Verify Windows Event Forwarding - ATA 1.9

  • Question

  • Hello,

    We have a fresh ATA 1.9 installation. I also configured Event Forwarding from all DCs to one of the Gateways. I see the events in the Forwarded Events log.

    I also found in the FAQ how to verify if this is working (https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-technical-faq#how-do-i-verify-windows-event-forwarding).

    But I think this is not working or the query is wrong for 1.9.

    When I start the MongoDB shell and enter show collections I don't see anything starting with "Ntlm".

    Can anyone please tell me what's wrong here? Thanks a lot for your help!

    brgds Andreas

    Sunday, April 22, 2018 10:13 PM

All replies

  • Any related errors in the Gateway's log or in the Center?
    Monday, April 23, 2018 7:52 AM
  • Nothing obviously - and to be honest, I really don't know what to look for.

    In the Microsoft.Tri.Gateway.txt Log on the Gateway where I forward the events to I found this:

      "WindowsEventLogReaderConfiguration": {
        "IsEnabled": true,
        "IsForwardedEventReaderEnabled": true,
        "IsLocalEventReaderEnabled": false,
        "UpdateWindowsEventLogReaderBookmarksConfiguration": {
          "Interval": "00:00:30",
          "IsEnabled": true
        }
      }

    This would mean that the ForwardedEventReader is enabled. Fine - but how do I know that ATA really reads them?

    When you open the link from my first post they posted a short script to query the database. But this returns nothing. Is this because the script is wrong, or is there no data?

    brgds Andreas

    Monday, April 23, 2018 8:47 AM
  • The script should have returned something.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs

    Look in ExceptionStatistics logs both in the GW & Center as mentioned in above article.

    Any errors there that seem to correlate with Events?

    Monday, April 23, 2018 8:23 PM
  • Sorry - no Error, nothing...

    In the meantime I copied MongoDB Compass to the Server and opened the database. In the SystemProfile Collection I see all my Servers. When I go to the Server which should collect the logs I have a "WindowsEventLogReaderLog" Array which I can expand and see Array 0 and "ForwardedEvents". All other Gateways don't have this entry.

    And I also don't see an "NtlmEvent_*" Collection in the database.

    So why the hell is this Gateway NOT reading the Forwarded Events Log?!? Does it Need any permissions on the log? I only found some information if log forwarding is not working. But this is working...

    brgds Andreas


    • Edited by Deas Monday, April 23, 2018 9:20 PM
    Monday, April 23, 2018 9:17 PM
  • It does need permissions to read the log but this should have been taken care of automatically during deployment time.

    Also, if there were not permissions I would expect some errors.

    I strongly advise to open a case with support on this one as we might need to collect much more information than we can over forum posts to troubleshoot this one.

    Tuesday, April 24, 2018 8:13 AM
  • I opened a case now - let's see what the outcome will be...

    brgds Andreas

    Tuesday, April 24, 2018 6:59 PM
  • OK, I just confirmed there was a code change in 1.9, which means you won't see the NtlmEvent_* collections in the DB any more. The best way to confirm is to see logical activities created from these events in the UI.

    We will update the docs.


    Sunday, May 6, 2018 8:08 PM
  • Thanks for the info!

    What are those "logical activities"? Please give some advice how to verify that this is working. What should we see if this is working? What do we need to do to see that it is working?

    brgds Andreas

    Tuesday, May 8, 2018 12:54 PM
  • You can read about it here:

    https://docs.microsoft.com/en-us/advanced-threat-analytics/entity-profiles

    If events are indicating authentications, you should be able to see them as activities.

    Tuesday, May 8, 2018 1:02 PM
  • OK - but this does say nothing about NTLM...

    When I look at my own profile and I see "Credentials validated from xxx using NTLM" - does this automatically mean that this was gathered by event forwarding?!? Or could this information also come from the mirror port?

    Sorry - the profile does not tell me if the information shown is from the mirror port or event forwarding...

    brgds Andreas

    Tuesday, May 8, 2018 2:10 PM
  • You have a point, I guess it's not that easy this way.

    Here is another way...

    Use perfmon.exe on the Center machine.

    Under the "Microsoft ATA Center" category, select the counter "EntityReceiver Event Activities/Sec"

    That will show you how many events per second the center is reading.

    Tuesday, May 8, 2018 8:03 PM
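The perfmon check above can be scripted, and paired with a check on the Gateway side so the two ends of the forwarding path can be compared. The following is an added example, not code from the thread or from Microsoft; it assumes the counter path '\Microsoft ATA Center\EntityReceiver Event Activities/Sec' (built from the category and counter name given in the reply), that the subscription writes to the ForwardedEvents log, and that the NTLM events of interest are Event ID 4776 (credential validation).

```powershell
# Added example (not from the thread): confirm the forwarding path end to end.
# Assumptions: counter path below is built from the category/counter names in
# the reply above; the WEF subscription targets the ForwardedEvents log;
# NTLM credential-validation events are Event ID 4776.

# 1) On the Gateway that receives the subscription: are the DCs actually
#    delivering 4776 events, and from which hosts?
$since = (Get-Date).AddMinutes(-15)
$fwd = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4776; StartTime = $since } `
       -ErrorAction SilentlyContinue
if (-not $fwd) {
    Write-Warning "No 4776 events in ForwardedEvents in the last 15 minutes - check the WEF subscription and the DC audit policy."
} else {
    # One row per forwarding DC, so a DC that stopped sending stands out.
    $fwd | Group-Object MachineName | Sort-Object Count -Descending |
        Format-Table Name, Count -AutoSize
}

# 2) On the Center: sample the counter from the reply for one minute.
#    A steady non-zero rate while (1) shows events arriving means the Center is
#    ingesting event-log data; a flat zero while (1) still shows events points
#    at the Gateway not reading the log. Note the counter aggregates events from
#    every Gateway, so disable other event readers when isolating one Gateway.
$counterPath = '\Microsoft ATA Center\EntityReceiver Event Activities/Sec'
$samples = Get-Counter -Counter $counterPath -SampleInterval 5 -MaxSamples 12
$rates   = $samples | ForEach-Object { $_.CounterSamples[0].CookedValue }
$stats   = $rates | Measure-Object -Average -Maximum
'{0}: avg {1:N2} events/sec over {2} samples (max {3:N2})' -f `
    $counterPath, $stats.Average, $rates.Count, $stats.Maximum
```

Run part (1) on the collecting Gateway and part (2) on the Center at the same time; comparing the two is what tells forwarding problems apart from ingestion problems.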
  • This looks better - I got a graph. If this really means that I receive NTLM events from eventlog forwarding I am happy! :)

    Thanks a lot for your help!

    brgds Andreas

    Wednesday, May 9, 2018 5:51 AM