Event forwarding

  • Question

  • I have configured event forwarding from my DCs to the one DC that is currently running the lightweight gateway service.  I followed the instructions here https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/configure-event-collection.

    Event ID 4776 is being forwarded from the other DCs to the ForwardedEvents log however they do not appear in the DB when I run 

    Mongo ATA --eval "printjson(db.getCollectionNames())" | find /C "NtlmEvents"

    D:\ATA\Microsoft Advanced Threat Analytics\Center\MongoDB\bin>mongo ATA --eval "printjson(db.getCollectionNames())" | find /C "NtlmEvents"
    0

    D:\ATA\Microsoft Advanced Threat Analytics\Center\MongoDB\bin>

    Does this just take time or is something misconfigured?  The lightweight gateway was installed today.


    Wednesday, August 10, 2016 9:18 PM

Answers

  • I often use RoboMongo (GUI for MongoDB) to validate that everything works. First, I find the ID of the gateway I am interested in by running this query:

    db.getCollection('SystemProfile').find({_t: "GatewaySystemProfile"},{'NetbiosName':true})

    Then I filter received events by this specific GW (which is 572dc950393ec9156c6690fb in my case):

    db.getCollection('NtlmEvent_20160507075911').find({SourceGatewaySystemProfileId: ObjectId("572dc950393ec9156c6690fb")})

    But I agree that this is not a very comfortable way of checking whether the event collection really works. Moreover, it uses undocumented and version-specific access to the DB.

    • Marked as answer by Gagexx Tuesday, August 23, 2016 5:33 PM
    Tuesday, August 23, 2016 1:40 PM
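    The two-step check in this answer (look up gateway ids in SystemProfile, then filter NtlmEvent_* by SourceGatewaySystemProfileId) can be scripted so that every gateway is counted in one pass. The script below is an added example, not code from the thread or from Microsoft ATA. It uses the `_t`, `NetbiosName` and `SourceGatewaySystemProfileId` fields exactly as quoted above and matches collections on the prefix `NtlmEvent_`, because the names quoted in the thread (NtlmEvent_20160507075911, NtlmEvent_20160801165953) carry a timestamp suffix that changes between installations. The in-memory `sampleDb`, its gateway names, ids and event documents are constructed so the script runs offline under Node; in the mongo shell (`mongo ATA check-ntlm.js`) the shell's real `db` is used instead. A gateway that shows `events: 0` while its 4776 events are visible in ForwardedEvents is the situation the question describes.

```javascript
// Added example: count NTLM events per ATA gateway across every NtlmEvent_* collection.
// Written in plain ES5 so it runs both under Node (with the constructed sampleDb)
// and in the mongo shell, where the global `db` is picked up automatically.

// Collection names are date-suffixed (e.g. NtlmEvent_20160801165953), so match the prefix.
var NTLM_COLLECTION_PREFIX = /^NtlmEvent_/;

// Gateways as {id, name}, using the _t / NetbiosName fields quoted in the thread.
function listGateways(db) {
  var gateways = [];
  db.getCollection('SystemProfile')
    .find({ _t: 'GatewaySystemProfile' }, { NetbiosName: true })
    .forEach(function (doc) {
      gateways.push({ id: doc._id, name: doc.NetbiosName });
    });
  return gateways;
}

// All NtlmEvent_* collections currently present in the database.
function ntlmCollections(db) {
  return db.getCollectionNames().filter(function (name) {
    return NTLM_COLLECTION_PREFIX.test(name);
  });
}

// One row per gateway: total NTLM events attributed to it and how many
// NtlmEvent_* collections were scanned. events === 0 flags a gateway whose
// forwarded events never reach the database.
function summarizeNtlmEventsByGateway(db) {
  var cols = ntlmCollections(db);
  return listGateways(db).map(function (gw) {
    var total = 0;
    cols.forEach(function (name) {
      total += db.getCollection(name).find({ SourceGatewaySystemProfileId: gw.id }).count();
    });
    return { gateway: gw.name, events: total, collections: cols.length };
  }).sort(function (a, b) { return a.gateway < b.gateway ? -1 : 1; });
}

// Constructed in-memory stand-in for the shell's `db` (only the methods used above).
function makeSampleDb(collections) {
  function matches(doc, query) {
    return Object.keys(query).every(function (k) { return String(doc[k]) === String(query[k]); });
  }
  return {
    getCollectionNames: function () { return Object.keys(collections); },
    getCollection: function (name) {
      return {
        find: function (query) {
          var hits = (collections[name] || []).filter(function (d) { return matches(d, query || {}); });
          return {
            forEach: function (fn) { hits.forEach(fn); },
            count: function () { return hits.length; }
          };
        }
      };
    }
  };
}

// Constructed sample data: two gateways, only one of which has events stored.
var sampleDb = makeSampleDb({
  SystemProfile: [
    { _id: 'gw-id-dc01', _t: 'GatewaySystemProfile', NetbiosName: 'DC01' },   // constructed id
    { _id: 'gw-id-dc02', _t: 'GatewaySystemProfile', NetbiosName: 'DC02' },   // constructed id
    { _id: 'other-id',   _t: 'SomeOtherProfile',     NetbiosName: 'OTHER' }   // constructed, not an ATA type
  ],
  NtlmEvent_20160801165953: [
    { SourceGatewaySystemProfileId: 'gw-id-dc01', EventId: 4776 },
    { SourceGatewaySystemProfileId: 'gw-id-dc01', EventId: 4776 }
  ],
  NtlmEvent_20160823000000: [
    { SourceGatewaySystemProfileId: 'gw-id-dc01', EventId: 4776 }
  ]
});

// Use the mongo shell's `db` when present, otherwise the constructed sample.
var activeDb = typeof db !== 'undefined' ? db : sampleDb;
var out = typeof print === 'function' ? print : console.log;
summarizeNtlmEventsByGateway(activeDb).forEach(function (row) {
  out(row.gateway + ': ' + row.events + ' NTLM events across ' + row.collections + ' collection(s)');
});
```

    With the sample data the output is `DC01: 3 NTLM events across 2 collection(s)` and `DC02: 0 NTLM events across 2 collection(s)`; against a live Center it reports one line per gateway, and a zero for a gateway that is forwarding events points at the gateway-side collection setting rather than at the forwarding subscription.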

All replies


  • Have you enabled the "Windows Event Forwarding Collection" setting on that LGW through the ATA console?
    Monday, August 22, 2016 8:38 PM
  • Hello,

    This validation method is used for v1.5. Starting with ATA v1.6 this method is not relevant anymore.

    We are working to update our documentation with updated methods. Sorry for the inconvenience.

     Microsoft ATA Team.

    Tuesday, August 23, 2016 12:20 PM
  • db.getCollection('NtlmEvent_20160801165953').find({SourceGatewaySystemProfileId: ObjectId("57ab5f5b1acfba09cc7d0a25")})

    Gets me all kinds of results.  I think I am good to go, thanks!

    Tuesday, August 23, 2016 5:34 PM