4 Replies Latest reply on Aug 26, 2016 6:27 PM by itco

    LEM getting alerts from some DCs but not others?

    itco

      I've been setting up alerts for changes made in the Domain Admin group and everything is going well - I have rules to send emails immediately, filters to view in the Monitor section real-time, and nDepth sending daily reports about it. What I noticed is that it's only picking up changes made on either the primary Domain Controller, or just 1 of our secondary DCs. The rules are not picking up changes made on the other secondary DCs we have.

       

      The LEM agents are installed on all DCs and they all seem to have the same Connectors applied. I did inherit this setup so I did not install the agents or set this up myself, but going through guides and THWACK I'm not able to figure this out.

        • Re: LEM getting alerts from some DCs but not others?
          jhynds

          Hey Itco...

           

          It sounds like the secondary DCs do not have the audit policies in place to create event logs for changes.

           

          Please see this KB for information on configuring the Audit Policy:

           

          To set Windows Audit Policy using Group Policy Object Editor:

          1. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies and select Audit Policy in the left pane.
          2. Select the policy you want to define in the right pane and click Properties on the Action menu.
          3. Select or clear Success and Failure according to the instructions below.

          Default Domain Controllers Policy

          Select Success and Failure for all policies except:

          • Audit object access
          • Audit privilege use

          For these, only select Failure.

          Default Domain Policy

          Default Domain Policy applies to all computers on your domain except your domain controllers. For this policy, select Success and Failure for the following:

          • Audit account logon events
          • Audit account management
          • Audit logon events
          • Audit policy change
          • Audit system events
            • Re: LEM getting alerts from some DCs but not others?
              itco

              Thanks for the response. The Windows Audit Policy is already set up using our GPO and I verified all the secondary DCs have the correct Audit Policy applied below. Now that I think about it, it could be our firewall.

               

               

              Policy                           Setting
              Audit account logon events       Success
              Audit account management         Success, Failure
              Audit directory service access   Failure
              Audit logon events               Success, Failure
              Audit object access              Failure
              Audit policy change              Success, Failure
              Audit privilege use              No auditing
              Audit process tracking           Success, Failure
              Audit system events              Success, Failure
            • Re: LEM getting alerts from some DCs but not others?
              nicole pauls

              Did you also double check the event log rotation policy? If the logs are full and it's not set to "overwrite as needed", you might not see new events - Set Log Retention Policy. What you want is most likely 'overwrite as needed' with a larger log file size, especially for DCs.

              1 of 1 people found this helpful
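Added example (not code from any poster in this thread): a read-only check of the Security log retention settings on every domain controller, so a full log with "Do not overwrite" can be spotted before chasing GPO problems. It assumes the RSAT ActiveDirectory module on the admin workstation and remote access to the DCs; `LogMode` of `Circular` is what Event Viewer shows as "Overwrite events as needed".

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module and
# remote event log access to each DC.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    try {
        # Get-WinEvent -ListLog returns the log configuration plus live state
        # (FileSize, IsLogFull) for the Security log on the remote DC.
        $log = Get-WinEvent -ListLog Security -ComputerName $dc -ErrorAction Stop
        [pscustomobject]@{
            DC        = $dc
            LogMode   = $log.LogMode            # Circular = overwrite as needed
            MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
            UsedMB    = [math]::Round($log.FileSize / 1MB)
            IsLogFull = $log.IsLogFull
            Records   = $log.RecordCount
        }
    } catch {
        [pscustomobject]@{ DC = $dc; LogMode = "ERROR: $($_.Exception.Message)" }
    }
}

$report | Format-Table -AutoSize

# Flag DCs that will silently stop logging: not circular, or already full.
$report | Where-Object { $_.LogMode -ne 'Circular' -or $_.IsLogFull } | ForEach-Object {
    Write-Warning "$($_.DC): Security log mode '$($_.LogMode)', full=$($_.IsLogFull); new events may be dropped"
}

# Remediation (commented out; changes config): overwrite as needed, 1 GB max size.
# Invoke-Command -ComputerName $dc -ScriptBlock { wevtutil sl Security /rt:false /ms:1073741824 }
```

The size chosen in the commented remediation line is an assumption for illustration; pick a value that covers your retention needs between agent collections.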
                • Re: LEM getting alerts from some DCs but not others?
                  itco

                  Thanks! This led me to check the Event Viewer and I was noticing Security Group Management was not showing up when changes were made, and found out the GPO was not being applied correctly.

                   

                  I had to manually update the Local Policies individually and then they started working under Local Policy > Advanced Audit Policies > Account Management > Security Group Management: Success
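Added example (not code from any poster in this thread), covering both the audit-policy advice earlier in the thread and the final finding that the Security Group Management subcategory was the missing piece: it reads the effective audit setting with auditpol on every DC and counts the group-membership change events (4728/4729, 4732/4733, 4756/4757 for global, local and universal security groups) each DC has actually logged, which is what LEM needs to see. It assumes the RSAT ActiveDirectory module, WinRM access and local admin rights on the DCs; the seven-day lookback is an arbitrary choice.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module,
# WinRM (Invoke-Command) and admin rights on each DC.
Import-Module ActiveDirectory

# Security event IDs for member added/removed in security-enabled
# global (4728/4729), local (4732/4733) and universal (4756/4757) groups.
$groupChangeIds = 4728, 4729, 4732, 4733, 4756, 4757
$lookback = (Get-Date).AddDays(-7)   # arbitrary window for the event count

$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    # auditpol reports the *effective* policy, which is what matters when a GPO
    # is not applying and local settings win.
    $auditRow = Invoke-Command -ComputerName $dc -ScriptBlock {
        auditpol /get /subcategory:"Security Group Management" /r | ConvertFrom-Csv
    }
    $setting = $auditRow.'Inclusion Setting'   # "Success", "Success and Failure", "No Auditing", ...

    # Count the group-change events this DC has written recently.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = $groupChangeIds
        StartTime = $lookback
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC            = $dc
        AuditSetting  = $setting
        AuditsSuccess = ($setting -like '*Success*')
        GroupEvents7d = @($events).Count
    }
}

$report | Format-Table -AutoSize

# A DC without Success auditing here will never produce the events the LEM
# rules key on, no matter how the connectors are configured.
$report | Where-Object { -not $_.AuditsSuccess } | ForEach-Object {
    Write-Warning "$($_.DC): Security Group Management success auditing is off"
}
```

Run it before and after pushing the audit GPO (or `gpupdate /force` on the DCs); a DC whose setting flips to Success but whose event count stays at zero after a test change points back at log retention or agent collection rather than audit policy.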