
Respectfully questioning components in the AppInsight for Active Directory template


Can anyone, particularly from the SAM product team, help me understand a few questions about the AppInsight for Active Directory template?

  1. Why is the default configuration of this application template to monitor port 389 with no encryption? This should default to 636 or 3269 using SSL (TLS).
  2. Why is this polling domain controller event logs for event ID 4648 (a logon was attempted using explicit credentials), and why does the component have a critical threshold of 5?
    Speaking for my environment at least, it is expected to see many of these logged, which means that Active Directory is always marked as critical in SAM. (My current metric on one domain controller alone is 700!) Microsoft has a great KB article that describes this event ID. (4648(S) A logon was attempted using explicit credentials). In short, it doesn't seem like a useful metric unless it targets specific recommendations that the KB article describes.
  3. Again, can we please have the option to selectively disable components in AppInsight templates, or the option to duplicate and edit the dupe? (I do understand that for these AppInsights, allowing customers to edit them does probably make Solarwinds feel exposed to the "hey, why didn't this monitor what you told me it would monitor" line of questioning from deviant ops, but perhaps that could be somewhat mitigated with a disclaimer in conjunction with the dupe/edit option.)

Thoughts? Thanks!

Sam

1 Solution
Product Manager

sturdyerde wrote:

Can anyone, particularly from the SAM product team, help me understand a few questions about the AppInsight for Active Directory template?

  1. Why is the default configuration of this application template to monitor port 389 with no encryption? This should default to 636 or 3269 using SSL (TLS).
  2. Why is this polling domain controller event logs for event ID 4648 (a logon was attempted using explicit credentials), and why does the component have a critical threshold of 5?
    Speaking for my environment at least, it is expected to see many of these logged, which means that Active Directory is always marked as critical in SAM. (My current metric on one domain controller alone is 700!) Microsoft has a great KB article that describes this event ID. (4648(S) A logon was attempted using explicit credentials). In short, it doesn't seem like a useful metric unless it targets specific recommendations that the KB article describes.
  3. Again, can we please have the option to selectively disable components in AppInsight templates, or the option to duplicate and edit the dupe? (I do understand that for these AppInsights, allowing customers to edit them does probably make Solarwinds feel exposed to the "hey, why didn't this monitor what you told me it would monitor" line of questioning from deviant ops, but perhaps that could be somewhat mitigated with a disclaimer in conjunction with the dupe/edit option.)

Thoughts? Thanks!

Sam

Sam,

I discussed this with the team who built this AppInsight feature originally and got some insight back from you.

To your first point about the default configuration for monitoring, this is based on the fact that TLS is not by default set up on the AD environment, and requires action for the customer to do so. If someone new to Orion starts monitoring an AD environment without TLS set up, they would get nothing, and those less savvy with SolarWinds would generate an immediate support ticket. I'd rather enable those folks who are trying out SAM with AppInsight to get some initial polled data. The more advanced customer that has tuned Active Directory for TLS has the ability to enable this option in AAD and in that case can configure it to do so.

For the second point about the behavior of that component, for every customer like yourself that considers those logon attempts as "normal" there are others that want to be notified immediately. In this case I think your suggested enhancement of "hey, can I please customize the components?" is a very viable request to help with a use case just like the one you've described. I'll consider your well thought out feedback here a +1 to that feature request.

Thanks for sharing your experience here, this will help me to make better decisions in the product going forward.


12 Replies

Guys! Thank you, gperkins and mesverrum for that tip. (Smacking myself for not trying that already.)

Hi,

We have a similar requirement where we need to exclude this specific event only for two account names. In a typical Windows Event Monitor SAM template you do have the option to include/exclude certain keywords. The AD template does not have that option. Any suggestions?

I do see an option on the AppInsight view where you can add/remove certain events from displaying. That is one option available. Maybe create a separate SAM template Windows Event Viewer and display in that view.

Thanks,

Arnab


Just turned on AppInsight for Active Directory (quite by accident, since I merely did a discovery scan and added nodes).

Event ID: 4648. “Attempted to logon using explicit credentials event for Active Directory on DC01”

I am getting a "critical" status for application "Active Directory" which was cause for concern, and now of course I have a big fat red ball on my dashboards.

We have quite literally over 4,000 event ID 4648 in the hour since I enabled the discovered scan nodes. Randomly selecting some of the events, they are very ordinary and typical user logins. So this does not feel like a valid alert for our organization. I do not see a way to disable this alert, but keep monitoring Active Directory for other symptoms. I am a newbie. Any help appreciated.

A work-around for this issue is to modify the warning and error thresholds for the specific event ID. For example, if you wish to exclude an event ID, instead change the threshold from the provided low number to an impossibly large number.

Procedure:

  1. SAM Settings
  2. Edit AppInsight for Active Directory
  3. Scroll down and open "Attempted to logon using explicit credentials event"
  4. Change Warning threshold from 1 to 5555555
  5. Change Error threshold from 5 to 9999999
  6. Change User notes to a comment
  7. Submit

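The threshold values in the workaround above are arbitrary. As an added example (not code from this thread or from SolarWinds), the following PowerShell pulls the last hour of event ID 4648 from a domain controller's Security log and tallies it per target account and per process, so a warning/critical threshold, and the accounts a site may want to exclude, can be chosen from a measured baseline rather than the shipped 1/5. It assumes it runs on a DC (or against one via remoting) with read access to the Security log; the names in $ExcludeAccounts are placeholders.

```powershell
# Added example: baseline event ID 4648 volume on a DC to size AppInsight thresholds.
# Assumes Security-log read access on the DC; $ExcludeAccounts holds placeholder names.
param(
    [int]$Hours = 1,
    [string[]]$ExcludeAccounts = @('svc-backup', 'svc-monitor')  # placeholder account names
)

# Read a named EventData field from the event XML rather than trusting Properties[] positions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Subject    = Get-EventField $e 'SubjectUserName'   # account that supplied the credentials
        Target     = Get-EventField $e 'TargetUserName'    # account whose credentials were used
        TargetHost = Get-EventField $e 'TargetServerName'
        Process    = Get-EventField $e 'ProcessName'
    }
}

# Drop the accounts already known to generate explicit-credential logons by design.
$kept = $rows | Where-Object { $ExcludeAccounts -notcontains $_.Target }

"4648 events in the last $Hours h: $($rows.Count); after excluding known accounts: $($kept.Count)"
"Top target accounts (candidates for an exclusion list):"
$kept | Group-Object Target  | Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize
"Top processes generating explicit-credential logons:"
$kept | Group-Object Process | Sort-Object Count -Descending | Select-Object -First 5  Count, Name | Format-Table -AutoSize
```

Run it a few times across a normal business day; the "after excluding" count is the number the component threshold should sit above, and a sudden jump in an account or process that is not on the list is the case the component was meant to catch.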

You can actually just blank out the thresholds as well

- Marc Netterfield, Github

gperkins wrote:

Just turned on AppInsight for Active Directory (quite by accident, since I merely did a discovery scan and added nodes).

Event ID: 4648. “Attempted to logon using explicit credentials event for Active Directory on DC01”

I am getting a "critical" status for application "Active Directory" which was cause for concern, and now of course I have a big fat red ball on my dashboards.

We have quite literally over 4,000 event ID 4648 in the hour since I enabled the discovered scan nodes. Randomly selecting some of the events, they are very ordinary and typical user logins. So this does not feel like a valid alert for our organization. I do not see a way to disable this alert, but keep monitoring Active Directory for other symptoms. I am a newbie. Any help appreciated.

Hi George,

There's an existing feature request to exclude events matching a certain event ID.

I'd appreciate it if you'd like to upvote that particular feature request.

From past experience with hacking up the AppInsight templates, the reason they don't allow people to disable individual components is usually because under the covers they are all tangled up in a web of scripted queries and such that causes issues where disabling one component inadvertently cripples a handful of other components that you didn't intend to disable (if you feel brave, the disable flag exists in the database for EVERY component, but I don't suggest testing it out in prod, it can get nasty).

Not to say that I don't think they couldn't at least just address this on the front end and give the end user the option to "disable" a component and just have it not show up in the GUI or be able to trigger any kinds of alerts and such. 

To your question about how they determine the thresholds, I have long taken issue with the OOTB thresholds in lots of the templates so I feel your pain there. What I will suggest is you might hit up ccousineau and serena to give them your feedback on those since last I heard they are still actively working on the next iteration of that template. I pray you can impress upon them the importance of realistic thresholds in the template.

SAM users - we need your help!

- Marc Netterfield, Github

Hmmm, I wonder what ccousineau and serena would say to a sort of customer advisory board that could suggest realistic OOB thresholds and also offer input on what metrics to include in OOB templates? (The thought of a voting, forum, or wiki-styled input forum also crossed my mind, but that could get messy and off-topic too quickly, I fear.)

sturdyerde wrote:

Hmmm, I wonder what ccousineau and serena would say to a sort of customer advisory board that could suggest realistic OOB thresholds and also offer input on what metrics to include in OOB templates? (The thought of a voting, forum, or wiki-styled input forum also crossed my mind, but that could get messy and off-topic too quickly, I fear.)

+1 I want your feedback. Now, the question for me is - what's a scalable way to get this input? Polls? Forums? How would you like to get this data to me that wouldn't be a burden?


serena wrote:

+1 I want your feedback. Now, the question for me is - what's a scalable way to get this input? Polls? Forums? How would you like to get this data to me that wouldn't be a burden?

Yes, that type of input could definitely become a burden if not designed in a way to carefully receive and collate the input.

Commenting in a thread would be a nightmare, unless...possibly...the list of participants was short enough to keep the conversation reasonable. Read: "too many cooks spoil the broth."

Some form of a voting system could work, if the metrics are pre-populated. Again, potentially messy unless the voting first focuses on which metrics to track...THEN on what threshold to set for each accepted metric.

Regardless of format, the product will be worthwhile as long as SW engineers remain so open to receiving feedback and suggestions for things like this.

Partially answered this, with regards to using global catalog port 3269: apparently global catalog queries do not return the exact same set of data that LDAP queries over 636 do. When testing 3269 w/SSL in my environment, authentication succeeded, but the application quickly alerted as down because it lacked information about the FSMO roles:

The application Active Directory on dc01 (nnn.nnn.nnn.nnn) is now Down.

Alerting Application Components:
FSMO Role - Schema Master(Down)
FSMO Role - Domain Naming Master(Down)
FSMO Role - RID Master(Down)
FSMO Role - Infrastructure Master(Down)
FSMO Role - PDC Emulator(Down)
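The product manager's answer above notes that TLS on the domain controllers is something the customer has to set up, and the post just above shows that 3269 and 636 are not interchangeable for this template. As an added example (not code from this thread or from SolarWinds), this PowerShell function confirms that each DC actually completes a TLS handshake with a chain-validated, unexpired certificate on a given port before the template is switched from 389, so a "down" after the change can be separated from a DC that never had LDAPS working. The DC names are placeholders.

```powershell
# Added example: verify a DC presents a trusted TLS certificate on 636 (LDAPS) and 3269 (GC over TLS)
# before pointing the AppInsight template at those ports. DC names below are placeholders.
function Test-LdapsEndpoint {
    param([string]$Server, [int]$Port = 636, [int]$TimeoutMs = 5000)
    $r = [ordered]@{ Server = $Server; Port = $Port; TcpOpen = $false; TlsOk = $false
                     Subject = $null; NotAfter = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out" }
        $client.EndConnect($async)
        $r.TcpOpen = $true
        # SslStream validates the chain against the local trust store by default, so a
        # self-signed, untrusted or expired DC certificate fails here, just as a poller would.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.TlsOk    = $ssl.IsAuthenticated -and $ssl.IsEncrypted
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$r
}

$dcs = @('dc01.corp.example', 'dc02.corp.example')   # placeholder DC names
$report = foreach ($dc in $dcs) {
    foreach ($port in 636, 3269) { Test-LdapsEndpoint -Server $dc -Port $port }
}
$report | Format-Table -AutoSize
```

A row with TcpOpen true but TlsOk false and a chain error means the DC is listening but the poller's host does not trust the certificate, which is the case the product manager describes where a fresh install would get no data.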