NXLog Documentation

Microsoft Active Directory Domain Controller

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. An AD domain controller responds to security authentication requests within a Windows domain. Most domain controller logging, especially for security-related activity, is done via the Windows Event Log.

Active directory security events

Windows Server generates events for suspicious activities, including attempts to change Active Directory modes or attempted replay attacks. Security events can be monitored through the Windows Event Log. Events specific to domain controller security are written under the Event Log source ActiveDirectory_DomainService.

For a full list of Active Directory events that should be monitored, see Events to Monitor on Microsoft Docs.

Table 1. Active Directory events with high potential criticality

Event ID   Description
4618       A monitored security event pattern has occurred.
4649       A replay attack was detected. May be a harmless false positive due to a misconfiguration error.
4719       System audit policy was changed.
4765       SID History was added to an account.
4766       An attempt to add SID History to an account failed.
4794       An attempt was made to set the Directory Services Restore Mode.
4897       Role separation was enabled.
4964       Special groups have been assigned to a new logon.
5124       A security setting was updated on OCSP Responder Service.
1102       The audit log was cleared.

Example 1. Collecting Active Directory security events

In this example, im_msvistalog is used to capture the most important security-related events on a Windows Server 2012/2016 domain controller.

The Event Log supports a limited number of Event IDs in a query. Due to this limitation, an Exec block is used to match the required Event IDs rather than listing every Event ID in the query.
nxlog.conf
define SecurityIDs     4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, \
                       4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, \
                       4724, 4727, 4735, 4737, 4739, 4754, 4755, 4764, 4780, \
                       4816, 4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, \
                       4892, 4896, 4906, 4907, 4908, 4912, 4960, 4961, 4962, \
                       4963, 4965, 4976, 4977, 4978, 4983, 4984, 5027, 5028, \
                       5029, 5030, 5035, 5037, 5038, 5120, 5121, 5122, 5123, \
                       5376, 5377, 5453, 5480, 5483, 5484, 5485, 6145, 6273, \
                       6274, 6275, 6276, 6277, 6278, 6279, 6280, 4608, 4609, \
                       4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, 4634, \
                       4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
                       4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, \
                       4698, 4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, \
                       4718, 4720, 4722, 4723, 4725, 4726, 4728, 4729, 4730, \
                       4731, 4732, 4733, 4734, 4738, 4740, 4741, 4742, 4743, \
                       4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, \
                       4753, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4767, \
                       4768, 4769, 4770, 4771, 4772, 4774, 4775, 4776, 4778, \
                       4779, 4781, 4783, 4785, 4786, 4787, 4788, 4789, 4790, \
                       4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, \
                       4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
                       4891, 4893, 4894, 4895, 4898, 5136, 5137

define BitLockerIDs    24586, 24592, 24593, 24594

define EventlogID      1102

define SecuritySrc     Microsoft-Windows-Security-Auditing
define BitLockerSrc    Microsoft-Windows-BitLocker-Driver
define EventlogSrc     Microsoft-Windows-Eventlog

<Input events>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[Provider[
                    @Name='%EventlogSrc%' or
                    @Name='%SecuritySrc%']]]
                </Select>
                <Select Path="System">*[System[Provider[
                    @Name='%BitLockerSrc%']]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if not (defined($SourceName) and
           (($EventID IN (%SecurityIDs%) and $SourceName == "%SecuritySrc%") or
           ($EventID IN (%BitLockerIDs%) and $SourceName == "%BitLockerSrc%") or
           ($EventID == %EventlogID% and $SourceName == "%EventlogSrc%")))
           drop();
    </Exec>
</Input>
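The Exec block above keeps an event only when its Event ID is paired with the provider it belongs to: 1102 is accepted from Microsoft-Windows-Eventlog but not from the Security Auditing provider, and an event without $SourceName is dropped outright. The following Python is an added example, not NXLog's code or configuration, that re-implements that provider-aware allow-list over constructed sample events and tags the survivors that appear in Table 1. The Security ID set is a shortened subset of the page's SecurityIDs define, and every event below is constructed.

```python
# Added example (not from the NXLog page): provider-aware allow-list filter
# plus tagging of Table 1 high-criticality events. All events are constructed;
# the field names mirror the im_msvistalog fields $SourceName and $EventID.

SECURITY_SRC = "Microsoft-Windows-Security-Auditing"
BITLOCKER_SRC = "Microsoft-Windows-BitLocker-Driver"
EVENTLOG_SRC = "Microsoft-Windows-Eventlog"

# Allow-list keyed by provider, as in the Exec block: an Event ID is kept only
# when it arrives from the provider it belongs to. The Security set is a
# subset of the page's SecurityIDs define, shortened for the example.
ALLOWED_IDS = {
    SECURITY_SRC: {4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124,
                   4624, 4625, 4672, 4688, 4740},
    BITLOCKER_SRC: {24586, 24592, 24593, 24594},
    EVENTLOG_SRC: {1102},
}

# Table 1: events with high potential criticality.
HIGH_CRITICALITY = {
    4618: "A monitored security event pattern has occurred.",
    4649: "A replay attack was detected.",
    4719: "System audit policy was changed.",
    4765: "SID History was added to an account.",
    4766: "An attempt to add SID History to an account failed.",
    4794: "An attempt was made to set the Directory Services Restore Mode.",
    4897: "Role separation was enabled.",
    4964: "Special groups have been assigned to a new logon.",
    5124: "A security setting was updated on OCSP Responder Service.",
    1102: "The audit log was cleared.",
}


def keep_event(event):
    """Mirror of `if not (defined($SourceName) and ...) drop();`:
    True when the event survives the Exec block."""
    source = event.get("SourceName")
    if source is None:
        return False
    return event.get("EventID") in ALLOWED_IDS.get(source, frozenset())


def triage(events):
    """Apply the filter, then pull out the survivors listed in Table 1 as
    (EventID, description) alerts, in arrival order."""
    kept = [e for e in events if keep_event(e)]
    alerts = [(e["EventID"], HIGH_CRITICALITY[e["EventID"]])
              for e in kept if e["EventID"] in HIGH_CRITICALITY]
    return kept, alerts


# Constructed sample events (not real domain controller data).
SAMPLE_EVENTS = [
    {"SourceName": SECURITY_SRC, "EventID": 4624, "Message": "An account was successfully logged on."},
    {"SourceName": EVENTLOG_SRC, "EventID": 1102, "Message": "The audit log was cleared."},
    # Same ID, wrong provider: 1102 is only accepted from Microsoft-Windows-Eventlog.
    {"SourceName": SECURITY_SRC, "EventID": 1102, "Message": "constructed provider mismatch"},
    {"SourceName": BITLOCKER_SRC, "EventID": 24586, "Message": "constructed BitLocker event"},
    {"SourceName": SECURITY_SRC, "EventID": 4765, "Message": "SID History was added to an account."},
    # No $SourceName at all: the defined() check fails and the event is dropped.
    {"EventID": 4719, "Message": "constructed event without a provider"},
    {"SourceName": SECURITY_SRC, "EventID": 4719, "Message": "System audit policy was changed."},
    # Not in the allow-list for its provider.
    {"SourceName": SECURITY_SRC, "EventID": 5379, "Message": "constructed noise"},
]

if __name__ == "__main__":
    kept, alerts = triage(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} events in, {len(kept)} kept, {len(alerts)} high-criticality")
    for event_id, description in alerts:
        print(f"  ALERT {event_id}: {description}")
```

Running the block reports 5 of the 8 constructed events kept and 3 alerts (1102, 4765, 4719); the provider mismatch, the provider-less event and the unlisted ID are dropped, which is the behaviour the Exec block's `$SourceName == "..."` pairing enforces.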

Advanced security audit policy

Additional logging can be enabled via the Group Policy Advanced Audit Policy. This policy provides a more granular level of information about security changes. To enable the Advanced Audit Policy on Windows Server 2012 and above, follow these steps:

  1. Log in to the server as Domain Administrator.

  2. Load the Group Policy Management Editor from Server Manager > Tools.

  3. Expand the Domain Controllers organizational unit (OU), right-click on Default Domain Controllers Policy, and click Edit.

  4. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.

  5. Enable the four listed policies to provide access to security auditing events.

For more information on configuring the Advanced Security Auditing Policy, and descriptions of event IDs, please view Step-By-Step: Enabling Advanced Security Audit Policy via DS Access on Microsoft TechNet.

Example 2. Collecting auditing policy events via im_msvistalog

Once security auditing has been enabled, the related events in the Event Log can be queried and collected by NXLog with the im_msvistalog module. This configuration collects the Windows Security Auditing events selected in the query that have an Event Level of critical, warning, or error.

nxlog.conf
<Input SecurityAuditEvents>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                    *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
                      and (Level=1 or Level=2 or Level=3)
                      and ((EventID&gt;=4928 and EventID&lt;=4931)
                           or (EventID&gt;=4932 and EventID&lt;=4937)
                           or EventID=4662
                           or (EventID&gt;=5136 and EventID&lt;=5141))]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

Troubleshooting Domain Controller promotions and installations

The %systemroot%\debug\dcpromo.log log file stores information about installations, promotions, and demotions of domain controllers. Successive runs of dcpromo will write to other log files at %systemroot%\debug\dcpromo.001.log, etc.

For more information on troubleshooting domain controller promotions and installations, please view Troubleshooting Domain Controller Deployment.

Example 3. Collecting dcpromo log messages via im_file

This configuration uses the im_file module to read from all dcpromo log files. Each event is parsed with a regular expression, and then the timestamp is parsed with the parsedate() function.

Log Sample
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1270 objects remaining
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1269 objects remaining
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1268 objects remaining
nxlog.conf
# NXLog does not expand Windows environment variables inside string values,
# and %name% is the syntax for a define. The envvar directive imports
# SYSTEMROOT from the environment so it can be referenced like a define.
envvar SYSTEMROOT

<Input dcpromo>
    Module  im_file
    # Single-quoted strings keep the backslashes in the path literal.
    File    '%SYSTEMROOT%\debug\dcpromo.log'
    File    '%SYSTEMROOT%\debug\dcpromo.*.log'
    <Exec>
        # Line layout: <date> <time> [<severity>] <message>
        if $raw_event =~ /^(\S+ \S+) \[(\S+)\] (.+)$/
        {
            $EventTime = parsedate($1);
            $Severity = $2;
            $Message = $3;
        }
    </Exec>
</Input>
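To check the regular expression and timestamp handling before deploying the im_file configuration, the following Python is an added example (not NXLog's code) that applies the same pattern to the page's three sample lines plus two constructed lines: an ERROR entry and a continuation line without a timestamp. It assumes the date is written month/day/year, which is how the page's sample reads; adjust TIME_FORMAT if the server's locale differs. Lines that do not match, or whose timestamp does not parse, are returned separately rather than silently dropped.

```python
import re
from datetime import datetime

# Added example, not part of the NXLog page. Same pattern as the im_file
# Exec block: "<date> <time> [<severity>] <message>".
LINE_RE = re.compile(r"^(\S+ \S+) \[(\S+)\] (.+)$")

# Assumption: dcpromo wrote the timestamp as month/day/year (matches the
# page's sample). Change this if the server locale orders the date differently.
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"


def parse_line(line):
    """Return {"EventTime", "Severity", "Message"} for a well-formed line,
    or None when the line does not match or its timestamp is unparseable."""
    match = LINE_RE.match(line.rstrip("\r\n"))
    if not match:
        return None
    stamp, severity, message = match.groups()
    try:
        event_time = datetime.strptime(stamp, TIME_FORMAT)
    except ValueError:
        return None
    return {"EventTime": event_time, "Severity": severity, "Message": message}


def parse_dcpromo(text):
    """Parse a whole log. Returns (records, unparsed_lines); unparsed lines are
    kept so a reviewer can see what the pattern missed."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            unparsed.append(line)
        else:
            records.append(record)
    return records, unparsed


def severity_counts(records):
    """Count records per severity tag (INFO, ERROR, ...)."""
    counts = {}
    for record in records:
        counts[record["Severity"]] = counts.get(record["Severity"], 0) + 1
    return counts


def non_info(records):
    """Entries to look at first: anything not logged as INFO."""
    return [r for r in records if r["Severity"] != "INFO"]


# Constructed sample: the three lines from the page, one constructed ERROR
# line, and one constructed continuation line that carries no timestamp.
SAMPLE_LOG = """\
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1270 objects remaining
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1269 objects remaining
10/02/2018 04:43:47 [INFO] Creating directory partition: CN=Configuration,DC=nxlog,DC=org; 1268 objects remaining
10/02/2018 04:44:10 [ERROR] constructed: replication of CN=Schema,CN=Configuration,DC=nxlog,DC=org did not complete
  constructed continuation text with no timestamp
"""

if __name__ == "__main__":
    records, unparsed = parse_dcpromo(SAMPLE_LOG)
    print(f"{len(records)} parsed, {len(unparsed)} unparsed, severities: {severity_counts(records)}")
    for record in non_info(records):
        print(f"  {record['EventTime']:%Y-%m-%dT%H:%M:%S} [{record['Severity']}] {record['Message']}")
```

The unparsed list is the useful diagnostic: in NXLog, a line the regular expression does not match leaves $EventTime, $Severity and $Message unset, so a non-empty unparsed list here means the deployed Exec block would pass such lines through with only $raw_event populated.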
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 05 January 2019