Sumo Logic

Collect Active Directory Log Files

Before you can install the Active Directory App, you must configure Active Directory log collection.

Windows Active Directory (AD) is a directory service developed by Microsoft that stores information about various objects on a network.

The Sumo Logic Application for Active Directory analyzes, then graphically displays this information to users and network administrators, including information about domain controllers, forest, site, users, groups, computers and organizational units. Sumo Logic allows you to augment or couple regular Windows Events with this data to get more contextual insights from the logs. For example, by augmenting the events based on the domain name, you can build searches specific to a particular AD site or track activities to users under a specific Organizational Unit.

Log Types

Active Directory diagnostic log files are described in more detail on Microsoft TechNet.

Prerequisites

To begin collecting Active Directory logs, first:

  • Verify the Active Directory module
  • Download Sumo Logic scripts

Verify Active Directory Module

Before proceeding, verify that the Active Directory module is available. The Active Directory module is supported on Windows 7 and Windows 2008 Server (R2 and later) if Remote Server Administration Tools (RSAT) are installed. You'll find more information at Microsoft TechNet.

To verify that Active Directory Module is available

  1. Choose Start > Administrative Tools.
  2. Look for Active Directory Module for Windows PowerShell.
  3. If the module isn't installed, install RSAT as described on Microsoft TechNet.

Deploy Sumo Logic scripts

In order to collect files, download the following scripts:

These scripts should be deployed on a machine that is part of the domain where the log files exist. After deploying the scripts, you'll need to configure a Script Source on Sumo Logic for domainCollector.ps1 and another Script Source for adObjectCollector.ps1.

To deploy the scripts

  1. Download the scripts to a folder, for example "C:\PSScripts"
  2. Edit the scripts so that SCRIPTPATH matches the path to the folder.

Testing the scripts is optional, but recommended.

To manually test the scripts

  1. Open a command line interface.
  2. Run domainCollector and adObjectCollector, using the path where the scripts were installed.
powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\domainCollector.ps1 
powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\adObjectCollector.ps1

If the setup was successful, Active Directory domain and object information will be collected and the scripts will print results to the screen.

Configure a Collector

Configure an Installed Collector.

Make sure the collector is installed on a machine that belongs to the domain managed by Active Directory. You can install a single collector and use a remote source, but Sumo Logic recommends installing a collector on each of your domain controllers for performance.

Configure Sources

If you have installed collectors on each domain controller, as recommended, configure a Local Windows Event Log Source on each one. Otherwise, configure a Remote Windows Event Log Source to collect events from each Active Directory server. For these Windows Event sources, set the source category to OS/Windows.

Next, configure a script source.

To run a PowerShell script from within a script source, configure the collector to use the PowerShell command to run the script. You also need to supply some formatting options for the resulting script output.

  1. In Sumo Logic select Manage Data > Collection (Manage > Collection in the classic UI).
  2. Find the name of the installed Collector to which you'd like to add a Source. Click Add... then choose Add Source from the pop-up menu.
  3. Select Script for the Source type.
  4. Name. Enter DomainCollector or ADObjects. Description is optional.
  5. For Source Host, enter the hostname or the IP address of the machine. The hostname is stored in a searchable field called _sourceHost. The hostname can be a maximum of 128 characters.
  6. For Source Category, enter any information you'd like to include in the metadata.
  7. For Frequency, select Every 15 Minutes.
  8. If you'd like to set a timeout for your script, select Specify a timeout for your command. If you don't need a timeout, or if you're running a script once daily, we recommend that you leave this option deselected.
  9. Command. Select Windows Script.
  10. Script. Select Type the script to execute, and enter one of these:
powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\domainCollector.ps1
powershell.exe -ExecutionPolicy Bypass -InputFormat None -File c:\PSScripts\adObjectCollector.ps1
  11. For Working Directory, enter a path that matches the value for Type the script to execute (c:\PSScripts\ in this example).
  12. Click Save.

Sample Log Messages

Domain Controller

DomainController DName=="DC=local" DomainName=="local" Forest=="local" NetBIOSName=="LOCAL" ControllerHostName=="HOST1DC01.local" IP=="102.240.30.12" Site=="DC1"

AD Domain

UserMembership SearchBase=="DC=local" DistinguishedName=="NN=Service My-Service,OU=DC=local" Name=="My-Service" ObjectGUID=="c1234249-6401-40e7-18a8-289fbb2faf26" Parent=="DC=local"

Windows Event

instance of Win32_NTLogEvent
{
    Computer = "HOSTDC01";
    EventCode = 4634;
    EventIdentifier = 4634;
    Logfile = "Security";
    RecordNumber = 184879601;
    SourceName = "Microsoft-Windows-Security-Auditing";
    TimeGenerated = "20170213222816.000000-000";
    TimeWritten = "20170213222816.000000-000";
    Type = "Audit Success";
    EventType = 4;
    Category = 12545;
    CategoryString = "Logoff";
    Message = "An account was logged off.

Subject:
    Security ID:        HOST1DC01$ (S-1-5-21-3123024953-243645673-3382258605-1103)
    Account Name:        HOST1DC01$
    Account Domain:        Local
    Logon ID:        0x6C367A5

Logon Type:            3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.";
    InsertionStrings = {"S-1-5-21-3123024953-2436456723-3382258605-1103", "HOST1DC01$", "HOSTING", "0x6c488a5", "3"};
};

Query Sample

Directory Service Object Changes (from Active Directory App)

_sourceCategory=delete_test _sourceName=Security "Directory Service Changes" 
| parse "EventCode = *;" as event_id nodrop | parse "Computer = \"*\";" as host nodrop | parse "ComputerName = \"*\";" as host nodrop | parse regex "Message = \"(?<msg_summary>[^\r]+?)\r" nodrop | parse "CategoryString = \"*\";" as CategoryString nodrop | parse regex "Subcategory:\s+(?<subcategory>[^\r]+?)\r" nodrop
| parse regex "Logfile = \"Security\";[\s\S]+?Account Name:\s+(?<src_user>[^\r]+?)\r[\s\S]+?Account Domain:\s+(?<src_domain>[^\r]+?)\r" nodrop 
| parse regex "Logfile = \"Security\";[\s\S]+?Account Name:\s+(?<src_user>[^\r]+?)\r[\s\S]+?Account Domain:\s+(?<src_domain>[^\r]+?)\r[\s\S]+?Account Name:\s+(?<dest_user>[^\r]+?)\r[\s\S]+?Account Domain:\s+(?<dest_domain>[^\r]+?)(?:\r|\";)" nodrop
| parse regex "Directory Service:[\s\S]+?Name:\s+(?<directory_ServiceName>[^\r]+?)\r" nodrop | parse regex "Directory Service:[\s\S]+?Type:\s+(?<directory_ServiceType>[^\r]+?)\r" nodrop | parse "Object:\r\n\tDN:\t*\r\n\tGUID" as dest_ou nodrop
| fields msg_summary, categoryString, subcategory, event_id, src_user, src_domain, dest_user, dest_domain, host
| where categoryString="Directory Service Changes" or subcategory="Directory Service Changes"
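As an added illustration (not part of the Sumo Logic documentation or its collector scripts), the following Python reproduces offline what the parse and where operators in the query above extract from a Win32_NTLogEvent dump like the Windows Event sample, and also splits the Key=="value" lines that the domain and object collectors emit. The sample event is constructed from the page's example with CRLF line endings, which the query's \r-anchored regexes assume.

```python
import re

# Constructed sample modelled on the page's Win32_NTLogEvent dump (CRLF line endings).
SAMPLE_EVENT = (
    'instance of Win32_NTLogEvent\r\n{\r\n'
    '    Computer = "HOSTDC01";\r\n'
    '    EventCode = 4634;\r\n'
    '    Logfile = "Security";\r\n'
    '    CategoryString = "Logoff";\r\n'
    '    Message = "An account was logged off.\r\n\r\n'
    'Subject:\r\n'
    '    Security ID:        HOST1DC01$ (S-1-5-21-3123024953-243645673-3382258605-1103)\r\n'
    '    Account Name:        HOST1DC01$\r\n'
    '    Account Domain:        Local\r\n'
    '    Logon ID:        0x6C367A5\r\n\r\n'
    'Logon Type:            3\r\n\r\n'
    'This event is generated when a logon session is destroyed.";\r\n'
    '};\r\n'
)

# One pattern per "parse" operator in the query; group 1 is the extracted field.
FIELD_PATTERNS = {
    "event_id": r"EventCode = (\d+);",
    "host": r'Computer = "([^"]*)";',
    "categoryString": r'CategoryString = "([^"]*)";',
    "msg_summary": r'Message = "([^\r]+?)\r',
    "subcategory": r"Subcategory:\s+([^\r]+?)\r",
    # First Account Name / Account Domain after the Security logfile marker = Subject.
    "src_user": r'Logfile = "Security";[\s\S]+?Account Name:\s+([^\r]+?)\r',
    "src_domain": r'Logfile = "Security";[\s\S]+?Account Domain:\s+([^\r]+?)\r',
}

def parse_nt_log_event(text):
    """Extract the query's fields; a missing field becomes None (the 'nodrop' behaviour)."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text)
        fields[name] = match.group(1) if match else None
    return fields

def matches_directory_service_changes(fields):
    """Equivalent of the query's final 'where' clause."""
    return "Directory Service Changes" in (fields["categoryString"], fields["subcategory"])

KV_RE = re.compile(r'(\w+)=="([^"]*)"')

def parse_collector_line(line):
    """Split a domainCollector/adObjectCollector line into its record type and Key=="value" pairs."""
    record_type, _, rest = line.partition(" ")
    return record_type, dict(KV_RE.findall(rest))
```

The Logoff sample is correctly rejected by the where clause, so only events whose category or subcategory is "Directory Service Changes" would reach the dashboard.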

Install the Sumo Logic App

Now that you have set up collection for Active Directory, install the Sumo Logic App for Active Directory to use the preconfigured searches and dashboards that provide visibility into your environment for real-time analysis of overall usage.

Sumo Logic recommends using the Sumo Logic App for Active Directory in combination with the Sumo Logic App for Windows.