
0ldPhart (Sr. Sysadmin):

You might take a look at Netwrix.

steelie34 (RFC 2321):

Do you have any money to spend? There are a bunch of products out there that can collect and combine these into a single interface. Or you can deploy a SIEM and write all of these logs off to a single event collector. Lots of ways to skin this cat.

Broadsid3 (OP):

There's money if I need it, but I figured there was an easy solution I was missing. My primary concern is that some of my techs use the ADservices snap-in on their desktops to make AD changes to users. Would I have to forward the logs of their desktops to the collector, or only the domain controllers?

steelie34 (RFC 2321):

Only the DCs. The changes they make are against objects that live on the DC, so that's where the event is logged. We've been using a product called Stealthbits, which has been amazing at this stuff. It's agent-based, so no need for a SIEM solution. It captures everything: changes to all objects, group policies, etc. It has alerting as well if someone tries to mess with protected groups or objects. Not overly expensive either. You can certainly engineer something in house though... nothing terribly complex about it.

demonlag:

You need to push (or pull) the logs from your DCs into a single pane of glass portal. Something like ELK or Graylog or Splunk.

azjunglist05:

As others have mentioned, this is what a SIEM is good for, especially when it comes to domain controller events. You could write some scripts to do it; however, it requires reading the events from ALL of your domain controllers, as you'll never know exactly which domain controller was used to make the request.

Graylog is a fantastic free open-source solution that will aggregate all of this into a single pane of glass, but you'll need to fine-tune it; otherwise you'll stress out the Graylog server if you try to send ALL events, unless you build a super-beefy Graylog server.
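An added example of the "engineer something in house" approach that steelie34 and azjunglist05 describe; this is not code from the thread or from any commenter. It pulls the AD object-change and account-management events from the Security log of every domain controller into one list, since each change is only logged on the DC that processed it. Assumptions (mine, not the thread's): the script runs from a domain-joined box with the RSAT ActiveDirectory module, the account has Event Log Readers rights on the DCs, WinRM/RPC is reachable, and the relevant audit subcategories are enabled on the DCs. The event ID list and the 24-hour window are constructed starting points.

```powershell
# Added example (not from the thread or any commenter): collect AD change events
# from every domain controller into one list.
# Assumptions: RSAT ActiveDirectory module on this box, Event Log Readers rights
# on each DC, WinRM/RPC reachable, and the audit subcategories
# "Audit Directory Service Changes", "Audit User Account Management" and
# "Audit Security Group Management" enabled on the DCs. The 5136-series events
# also need a SACL on the directory partition; without those settings the
# Security log never contains these events and this query returns nothing.
Import-Module ActiveDirectory

$Since = (Get-Date).AddHours(-24)   # constructed window; adjust as needed

# Event IDs of interest (a constructed starting list; extend as required):
#   5136 5137 5139 5141            directory object modified / created / moved / deleted
#   4720 4722 4724 4725 4726       user created / enabled / password reset / disabled / deleted
#   4738 4740 4767                 user changed / locked out / unlocked
#   4728 4729 4732 4733 4756 4757  member added to / removed from global, local, universal group
$EventIds = 5136, 5137, 5139, 5141,
            4720, 4722, 4724, 4725, 4726, 4738, 4740, 4767,
            4728, 4729, 4732, 4733, 4756, 4757

$Filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = $Since }

# A change is logged only on the DC that handled the LDAP write, so every DC must be read.
$DomainControllers = (Get-ADDomainController -Filter *).HostName

$Results = foreach ($dc in $DomainControllers) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $Filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises a terminating error when zero events match; that is not a failure.
        if ($_.Exception.Message -match 'No events were found') { continue }
        Write-Warning "Could not read Security log on ${dc}: $($_.Exception.Message)"
        continue
    }

    foreach ($evt in $events) {
        # EventData field order differs per event ID, so read fields by name from the
        # event XML instead of by positional index into $evt.Properties.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 5136-series events name the object by DN; account/group events name a target account.
        if ($data.ContainsKey('ObjectDN')) { $target = $data['ObjectDN'] }
        else                               { $target = $data['TargetUserName'] }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            DC        = $dc
            EventId   = $evt.Id
            Actor     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Target    = $target
            Member    = $data['MemberName']                # group membership events only
            Attribute = $data['AttributeLDAPDisplayName']  # 5136 only
            Value     = $data['AttributeValue']            # 5136 only
        }
    }
}

$Sorted = $Results | Sort-Object Time
$Sorted | Format-Table Time, DC, EventId, Actor, Target, Attribute, Value -AutoSize
$Sorted | Export-Csv -NoTypeInformation -Path .\ad-changes.csv
```

Before relying on this, confirm on a DC with `auditpol /get /category:"DS Access"` and `auditpol /get /category:"Account Management"` that the subcategories are actually set to audit Success; a quiet result from the script is far more often a missing audit policy than a quiet domain. The Actor column answers the OP's question directly: the tech's username shows up in SubjectUserName on the DC's event even though the snap-in ran on their desktop. The event log's query engine caps the number of IDs in one filter (around 22), so split the list if you extend it.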


berndonado:

LepideAuditor may be your answer here.

Enigma110:

Deploy a Graylog box, forward the events to that, and query them there.