=5141))]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
Troubleshooting Domain Controller promotions and installations
The %systemroot%\debug\dcpromo.log log file stores information about installations, promotions, and demotions of domain controllers. Successive runs of dcpromo write to additional log files named %systemroot%\debug\dcpromo.001.log, dcpromo.002.log, and so on.
For more information on troubleshooting domain controller promotions and installations, please view Troubleshooting Domain Controller Deployment.
This configuration uses the im_file module to read from all dcpromo log files. Each line is parsed with a regular expression into a timestamp, a severity in square brackets, and a message, and the timestamp is then converted with the parsedate() function. The lines look like this:
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1270 objects remaining
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1269 objects remaining
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1268 objects remaining
# Import the SystemRoot environment variable so that %SystemRoot% can be used
# below; NXLog only expands %name% for names created with define or envvar.
envvar SystemRoot

<Input dcpromo>
    Module  im_file
    # The log of the most recent run plus the numbered logs of earlier runs
    File    "%SystemRoot%\debug\DCPROMO.log"
    File    "%SystemRoot%\debug\DCPROMO.*.log"
    <Exec>
        # "<date> <time> [<severity>] <message>", e.g. 10/02/2018 04:43:47 [INFO] ...
        if $raw_event =~ /^(\S+ \S+) \[(\S+)\] (.+)$/
        {
            $EventTime = parsedate($1);
            $Severity = $2;
            $Message = $3;
        }
    </Exec>
</Input>
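When a promotion fails, the same parsing is useful interactively to pull the WARNING and ERROR lines out of all dcpromo logs on the box. The following PowerShell script is an added example, not part of the NXLog documentation or the NXLog project; it applies the regular expression from the configuration above, parses the timestamp with an explicit format so the result does not depend on the machine's culture, and falls back to three constructed sample lines when no dcpromo logs are present. The MM/dd/yyyy, 24-hour timestamp format is an assumption made from the sample lines shown above.

```powershell
# Added example (not from the NXLog documentation).
# Constructed sample lines in the format shown above; the WARNING and ERROR
# lines are made up for illustration and do not come from a real dcpromo.log.
$sampleLines = @(
    '10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1270 objects remaining',
    '10/02/2018 04:43:48 [WARNING] Constructed sample line for illustration only',
    '10/02/2018 04:43:49 [ERROR] Constructed sample line for illustration only'
)

function ConvertFrom-DcpromoLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # Same pattern as the NXLog Exec block: "<date> <time> [<severity>] <message>"
        if ($Line -match '^(\S+ \S+) \[(\S+)\] (.+)$') {
            [pscustomobject]@{
                # Assumed format MM/dd/yyyy HH:mm:ss, parsed with the invariant
                # culture so a dd/MM locale does not swap day and month.
                EventTime = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy HH:mm:ss',
                                [System.Globalization.CultureInfo]::InvariantCulture)
                Severity  = $Matches[2]
                Message   = $Matches[3]
            }
        }
        # Lines that do not match (continuations, blank lines) are skipped.
    }
}

# Read dcpromo.log and the numbered logs of earlier runs, if present.
$debugDir = Join-Path $env:SystemRoot 'debug'
$logFiles = Get-ChildItem -Path $debugDir -Filter 'dcpromo*.log' -ErrorAction SilentlyContinue

$records = if ($logFiles) {
    $logFiles | Get-Content | ConvertFrom-DcpromoLine
} else {
    $sampleLines | ConvertFrom-DcpromoLine   # fall back to the constructed sample
}

# Surface the problems; INFO lines like the partition-creation progress are noise here.
$records | Where-Object { $_.Severity -in 'WARNING', 'ERROR' } |
    Sort-Object EventTime |
    Format-Table EventTime, Severity, Message -AutoSize
```

Parsing the timestamp explicitly matters more than it looks: the NXLog parsedate() call and this script must agree on whether 10/02/2018 is 2 October or 10 February, so confirm the format against a dcpromo.log whose day-of-month is greater than 12 before trusting either.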