Sumo Logic

Collect Active Directory Log Files

Before you can install the Active Directory App, you must configure Active Directory log collection.

Windows Active Directory (AD) is a directory service developed by Microsoft that stores information about various objects on a network.

The Sumo Logic Application for Active Directory analyzes, then graphically displays this information to users and network administrators, including information about domain controllers, forest, site, users, groups, computers and organizational units. Sumo Logic allows you to augment or couple regular Windows Events with this data to get more contextual insights from the logs. For example, by augmenting the events based on the domain name, you can build searches specific to a particular AD site or track activities to users under a specific Organizational Unit.

Log types

Active Directory diagnostic log files are described in more detail on Microsoft TechNet.

Prerequisites

To begin collecting Active Directory logs, first:

  • Verify the Active Directory module
  • Download Sumo Logic scripts

Verify Active Directory module

Before proceeding, verify that the Active Directory module for Windows PowerShell is available on the machine that will run the collector scripts. The module is supported on Windows 7 and on Windows Server 2008 R2 and later when the Remote Server Administration Tools (RSAT) are installed. You'll find more information at Microsoft TechNet.

To verify that Active Directory Module is available

  1. Choose Start > Administrative Tools.
  2. Look for Active Directory Module for Windows PowerShell.
  3. If the module isn't installed, install RSAT as described on Microsoft TechNet.

Deploy Sumo scripts

To collect the domain and object information, download the following two scripts: domainCollector.ps1 and adObjectCollector.ps1.

These scripts should be deployed on a machine that is part of the domain where the log files exist. After deploying the scripts, you'll need to configure a Script Source on Sumo Logic for domainCollector.ps1 and another Script Source for adObjectCollector.ps1.

To deploy the scripts

  1. Download the scripts to a folder, for example "C:\PSScripts"
  2. Edit the scripts so that SCRIPTPATH matches the path to the folder.

Testing the scripts is optional, but recommended.

To manually test the scripts

  1. Open a command line interface.
  2. Run domainCollector and adObjectCollector, using the path where the scripts were installed.
powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\domainCollector.ps1 
powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\adObjectCollector.ps1

If the setup was successful, both scripts print the collected Active Directory domain and object information to the screen. If either script fails, check that the Active Directory module is installed on this machine and that SCRIPTPATH points at the folder from step 2. Note that -ExecutionPolicy Bypass relaxes the execution policy for that one PowerShell process only; the execution policy is not a security boundary, so what actually protects this setup is restricting write access to the script folder, because the collector will run whatever those files contain on every scheduled interval.

Configure a collector

Configure an Installed Collector.

Make sure the collector is installed on a machine that belongs to the domain managed by Active Directory. You can install a single collector and use a remote source, but Sumo Logic recommends installing a collector on each of your domain controllers for performance.

Configure event log sources

If you have installed collectors on each domain controller, as recommended, configure a Local Windows Event Log Source on each one. Otherwise, configure a Remote Windows Event Log Source to collect events from each Active Directory server. For these Windows Event sources, set the source category to OS/Windows.

Configure script sources

Perform the configuration described below twice, to set up one script source for adObjectCollector.ps1 and one for domainCollector.ps1.

To run a PowerShell script from a Script Source, configure the Source's command to invoke powershell.exe with the script file, and add a processing rule so that the echoed command line itself is not ingested as log data.

  1. In Sumo Logic select Manage Data > Collection (Manage > Collection in the classic UI).
  2. Find the name of the installed Collector to which you'd like to add a Source. Click Add... then choose Add Source from the pop-up menu.
  3. Select Script for the Source type.
  4. Name. Enter DomainCollector or ADObjects, depending on which script you are configuring. Description is optional.
  5. For Source Host, enter the hostname or the IP address of the machine. The hostname is stored in a searchable field called _sourceHost. The hostname can be a maximum of 128 characters.
  6. For Source Category, enter any information you'd like to include in the metadata.
  7. For Frequency, select Every 15 Minutes.
  8. If you'd like to set a timeout for your script, select Specify a timeout for your command. If you don't need a timeout, or if you're running a script once daily, we recommend that you leave this option deselected.
  9. Command. Select Windows Script.
  10. Script. Select Type the script to execute, and enter the command below that corresponds to the script you are configuring.
powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\domainCollector.ps1
powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\adObjectCollector.ps1
  11. For Working Directory, enter the folder that holds the script named in Type the script to execute (c:\PSScripts\ in this example).
  12. Click the icon next to Processing Rules to expand the dialog.
  13. Click Add Rule.
  14. In the Name field, enter a name for the processing rule.
  15. In the Filter field, enter the filter that matches the script this Source runs, so that the echoed command line is excluded from the ingested data:
    .*domainCollector.ps1.*
    .*adObjectCollector.ps1.*
  16. In the Type field, select Exclude messages that match.
  17. Click Save.

Sample Log Messages

Domain Controller

DomainController DName=="DC=local" DomainName=="local" Forest=="local" NetBIOSName=="LOCAL" ControllerHostName=="HOST1DC01.local" IP=="102.240.30.12" Site=="DC1"

AD Domain

UserMembership SearchBase=="DC=local" DistinguishedName=="NN=Service My-Service,OU=DC=local" Name=="My-Service" ObjectGUID=="c1234249-6401-40e7-18a8-289fbb2faf26" Parent=="DC=local"

Windows Event

instance of Win32_NTLogEvent
{
    Computer = "HOSTDC01";
    EventCode = 4634;
    EventIdentifier = 4634;
    Logfile = "Security";
    RecordNumber = 184879601;
    SourceName = "Microsoft-Windows-Security-Auditing";
    TimeGenerated = "20170213222816.000000-000";
    TimeWritten = "20170213222816.000000-000";
    Type = "Audit Success";
    EventType = 4;
    Category = 12545;
    CategoryString = "Logoff";
    Message = "An account was logged off.

Subject:
    Security ID:        HOST1DC01$ (S-1-5-21-3123024953-243645673-3382258605-1103)
    Account Name:        HOST1DC01$
    Account Domain:        Local
    Logon ID:        0x6C367A5

Logon Type:            3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.";
    InsertionStrings = {"S-1-5-21-3123024953-2436456723-3382258605-1103", "HOST1DC01$", "HOSTING", "0x6c488a5", "3"};
};

Query Sample

Directory Service Object Changes (from Active Directory App). Replace _sourceCategory=delete_test with the Source Category you set on your Windows Event sources (OS/Windows above).

_sourceCategory=delete_test _sourceName=Security "Directory Service Changes" 
| parse "EventCode = *;" as event_id nodrop | parse "Computer = \"*\";" as host nodrop | parse "ComputerName = \"*\";" as host nodrop | parse regex "Message = \"(?<msg_summary>[^\r]+?)\r" nodrop | parse "CategoryString = \"*\";" as CategoryString nodrop | parse regex "Subcategory:\s+(?<subcategory>[^\r]+?)\r" nodrop
| parse regex "Logfile = \"Security\";[\s\S]+?Account Name:\s+(?<src_user>[^\r]+?)\r[\s\S]+?Account Domain:\s+(?<src_domain>[^\r]+?)\r" nodrop 
| parse regex "Logfile = \"Security\";[\s\S]+?Account Name:\s+(?<src_user>[^\r]+?)\r[\s\S]+?Account Domain:\s+(?<src_domain>[^\r]+?)\r[\s\S]+?Account Name:\s+(?<dest_user>[^\r]+?)\r[\s\S]+?Account Domain:\s+(?<dest_domain>[^\r]+?)(?:\r|\";)" nodrop
| parse regex "Directory Service:[\s\S]+?Name:\s+(?<directory_ServiceName>[^\r]+?)\r" nodrop | parse regex "Directory Service:[\s\S]+?Type:\s+(?<directory_ServiceType>[^\r]+?)\r" nodrop | parse "Object:\r\n\tDN:\t*\r\n\tGUID" as dest_ou nodrop
| fields msg_summary, categoryString, subcategory, event_id, src_user, src_domain, dest_user, dest_domain, host
| where categoryString="Directory Service Changes" or subcategory="Directory Service Changes"
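The query above does its work in the parse regexes. The following Python port is added here as an illustration; it is not part of the Sumo Logic app or of this page. It runs the same extraction over three constructed Win32_NTLogEvent records (a logoff, a user-account creation and a directory-service object modification; the hostname, SIDs, GUIDs and account names are made up, and the message bodies are abbreviated reconstructions rather than captures) and then applies the same where clause. It shows which fields each event yields and, in particular, that the dest_user/dest_domain pair stays unset on a 5136 event, whose message carries only a Subject account, while nodrop keeps the event anyway.

```python
import re


def wmi_record(computer, event_code, category, message_lines):
    """Render one Win32_NTLogEvent record the way a Windows Event Log Source
    forwards it. Windows event text uses CRLF line endings, which is why the
    page's parse regexes anchor on \\r."""
    message = "\r\n".join(message_lines)
    return (
        'instance of Win32_NTLogEvent\r\n{\r\n'
        f'    Computer = "{computer}";\r\n'
        f'    EventCode = {event_code};\r\n'
        '    Logfile = "Security";\r\n'
        f'    CategoryString = "{category}";\r\n'
        f'    Message = "{message}";\r\n'
        '};'
    )


# Constructed sample records (not captures): host, SIDs, GUID and account names
# are invented. 4634, 4720 and 5136 are real Security-log event IDs; the
# message text is an abbreviated reconstruction of each event's layout.
SAMPLE_RECORDS = [
    wmi_record("HOST1DC01", 4634, "Logoff", [
        "An account was logged off.", "", "Subject:",
        "\tSecurity ID:\t\tS-1-5-21-3123024953-243645673-3382258605-1103",
        "\tAccount Name:\t\tHOST1DC01$", "\tAccount Domain:\t\tLOCAL",
        "\tLogon ID:\t\t0x6C367A5", "", "Logon Type:\t\t\t3",
    ]),
    wmi_record("HOST1DC01", 4720, "User Account Management", [
        "A user account was created.", "", "Subject:",
        "\tSecurity ID:\t\tS-1-5-21-3123024953-243645673-3382258605-1104",
        "\tAccount Name:\t\tadmin.jdoe", "\tAccount Domain:\t\tLOCAL",
        "\tLogon ID:\t\t0x3E7A1", "", "New Account:",
        "\tSecurity ID:\t\tS-1-5-21-3123024953-243645673-3382258605-1201",
        "\tAccount Name:\t\tsvc-backup", "\tAccount Domain:\t\tLOCAL",
    ]),
    wmi_record("HOST1DC01", 5136, "Directory Service Changes", [
        "A directory service object was modified.", "", "Subject:",
        "\tSecurity ID:\t\tS-1-5-21-3123024953-243645673-3382258605-1104",
        "\tAccount Name:\t\tadmin.jdoe", "\tAccount Domain:\t\tLOCAL",
        "\tLogon ID:\t\t0x3E7A1", "", "Directory Service:",
        "\tName:\tlocal", "\tType:\tActive Directory Domain Services", "",
        "Object:", "\tDN:\tCN=svc-backup,OU=ServiceAccounts,DC=local",
        "\tGUID:\t{c1234249-6401-40e7-18a8-289fbb2faf26}", "\tClass:\tuser", "",
        "Attribute:", "\tLDAP Display Name:\tmemberOf",
        "\tValue:\tCN=Domain Admins,CN=Users,DC=local", "",
        "Operation:", "\tType:\tValue Added",
    ]),
]

# Each entry is the Python form of one "parse ... nodrop" in the page's query,
# with the same field names. nodrop means a non-matching pattern leaves its
# fields unset instead of discarding the event.
PARSE_STATEMENTS = [
    re.compile(r'EventCode = (?P<event_id>\d+);'),
    re.compile(r'Computer = "(?P<host>[^"]*)";'),
    re.compile(r'Message = "(?P<msg_summary>[^\r]+?)\r'),
    re.compile(r'CategoryString = "(?P<categoryString>[^"]*)";'),
    re.compile(r'Subcategory:\s+(?P<subcategory>[^\r]+?)\r'),
    # Subject (source) account: first Account Name/Domain pair after Logfile.
    re.compile(r'Logfile = "Security";[\s\S]+?Account Name:\s+(?P<src_user>[^\r]+?)\r'
               r'[\s\S]+?Account Domain:\s+(?P<src_domain>[^\r]+?)\r'),
    # Target account: a second pair, present in account-management events
    # such as 4720 but absent from 5136, so dest_* stays unset there.
    re.compile(r'Logfile = "Security";[\s\S]+?Account Name:\s+(?P<src_user>[^\r]+?)\r'
               r'[\s\S]+?Account Domain:\s+(?P<src_domain>[^\r]+?)\r'
               r'[\s\S]+?Account Name:\s+(?P<dest_user>[^\r]+?)\r'
               r'[\s\S]+?Account Domain:\s+(?P<dest_domain>[^\r]+?)(?:\r|";)'),
    re.compile(r'Directory Service:[\s\S]+?Name:\s+(?P<directory_ServiceName>[^\r]+?)\r'),
    re.compile(r'Directory Service:[\s\S]+?Type:\s+(?P<directory_ServiceType>[^\r]+?)\r'),
    re.compile(r'Object:\r\n\tDN:\t(?P<dest_ou>.*?)\r\n\tGUID'),
]


def parse_event(record):
    """Apply every parse statement; only matching patterns contribute fields."""
    fields = {}
    for pattern in PARSE_STATEMENTS:
        match = pattern.search(record)
        if match:
            fields.update(match.groupdict())
    return fields


def directory_service_changes(records):
    """Port of the page's query: the full-text term narrows the scan, then the
    where clause keeps events whose category or subcategory is exactly
    'Directory Service Changes'."""
    rows = []
    for record in records:
        if "Directory Service Changes" not in record:
            continue
        fields = parse_event(record)
        if (fields.get("categoryString") == "Directory Service Changes"
                or fields.get("subcategory") == "Directory Service Changes"):
            rows.append(fields)
    return rows


if __name__ == "__main__":
    for row in directory_service_changes(SAMPLE_RECORDS):
        print({k: row.get(k) for k in ("event_id", "host", "src_user", "src_domain",
                                       "dest_user", "dest_domain", "dest_ou")})
```

Running the block prints the single row the query would return for these three records. Passing the 4720 record to parse_event on its own shows the second regex populating dest_user and dest_domain, which is what the query's dest_* columns are for when the where clause is widened to account-management categories.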