Active Directory central logging, visualizing, alerting

    Question

  • Hi

    Has any of you set up central logging for Active Directory events? 

    I would like to get an overview of what's going on in the AD, draw nice graphs and give the Service Desk access so they can analyze why accounts get locked. 

    The way I would like to do it is to send Windows Security Events (based on filters, like event ID or type) to a central server. From there I would like to be able to define alerts (user account got locked, inform colleagues via mail about that, something like that). The central server should also provide web access where colleagues can search for certain events. And it should also be able to draw graphs (like logon count, wrong password count and so on).

    I did some research and found some solutions.

    Solarwinds http://www.solarwinds.com/free-tools/kiwi-free-syslog-server

    The problem with that is that it is pretty expensive and lacks graph functionality.

    Kibana (https://www.elastic.co/de/products/kibana)

    Looks like it is pretty complex to set up.

    I would like to hear your opinion about it. Have you done something like that before and can recommend something?

    Kind regards

    André 

    Tuesday, April 4, 2017 9:26 AM
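Added example, not from the original thread: a PowerShell script that does the three things the question asks for in one pass over the Security log, i.e. filters by event ID, mails colleagues about lockouts, and writes hourly logon / failed-logon / lockout counts that any charting tool can plot. It assumes it runs on the PDC emulator (4740 lockout events are logged there) or on a Windows Event Collector that holds forwarded domain-controller events; the SMTP host, mail addresses and CSV path are placeholders.

```powershell
# Added example (not from the thread). Run on the PDC emulator, where 4740
# lockouts are logged, or on a Windows Event Collector holding forwarded DC events.
# SMTP host, sender/recipient addresses and CSV path are assumptions.
[CmdletBinding()]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]   $Hours        = 24,
    [string]$SmtpServer   = 'smtp.example.internal',        # assumption
    [string]$MailFrom     = 'ad-audit@example.internal',    # assumption
    [string]$MailTo       = 'servicedesk@example.internal', # assumption
    [string]$CsvPath      = '.\ad-auth-hourly.csv'
)

# Security log IDs: 4740 account locked out, 4625 logon failure,
# 4771 Kerberos pre-authentication failed (code 0x18 = bad password),
# 4624 successful logon.
$events = Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740, 4625, 4771, 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Read fields from the event XML; the Message text is localised and changes between OS versions.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 4740 carries the calling computer name in TargetDomainName; logon events carry the client IP.
    $source = if ($e.Id -eq 4740) { $data['TargetDomainName'] } else { $data['IpAddress'] }
    # 4771 reports the Kerberos failure code in Status; 4625 reports the NTSTATUS in SubStatus
    # (0xC000006A = bad password, 0xC0000064 = unknown user name).
    $code   = if ($e.Id -eq 4771) { $data['Status'] } else { $data['SubStatus'] }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        User   = $data['TargetUserName']
        Source = $source
        Code   = $code
    }
}

# Hourly counts: this is the data behind "logon count" / "wrong password count" graphs.
$series = $rows |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    ForEach-Object {
        $g = $_.Group
        [pscustomobject]@{
            Hour     = $_.Name
            Logons   = @($g | Where-Object Id -eq 4624).Count
            Failed   = @($g | Where-Object { $_.Id -in 4625, 4771 }).Count
            Lockouts = @($g | Where-Object Id -eq 4740).Count
        }
    }
$series | Export-Csv -Path $CsvPath -NoTypeInformation

# Alert: one mail listing every lockout in the window, with the computer the bad passwords came from.
$lockouts = @($rows | Where-Object Id -eq 4740)
if ($lockouts.Count -gt 0) {
    $body = $lockouts |
        Sort-Object Time -Descending |
        Format-Table Time, User, @{ n = 'CallerComputer'; e = { $_.Source } } -AutoSize |
        Out-String
    # Send-MailMessage is marked obsolete in PowerShell 7 but is still available in Windows PowerShell 5.1.
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject "$($lockouts.Count) AD account lockout(s) in the last $Hours h" -Body $body
}

$series | Format-Table -AutoSize
```

Run hourly from a scheduled task, this gives the Service Desk a lockout mail naming the calling computer and a CSV of hourly counts to chart. Two caveats: on a domain controller a wrong domain password normally appears as 4771 (Kerberos) or 4776 (NTLM, error code 0xC000006A) rather than 4625, which is logged on the machine where the logon was attempted, so count those IDs if the graphs look empty; and Windows Event Forwarding (a collector subscription for IDs 4624, 4625, 4740, 4771, 4776) is the built-in, license-free way to get these events onto the central server before a product like Kibana or Splunk indexes them.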

Answers

  • We use Splunk. Great data and search functionality. We do not have any graphing functionality, but we set up alerts for when events occur (Lock, Creation, Group Modification). Expensive.

    We have tested ManageEngine AD Audit Plus. It is simple to use and set up. The information seems accurate from what I am seeing and the dashboard is easy to navigate.

    Tuesday, April 4, 2017 12:30 PM
  • This question is very general and can be addressed with a variety of answers. Since I do not rely on third-party applications for tasks that can be done with programming and PowerShell, I will present my opinion in a general way and avoid naming third-party applications, which I believe would only confuse you more.

    Surely you can start working on your own application, which can be implemented using C#, ASP or other methods, but the common key point among them is that they have to understand Active Directory and LDAP. Although I have to tell you, creating a solution to monitor everything in Active Directory is next to impossible, simply because you cannot easily set up a monitoring solution to cover DFS replication, AD replication and so on. These are complex concepts of Active Directory which need to be checked regularly, and heavy solutions like SCOM can really do the job perfectly.

    Talking about graphs, I should say that technically it is not possible to draw graphs based on event logs. If your goal is to be able to draw graphs, you definitely need a DB, because graphs need the current and previous state of an entity in order to be drawn. 

    What you want, I believe, is a dashboard which shows the number of users, locked-out users, users whose password never expires and so on. These live results do not depend on event logs, because you can simply query them and show them right away. If this is what you want, you are not far from reaching it if you know PowerShell and ASP. Otherwise I suggest you start learning them, and eventually you will be able to write whatever tool and dashboard you like.


    Mahdi Tehrani | www.mahditehrani.ir
    Make sure to download my free PowerShell scripts.

    Tuesday, April 4, 2017 1:40 PM
    Moderator
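Added example (not Mahdi's code and not from the original thread) of the live-state dashboard query he describes, using the ActiveDirectory RSAT module. It asks the PDC emulator because badPwdCount and the last bad-password time are per-DC attributes that are not replicated, and every bad password attempt is forwarded to the PDC emulator anyway; the JSON file name is an assumption.

```powershell
# Added example: live Active Directory account state, independent of the event logs.
# Requires the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

function Get-ADAccountSnapshot {
    param(
        # badPwdCount / LastBadPasswordAttempt are not replicated, so ask the PDC emulator,
        # which receives every bad password attempt from the other DCs.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    # Enabled users, with the attribute needed for the "password never expires" count.
    $enabled = @(Get-ADUser -Server $Server -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires)

    # Locked-out users plus the details the Service Desk asks for.
    $lockedOut = @(
        Search-ADAccount -Server $Server -LockedOut -UsersOnly |
            ForEach-Object {
                Get-ADUser -Server $Server -Identity $_.DistinguishedName `
                    -Properties AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt
            } |
            Select-Object SamAccountName, AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt
    )

    [pscustomobject]@{
        Timestamp            = Get-Date
        Server               = $Server
        EnabledUsers         = $enabled.Count
        PasswordNeverExpires = @($enabled | Where-Object PasswordNeverExpires).Count
        LockedOutUsers       = $lockedOut.Count
        LockedOut            = $lockedOut
    }
}

# One JSON document per run; a small ASP.NET page (or any dashboard) can read the
# newest file for the current numbers and the series of files for trends over time.
$snapshot = Get-ADAccountSnapshot
$snapshot | ConvertTo-Json -Depth 3 |
    Set-Content -Path ".\ad-snapshot-$(Get-Date -Format 'yyyyMMdd-HHmm').json"   # assumed path
$snapshot | Format-List Timestamp, Server, EnabledUsers, PasswordNeverExpires, LockedOutUsers
```

Keeping one snapshot file per run is the cheapest form of the "DB" Mahdi mentions: the current state comes from the directory, and the history needed for a trend line comes from the stored snapshots.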
