Sumo Logic

Collect Active Directory Log Files

Before you can install the Active Directory App, you must configure Active Directory log collection.

Windows Active Directory (AD) is a directory service developed by Microsoft that stores information about various objects on a network.

The Sumo Application for Active Directory analyzes, then graphically displays this information to users and network administrators, including information about domain controllers, forest, site, users, groups, computers and organizational units. Sumo Logic allows you to augment or couple regular Windows Events with this data to get more contextual insights from the logs. For example, by augmenting the events based on the domain name, you can build searches specific to a particular AD site or track activities to users under a specific Organizational Unit.

Log types

Active Directory diagnostic log files are described in more detail on Microsoft TechNet.

Prerequisites

To begin collecting Active Directory logs, first:

  • Verify the Active Directory module
  • Download Sumo Logic scripts

Verify Active Directory module

Before proceeding, verify that the Active Directory module for Windows PowerShell is available. The module ships with Remote Server Administration Tools (RSAT) and is supported on Windows 7 and on Windows Server 2008 R2 and later. You'll find more information at Microsoft TechNet.

To verify that Active Directory Module is available

  1. Choose Start > Administrative Tools.
  2. Look for Active Directory Module for Windows PowerShell.
  3. If the module isn't installed, install RSAT as described on Microsoft TechNet.

Deploy Sumo scripts

In order to collect files, download the following scripts: domainCollector.ps1 and adObjectCollector.ps1.

These scripts should be deployed on a machine that is part of the domain where the log files exist. The collector runs them on a schedule under its own service account, so restrict write access to the script folder to administrators; anyone who can modify the scripts otherwise gets code execution as that account. After deploying the scripts, you'll need to configure a script source on Sumo Logic for domainCollector.ps1 and another script source for adObjectCollector.ps1.

To deploy the scripts

  1. Download the scripts to a folder, for example C:\PSScripts.
  2. Edit the scripts so that SCRIPTPATH matches the path to the folder.

Testing the scripts is optional, but recommended.

To manually test the scripts

  1. Open a command line interface.
  2. Run domainCollector and adObjectCollector, using the path where the scripts were installed.

powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\domainCollector.ps1 

powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\adObjectCollector.ps1

If the setup was successful, Active Directory domain and object information is collected and the scripts print the results to the screen, in the format shown under Sample Log Messages below.
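The following PowerShell is an added example, not Sumo Logic's domainCollector.ps1 or adObjectCollector.ps1 (which are not reproduced on this page). It shows what a manual test of this setup should look like end to end: it verifies that the ActiveDirectory module loads, with install hints for the RSAT feature if it does not, then emits one DomainController record per domain controller and one UserMembership record per object, using the field names of the sample messages shown later on this page. The Format-Record helper, the $SearchBase parameter and the key=="value" framing are choices made for this example; it must run on a domain-joined machine with RSAT installed.

```powershell
# Added example, not Sumo Logic's domainCollector.ps1 / adObjectCollector.ps1.
# Verifies the ActiveDirectory module, then prints DomainController and
# UserMembership records in the key=="value" layout of the page's sample messages.
# Assumptions: domain-joined host with RSAT; Format-Record and $SearchBase are
# names chosen for this example.

param(
    # Root of the object enumeration; defaults to the domain's own DN.
    [string]$SearchBase
)

# --- 1. Module check: fail with an install hint instead of a cryptic error later.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Write-Error ('ActiveDirectory module not found. Install RSAT, e.g. ' +
        'Install-WindowsFeature RSAT-AD-PowerShell (Windows Server) or ' +
        'Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 (Windows 10/11).')
    exit 1
}
Import-Module ActiveDirectory -ErrorAction Stop

# Builds one output line: <Type> key=="value" key=="value" ...
# Embedded double quotes are escaped so a value cannot break the framing.
function Format-Record {
    param([string]$Type, [System.Collections.IDictionary]$Fields)
    $parts = foreach ($k in $Fields.Keys) {
        $v = ([string]$Fields[$k]) -replace '"', '\"'
        '{0}=="{1}"' -f $k, $v
    }
    "$Type $($parts -join ' ')"
}

# --- 2a. One DomainController record per DC, like the first sample message.
$domain = Get-ADDomain
if (-not $SearchBase) { $SearchBase = $domain.DistinguishedName }

foreach ($dc in Get-ADDomainController -Filter *) {
    Format-Record 'DomainController' ([ordered]@{
        DName              = $domain.DistinguishedName
        DomainName         = $domain.DNSRoot
        Forest             = $domain.Forest
        NetBIOSName        = $domain.NetBIOSName
        ControllerHostName = $dc.HostName
        IP                 = $dc.IPv4Address
        Site               = $dc.Site
    })
}

# --- 2b. One UserMembership record per object under the search base, like the
# second sample. Only default attributes are requested, which keeps the LDAP
# query cheap even on large domains.
Get-ADObject -Filter * -SearchBase $SearchBase | ForEach-Object {
    # Parent = the DN with its first RDN removed (split on the first unescaped comma).
    $parent = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
    Format-Record 'UserMembership' ([ordered]@{
        SearchBase        = $SearchBase
        DistinguishedName = $_.DistinguishedName
        Name              = $_.Name
        ObjectGUID        = $_.ObjectGUID
        Parent            = $parent
    })
}
```

Run it the same way the page's scripts are run (powershell.exe -ExecutionPolicy Bypass -InputFormat None -File <path>). Note that -ExecutionPolicy Bypass only disables script-signing checks for that one process; the controls that actually matter here are the ACL on the script folder and the account the collector service runs as, since whatever is in that folder executes on every schedule tick.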

Configure a collector

Configure an Installed Collector.

Make sure the collector is installed on a machine that belongs to the domain managed by Active Directory. You can install a single collector and use a remote source, but Sumo Logic recommends installing a collector on each of your domain controllers for performance.

Configure event log sources

If you have installed collectors on each domain controller, as recommended, configure a Local Windows Event Log Source on each one. Otherwise, configure a Remote Windows Event Log Source to collect events from each Active Directory server. For these Windows Event sources, set the source category to OS/Windows (or to one that shares a prefix with the script source categories you choose below, such as DC/Windows/Event, if you want a single wildcard query to cover both). Note that the Directory Service Changes events the app's queries rely on are only written to the Security log when that audit subcategory is enabled on the domain controllers, which it is not by default, and only for objects whose SACL requests auditing.

Configure script sources

Perform the configuration described below twice, to set up one script source for adObjectCollector.ps1 and one for domainCollector.ps1.

  1. In Sumo Logic, select Manage Data > Collection > Collection.
  2. Find the name of the installed collector to which you'd like to add a Source. Click Add... then choose Add Source from the pop-up menu.
  3. Select Script for the Source type.
  4. Name. Enter DomainCollector or ADObjects, depending on which script you are configuring. Description is optional.
  5. Source Host (optional). Enter the hostname or the IP address of the machine. The hostname is stored in a searchable field called _sourceHost. The hostname can be a maximum of 128 characters.
  6. Source Category. Enter a Source Category following the Best Practices that allows you to include both the logs from these scripts and the logs from your Windows Event logs from the Domain Controller(s). For example, DC/Windows/adObjects, DC/Windows/domainCollector, and DC/Windows/Event. This will allow you to specify a query like _sourceCategory=DC/Windows/* to bring in all AD-related logs.
  7. Frequency. Select a short time for testing (for example, every 5 minutes), then change it to a longer interval once you confirm it's working.
  8. If you'd like to set a timeout for your script, select Specify a timeout for your command. If you don't need a timeout, or if you're running a script once daily, we recommend that you leave this option deselected.
  9. Command. Select PowerShell Script.
  10. Script. Do one of the following:
    • If the script is saved to a file location and you have no restrictions on running scripts, choose Type a path to the script to execute and enter the path to the script, for example c:\PSScripts\adObjectCollector.ps1 or c:\PSScripts\domainCollector.ps1, depending on which script source you are configuring.
    • If you have restrictions on running scripts, select Type the script to execute and enter the command you ran during testing. The command is specific to the script you're configuring:

      powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\adObjectCollector.ps1

      powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\domainCollector.ps1

  11. Working Directory. Enter the path where your scripts are located (c:\PSScripts\ in this example).
  12. Click the icon next to Processing Rules to expand the dialog.
  13. Click Add Rule.
  14. Name. Enter a name for the processing rule (for example, domainCollector).
  15. Filter. Enter the following filters, so that lines echoing the command (any line containing the script name) are not ingested as log messages:
    .*domainCollector.ps1.*
    .*adObjectCollector.ps1.*
  16. Type. Select Exclude messages that match.
  17. Click Save to create the source.

Sample Log Messages

Domain Controller

DomainController DName=="DC=local" DomainName=="local" Forest=="local" NetBIOSName=="LOCAL" ControllerHostName=="HOST1DC01.local" IP=="102.240.30.12" Site=="DC1"

AD Domain

UserMembership SearchBase=="DC=local" DistinguishedName=="NN=Service My-Service,OU=DC=local" Name=="My-Service" ObjectGUID=="c1234249-6401-40e7-18a8-289fbb2faf26" Parent=="DC=local"

Windows Event

instance of Win32_NTLogEvent
{
    Computer = "HOSTDC01";
    EventCode = 4634;
    EventIdentifier = 4634;
    Logfile = "Security";
    RecordNumber = 184879601;
    SourceName = "Microsoft-Windows-Security-Auditing";
    TimeGenerated = "20170213222816.000000-000";
    TimeWritten = "20170213222816.000000-000";
    Type = "Audit Success";
    EventType = 4;
    Category = 12545;
    CategoryString = "Logoff";
    Message = "An account was logged off.

Subject:
    Security ID:        HOST1DC01$ (S-1-5-21-3123024953-243645673-3382258605-1103)
    Account Name:        HOST1DC01$
    Account Domain:        Local
    Logon ID:        0x6C367A5

Logon Type:            3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.";
    InsertionStrings = {"S-1-5-21-3123024953-2436456723-3382258605-1103", "HOST1DC01$", "HOSTING", "0x6c488a5", "3"};
};

Query Sample

Directory Service Object Changes (from Active Directory App). Replace _sourceCategory=delete_test with the Source Category you assigned to your Windows Event sources.

_sourceCategory=delete_test _sourceName=Security "Directory Service Changes" 
| parse "EventCode = *;" as event_id nodrop | parse "Computer = \"*\";" as host nodrop | parse "ComputerName = \"*\";" as host nodrop | parse regex "Message = \"(?<msg_summary>[^\r]+?)\r" nodrop | parse "CategoryString = \"*\";" as CategoryString nodrop | parse regex "Subcategory:\s+(?<subcategory>[^\r]+?)\r" nodrop
| parse regex "Logfile = \"Security\";[\s\S]+?Account Name:\s+(?<src_user>[^\r]+?)\r[\s\S]+?Account Domain:\s+(?<src_domain>[^\r]+?)\r" nodrop 
| parse regex "Logfile = \"Security\";[\s\S]+?Account Name:\s+(?<src_user>[^\r]+?)\r[\s\S]+?Account Domain:\s+(?<src_domain>[^\r]+?)\r[\s\S]+?Account Name:\s+(?<dest_user>[^\r]+?)\r[\s\S]+?Account Domain:\s+(?<dest_domain>[^\r]+?)(?:\r|\";)" nodrop
| parse regex "Directory Service:[\s\S]+?Name:\s+(?<directory_ServiceName>[^\r]+?)\r" nodrop | parse regex "Directory Service:[\s\S]+?Type:\s+(?<directory_ServiceType>[^\r]+?)\r" nodrop | parse "Object:\r\n\tDN:\t*\r\n\tGUID" as dest_ou nodrop
| fields msg_summary, categoryString, subcategory, event_id, src_user, src_domain, dest_user, dest_domain, host
| where categoryString="Directory Service Changes" or subcategory="Directory Service Changes"
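As an added example (not from the Sumo Logic page or app), the field extraction the query above performs can be reproduced locally, so the regular expressions can be checked against a captured event before they go into a search. ConvertFrom-NtLogEvent is a name chosen here; the event text is a constructed Win32_NTLogEvent record modelled on the sample earlier on this page. The second call shows the dependency the query's `[^\r]+?\r` patterns have on CRLF line endings: on LF-only text they match nothing, and because the query marks them nodrop the affected fields are silently empty rather than an error.

```powershell
# Added example, not part of the Sumo Logic page or app: reproduce the query's
# field extraction locally so the regexes can be checked against a captured event.
# ConvertFrom-NtLogEvent is a name chosen here. The event text is a constructed
# Win32_NTLogEvent record modelled on the page's sample.

function ConvertFrom-NtLogEvent {
    param([string]$Text)
    $out = [ordered]@{}
    # Header fields: same anchors as the query's parse statements.
    if ($Text -match 'EventCode = (\d+);')            { $out.event_id    = [int]$Matches[1] }
    if ($Text -match 'Computer = "([^"]*)";')          { $out.host        = $Matches[1] }
    if ($Text -match 'CategoryString = "([^"]*)";')    { $out.category    = $Matches[1] }
    # First line of the Message, up to the first CR (the query's msg_summary).
    if ($Text -match 'Message = "([^\r]+?)\r')         { $out.msg_summary = $Matches[1] }
    # Subject block: first Account Name / Account Domain pair after the Logfile line,
    # exactly as the query's src_user / src_domain regex does ((?s) plays the role of [\s\S]).
    if ($Text -match '(?s)Logfile = "Security";.+?Account Name:\s+([^\r]+?)\r.+?Account Domain:\s+([^\r]+?)\r') {
        $out.src_user   = $Matches[1]
        $out.src_domain = $Matches[2]
    }
    if ($Text -match 'Logon Type:\s+(\d+)')            { $out.logon_type  = [int]$Matches[1] }
    [pscustomobject]$out
}

# Constructed sample (single-quoted here-string, so $ and " are literal).
$sample = @'
instance of Win32_NTLogEvent
{
    Computer = "HOSTDC01";
    EventCode = 4634;
    Logfile = "Security";
    CategoryString = "Logoff";
    Message = "An account was logged off.

Subject:
    Security ID:        HOST1DC01$ (S-1-5-21-3123024953-243645673-3382258605-1103)
    Account Name:        HOST1DC01$
    Account Domain:        Local
    Logon ID:        0x6C367A5

Logon Type:            3

This event is generated when a logon session is destroyed.";
};
'@
# Windows event text carries CRLF line endings; normalise in case this file was saved with LF.
$sample = $sample -replace "`r?`n", "`r`n"

ConvertFrom-NtLogEvent $sample | Format-List

# Edge case: the \r-anchored patterns find nothing in LF-only text, and because the
# query marks them nodrop the fields are silently empty rather than an error.
$lfOnly = ConvertFrom-NtLogEvent ($sample -replace "`r`n", "`n")
if (-not $lfOnly.src_user) {
    Write-Warning 'Subject fields not extracted from LF-only text: these patterns require CRLF.'
}
```

Header fields (event_id, host, category) survive either line ending because their anchors end in `;`, while msg_summary, src_user and src_domain do not; if a search returns events with those fields empty, check how the message text reached Sumo Logic before suspecting the regex.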