Collect Logs for the Active Directory JSON App
Learn how to configure log collection for the Active Directory JSON App.
This page provides instructions on configuring log collection for the Active Directory JSON App so that logs are collected from the Microsoft Windows Event Log and ingested into Sumo Logic.
Configure a Collector and a Source
Sample Log Messages
{"TimeCreated":"2020-10-12T08:00:02+000001500Z","EventID":"5137", "Task":14081,"Correlation":"","Keywords":"Audit Success","Channel":"Security", "Opcode":"Info","Security":"","Provider":{"Guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}", "Name":"Microsoft-Windows-Security-Auditing"},"EventRecordID":5383143,"Execution":{"ThreadID":880,"ProcessID":776},"Version":0, "Computer":"EC2AMAZ-6D5CO5AB123.test.format","Level":"Information","EventData":{"DSType":"%%14676","SubjectUserSid":"S-1-5-21-916893464-2020-10-12T08:00:02-2020-10-12T08:00:02-500","OpCorrelationID": "{cdb02928-b7a6-4373-9b12-4e371f30c30d}","SubjectUserName":"Administrator","DSName":"test.format","AppCorrelationID":"-","ObjectGUID":"{56bf5011-b09d-43f5-bcd2-06a1d917c402}","ObjectDN":"CN=TomJerry,OU=Domain Controllers,DC=test,DC=format","SubjectLogonId":"0x73199","ObjectClass":"computer","SubjectDomainName":"TEST"},"Message":"A directory service object was created.\r\n\t\r\nSubject:\r\n\tSecurity ID:\t\tTEST\\Administrator\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tTEST\r\n\tLogon ID:\t\t0x73199\r\n\t\r\nDirectory Service:\r\n\tName:\ttest.format\r\n\tType:\tActive Directory Domain Services\r\n\t\r\nObject:\r\n\tDN:\tCN=TomJerry,OU=Domain Controllers,DC=test,DC=format\r\n\tGUID:\t{56bf5011-b09d-43f5-bcd2-06a1d917c402}\r\n\tClass:\tcomputer\r\n\t\r\nOperation:\r\n\tCorrelation ID:\t{cdb02928-b7a6-4373-9b12-4e371f30c30d}\r\n\tApplication Correlation ID:\t-"}
Query Sample
The sample query is from the Successes vs Failures panel of the Active Directory Service Failures dashboard. It parses EventID, Computer and Keywords from the JSON with nodrop, so events missing any of those fields are kept rather than discarded, and the if expression labels every event whose Keywords value is not exactly "Audit Failure" as a Success, including events that carry no Keywords field at all. The where host matches "*" clause is a placeholder for a host filter; narrow the pattern to the domain controllers you want to chart.
_sourceCategory=Labs/windows-jsonformat | json "EventID", "Computer", "Keywords" as event_id, host, keywords nodrop | if (keywords = "Audit Failure", "Failure", "Success") as status | where host matches "*" | timeslice 1h | count as EventCount by status, _timeslice | transpose row _timeslice column status
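The following Python script is an added example, not code from Sumo Logic or from this app; it re-implements the logic of the query above offline so you can see exactly what each stage does. It runs over a handful of constructed Windows Security events in the same JSON shape as the sample above (trimmed to the fields the query uses), including one event with no Keywords field to show how nodrop and the if expression treat it. The function and variable names (parse_event, status_of, successes_vs_failures, SAMPLE_LINES) are the example's own; the glob matching only honours "*", and an event with no Computer field is assumed to fail the host filter.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the page). Only the fields the query
# reads are present. The last event deliberately has no "Keywords" field.
SAMPLE_LINES = [
    '{"TimeCreated":"2020-10-12T08:00:02Z","EventID":"5137","Computer":"DC01.test.format","Keywords":"Audit Success","Channel":"Security"}',
    '{"TimeCreated":"2020-10-12T08:15:10Z","EventID":"4625","Computer":"DC01.test.format","Keywords":"Audit Failure","Channel":"Security"}',
    '{"TimeCreated":"2020-10-12T08:45:00Z","EventID":"4771","Computer":"DC02.test.format","Keywords":"Audit Failure","Channel":"Security"}',
    '{"TimeCreated":"2020-10-12T09:05:00Z","EventID":"4624","Computer":"DC02.test.format","Keywords":"Audit Success","Channel":"Security"}',
    '{"TimeCreated":"2020-10-12T08:30:00Z","EventID":"1102","Computer":"DC01.test.format","Channel":"Security"}',
]


def parse_event(line):
    """Mirror `json "EventID", "Computer", "Keywords" ... nodrop`:
    the event is kept even when a field is absent; that field becomes None."""
    raw = json.loads(line)
    # Python < 3.11 fromisoformat does not accept a trailing "Z".
    when = datetime.fromisoformat(raw["TimeCreated"].replace("Z", "+00:00"))
    return {
        "time": when,
        "event_id": raw.get("EventID"),
        "host": raw.get("Computer"),
        "keywords": raw.get("Keywords"),
    }


def status_of(keywords):
    """Mirror `if (keywords = "Audit Failure", "Failure", "Success")`:
    anything that is not exactly "Audit Failure", including a missing
    Keywords field (None), is counted as a Success."""
    return "Failure" if keywords == "Audit Failure" else "Success"


def host_matches(host, pattern):
    """Mirror `where host matches "<pattern>"` with "*" as the only wildcard.
    Assumption: an event with no Computer field does not match anything."""
    if host is None:
        return False
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, host) is not None


def timeslice_1h(when):
    """Mirror `timeslice 1h`: floor the timestamp to the hour."""
    return when.replace(minute=0, second=0, microsecond=0).isoformat()


def successes_vs_failures(lines, host_pattern="*"):
    """Mirror `count as EventCount by status, _timeslice | transpose row
    _timeslice column status`: return {timeslice: {"Success": n, "Failure": n}}."""
    table = defaultdict(lambda: {"Success": 0, "Failure": 0})
    for line in lines:
        ev = parse_event(line)
        if not host_matches(ev["host"], host_pattern):
            continue
        table[timeslice_1h(ev["time"])][status_of(ev["keywords"])] += 1
    return dict(table)


if __name__ == "__main__":
    for slot, counts in sorted(successes_vs_failures(SAMPLE_LINES).items()):
        print(slot, counts)
```

Running it with the default "*" host filter shows the 08:00 slice holding two Failures and two Successes, one of which is the event that has no Keywords field. If that surprises you, tighten the query with a second condition (for example requiring keywords to be "Audit Success") before trusting the Success column in the dashboard.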