
Respectfully questioning components in the AppInsight for Active Directory template

Can anyone, particularly from the SAM product team, help me understand a few questions about the AppInsight for Active Directory template?

  1. Why is the default configuration of this application template to monitor port 389 with no encryption? This should default to 636 or 3269 using SSL (TLS).
  2. Why is this polling domain controller event logs for event ID 4648 (a logon was attempted using explicit credentials), and why does the component have a critical threshold of 5?
    Speaking for my environment at least, it is expected to see many of these logged, which means that Active Directory is always marked as critical in SAM. (My current metric on one domain controller alone is 700!) Microsoft has a great KB article that describes this event ID. (4648(S) A logon was attempted using explicit credentials). In short, it doesn't seem like a useful metric unless it targets specific recommendations that the KB article describes.
  3. Again, can we please have the option to selectively disable components in AppInsight templates, or the option to duplicate and edit the dupe? (I do understand that for these AppInsights, allowing customers to edit them does probably make Solarwinds feel exposed to the "hey, why didn't this monitor what you told me it would monitor" line of questioning from deviant ops, but perhaps that could be somewhat mitigated with a disclaimer in conjunction with the dupe/edit option.)

Thoughts? Thanks!

Sam

  • Partially answered this, with regards to using global catalog port 3269: apparently global catalog queries do not return the exact same set of data that LDAP queries over 636 do. When testing 3269 w/SSL in my environment, authentication succeeded, but the application quickly alerted as down because it lacked information about the FSMO roles:

    The application Active Directory on dc01 (nnn.nnn.nnn.nnn) is now Down.

    Alerting Application Components:
    FSMO Role - Schema Master(Down)
    FSMO Role - Domain Naming Master(Down)
    FSMO Role - RID Master(Down)
    FSMO Role - Infrastructure Master(Down)
    FSMO Role - PDC Emulator(Down)
  • From past experience with hacking up the AppInsight templates, the reason they don't allow people to disable individual components is usually that under the covers they are all tangled up in a web of scripted queries and such, which causes issues where disabling one component inadvertently cripples a handful of other components that you didn't intend to disable (if you feel brave, the disable flag exists in the database for EVERY component, but I don't suggest testing it out in prod; it can get nasty).

    Not to say that I don't think they couldn't at least just address this on the front end and give the end user the option to "disable" a component and just have it not show up in the GUI or be able to trigger any kinds of alerts and such.

    To your question about how they determine the thresholds, I have long taken issue with the OOTB thresholds in lots of the templates, so I feel your pain there. What I will suggest is you might hit up ccousineau and serena to give them your feedback on those, since last I heard they are still actively working on the next iteration of that template. I pray you can impress upon them the importance of realistic thresholds in the template :)

    SAM users - we need your help!

  • Hmmm, I wonder what ccousineau and serena would say to a sort of customer advisory board that could suggest realistic OOB thresholds and also offer input on what metrics to include in OOB templates? (The thought of a voting, forum, or wiki-styled input forum also crossed my mind, but that could get messy and off-topic too quickly, I fear.)

  • sturdyerde wrote:

    Hmmm, I wonder what ccousineau and serena would say to a sort of customer advisory board that could suggest realistic OOB thresholds and also offer input on what metrics to include in OOB templates? (The thought of a voting, forum, or wiki-styled input forum also crossed my mind, but that could get messy and off-topic too quickly, I fear.)

    +1 I want your feedback. Now, the question for me is - what's a scalable way to get this input? Polls? Forums? How would you like to get this data to me that wouldn't be a burden?

  • serena wrote:

    +1 I want your feedback. Now, the question for me is - what's a scalable way to get this input? Polls? Forums? How would you like to get this data to me that wouldn't be a burden?

    Yes, that type of input could definitely become a burden if not designed in a way to carefully receive and collate the input.

    Commenting in a thread would be a nightmare, unless...possibly...the list of participants was short enough to keep the conversation reasonable. Read: "too many cooks spoil the broth."

    Some form of a voting system could work, if the metrics are pre-populated. Again, potentially messy unless the voting first focuses on which metrics to track...THEN on what threshold to set for each accepted metric.

    Regardless of format, the product will be worthwhile as long as SW engineers remain so open to receiving feedback and suggestions for things like this. :)

  • sturdyerde wrote:

    Can anyone, particularly from the SAM product team, help me understand a few questions about the AppInsight for Active Directory template?

    1. Why is the default configuration of this application template to monitor port 389 with no encryption? This should default to 636 or 3269 using SSL (TLS).
    2. Why is this polling domain controller event logs for event ID 4648 (a logon was attempted using explicit credentials), and why does the component have a critical threshold of 5?
      Speaking for my environment at least, it is expected to see many of these logged, which means that Active Directory is always marked as critical in SAM. (My current metric on one domain controller alone is 700!) Microsoft has a great KB article that describes this event ID. (4648(S) A logon was attempted using explicit credentials). In short, it doesn't seem like a useful metric unless it targets specific recommendations that the KB article describes.
    3. Again, can we please have the option to selectively disable components in AppInsight templates, or the option to duplicate and edit the dupe? (I do understand that for these AppInsights, allowing customers to edit them does probably make Solarwinds feel exposed to the "hey, why didn't this monitor what you told me it would monitor" line of questioning from deviant ops, but perhaps that could be somewhat mitigated with a disclaimer in conjunction with the dupe/edit option.)

    Thoughts? Thanks!

    Sam

    Sam,

    I discussed this with the team who built this AppInsight feature originally and got some insight back from you.

    To your first point about the default configuration for monitoring, this is based on the fact that TLS is not by default set up on the AD environment, and requires action for the customer to do so. If someone new to Orion starts monitoring an AD environment without TLS set up, they would get nothing, and those less savvy with SolarWinds would generate an immediate support ticket. I'd rather enable those folks who are trying out SAM with AppInsight to get some initial polled data. The more advanced customer that has tuned Active Directory for TLS has the ability to enable this option in AAD and in that case can configure it to do so.

    For the second point about the behavior of that component, for every customer like yourself that considers those logon attempts as "normal" there are others that want to be notified immediately. In this case I think your suggested enhancement of - hey can I please customize the components is a very viable request to help with a use case just like the one you've described. I'll consider your well thought out feedback here a +1 to that feature request.

    Thanks for sharing your experience here, this will help me to make better decisions in the product going forward.

  • FormerMember (in reply to serena)

    Just turned on AppInsight for Active Directory (quite by accident, since I merely did a discovery scan and added nodes).

    Event ID: 4648. “Attempted to logon using explicit credentials event for Active Directory on DC01”

    I am getting a "critical" status for application "Active Directory" which was cause for concern, and now of course I have a big fat red ball on my dashboards. :(

    We have quite literally over 4,000 event ID 4648 in the hour since I enabled the discovered scan nodes. Randomly selecting some of the events, they are very ordinary and typical user logins. So this does not feel like a valid alert for our organization. I do not see a way to disable this alert, but keep monitoring Active Directory for other symptoms. I am a newbie. Any help appreciated.

  • gperkins wrote:

    Just turned on AppInsight for Active Directory (quite by accident, since I merely did a discovery scan and added nodes).

    Event ID: 4648. “Attempted to logon using explicit credentials event for Active Directory on DC01”

    I am getting a "critical" status for application "Active Directory" which was cause for concern, and now of course I have a big fat red ball on my dashboards.

    We have quite literally over 4,000 event ID 4648 in the hour since I enabled the discovered scan nodes. Randomly selecting some of the events, they are very ordinary and typical user logins. So this does not feel like a valid alert for our organization. I do not see a way to disable this alert, but keep monitoring Active Directory for other symptoms. I am a newbie. Any help appreciated.

    Hi George,

    There's an existing feature request to exclude events matching a certain event ID.

    I'd appreciate it if you'd like to upvote that particular feature request.

  • FormerMember (in reply to FormerMember)

    A work-around for this issue is to modify the warning and error thresholds for the specific event ID. For example, if you wish to exclude an event ID, instead change the threshold from the provided low number to an impossibly large number.

    Procedure:

    1. SAM Settings
    2. Edit AppInsight for Active Directory
    3. Scroll down and open "Attempted to logon using explicit credentials event"
    4. Change Warning threshold from 1 to 5555555
    5. Change Error threshold from 5 to 9999999
    6. Change User notes to a comment
    7. Submit

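The threshold behaviour argued over in this thread (the default warning 1 / critical 5 on event 4648, the "huge number" and blank-threshold workarounds above, and the original poster's wish for a metric that targets specific scenarios), as an added Python model that is not part of the thread or of SAM itself. The hourly counts, the sample 4648 records, the `HIGH_VALUE` watchlist and the mean-plus-k-sigma rule are all constructed assumptions for illustration, not measurements or SolarWinds behaviour.

```python
from statistics import mean, pstdev
from typing import Iterable, List, Optional, Tuple

# Constructed hourly counts of event 4648 on one DC during a quiet weekday window.
# The thread reports ~700/hour on one DC and 4,000+/hour elsewhere, so these are
# plausible but invented numbers, not measurements from any environment.
BASELINE_4648_PER_HOUR = [640, 710, 690, 720, 700, 680, 655]

# Constructed 4648 records: (SubjectUserName, TargetUserName, ProcessName).
SAMPLE_4648 = [
    ("jdoe", "jdoe", r"C:\Windows\System32\svchost.exe"),
    ("jdoe", "svc_backup", r"C:\Program Files\Backup\agent.exe"),
    ("asmith", "Administrator", r"C:\Windows\System32\cmd.exe"),
    ("asmith", "asmith", r"C:\Windows\explorer.exe"),
]
# Assumed watchlist of accounts whose explicit-credential use is always worth a look.
HIGH_VALUE = {"Administrator", "krbtgt"}


def component_status(count: int, warn: Optional[int], crit: Optional[int]) -> str:
    """Model a SAM-style threshold component: a blank (None) threshold disables
    that level, which is what the last reply in the thread relies on."""
    if crit is not None and count >= crit:
        return "critical"
    if warn is not None and count >= warn:
        return "warning"
    return "up"


def baseline_thresholds(counts: Iterable[int], k: float = 3.0) -> Tuple[int, int]:
    """Derive warn/crit from observed volume (assumption: mean + k*sigma and
    mean + 2k*sigma) instead of the template's fixed 1/5, so that only an
    abnormal surge, not routine logon traffic, trips the component."""
    counts = list(counts)
    mu, sd = mean(counts), pstdev(counts)
    return int(mu + k * sd), int(mu + 2 * k * sd)


def noteworthy_4648(events: List[Tuple[str, str, str]], watchlist=HIGH_VALUE):
    """Keep only explicit-credential logons that target a watched account
    (assumed filter, in the spirit of alerting on specific scenarios rather
    than on the raw count of 4648 events)."""
    return [e for e in events if e[1] in watchlist]


if __name__ == "__main__":
    warn, crit = baseline_thresholds(BASELINE_4648_PER_HOUR)
    print("default 1/5 at 700/hour :", component_status(700, 1, 5))
    print("blank thresholds        :", component_status(700, None, None))
    print(f"baseline-derived {warn}/{crit} at 700/hour:", component_status(700, warn, crit))
    print("watched-account hits    :", noteworthy_4648(SAMPLE_4648))
```

With the defaults the component is critical at any realistic volume, while the baseline-derived pair stays "up" at 700/hour and still goes critical on a genuine surge.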

  • You can actually just blank out the thresholds as well