2 Replies Latest reply on Jun 24, 2014 7:44 AM by curtisi

    LEM unable to see Security alert on Active Directory

    munwai

      Hi All,

       

      I was doing testing on LEM where I was trying to obtain events from the AD server, such as simple login/logoff of a domain user.

      After deploying the agent onto the AD server, performing some logins/logoffs and looking at LEM nDepth, I do not see any results for users performing login/logoff at all.

      However, when I try another log management product, it is capable of retrieving that info from my AD server, but LEM is not.

      Has anyone had such an issue before?

      Thx

        • Re: LEM unable to see Security alert on Active Directory
          HolyGuacamole

          If you go to the MANAGE > Nodes view of the web console, what is the status of the AD node? If your status is 'green', double click on the node and it should show you the list of enabled connectors. Security log should be one of the connectors that is enabled by default.

          Also, can you check the license status of your LEM appliance (go to the MANAGE > Appliances view in the web console)?

          • Re: LEM unable to see Security alert on Active Directory
            curtisi

            Based on our Template Connector Profile for Windows Server 2008/2012 with the DC role, I'd suggest you set up these connectors at a minimum for your DCs:

            [Screenshot: SolarWinds Log and Event Manager Console, connector list for the DC connector profile]

            The other part of this is going to be, what are you auditing?

            On your Domain Controllers, open a command prompt (and assuming you're on 2K8 or 2K12) enter this command:

            auditpol /get /category:*

            If it returns a lot of "No Auditing" then your policy isn't set to generate events for a lot of things. At the least, you probably want to look at:

            auditpol /get /category:"Account Logon"

            auditpol /get /category:"DS Access"

            auditpol /get /category:"Logon/Logoff"

            to see if you're even capturing the events you want to see in the LEM.
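As an added example (not part of curtisi's reply or of the LEM product), a PowerShell script that runs the same three auditpol checks on a domain controller and flags every subcategory still set to "No Auditing", i.e. one that will never produce the Security log events LEM is waiting for. It relies on auditpol's /r switch, which prints the result as a CSV report; the category list and function name are assumptions based on the reply above.

```powershell
# Added example, not from the thread: report which audit subcategories in the
# categories curtisi names are still "No Auditing". Run from an elevated prompt
# on the DC. The category list mirrors the three auditpol commands in the reply.
$Categories = @('Account Logon', 'DS Access', 'Logon/Logoff')

function Get-DcAuditCoverage {
    param([string[]] $CategoryNames)
    foreach ($cat in $CategoryNames) {
        # "/r" makes auditpol emit CSV with the columns: Machine Name, Policy Target,
        # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
        # The first output line can be blank, so keep only lines that look like CSV.
        $rows = auditpol /get /category:"$cat" /r |
            Where-Object { $_ -match ',' } |
            ConvertFrom-Csv
        foreach ($row in $rows) {
            [pscustomobject]@{
                Category         = $cat
                Subcategory      = $row.Subcategory
                InclusionSetting = $row.'Inclusion Setting'
                # "Success", "Failure" or "Success and Failure" all produce events;
                # "No Auditing" produces nothing for LEM to collect.
                Audited          = ($row.'Inclusion Setting' -ne 'No Auditing')
            }
        }
    }
}

$report  = Get-DcAuditCoverage -CategoryNames $Categories
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Audited })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} subcategory(ies) are set to 'No Auditing'; the DC writes no " +
                   "Security log events for them, so LEM has nothing to show.") -f $missing.Count
}
```

Subcategories reported as not audited have to be enabled through Group Policy (Advanced Audit Policy Configuration) before the Security log connector on the agent can pick them up.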