Skip to content

Microsoft Active Directory

Forward Active Directory logs to a Syslog endpoint by consolidating logs using Windows Event Forwarding and forwarding them with a script or third-party tool.

Prerequisites

  • Windows Server with Active Directory Domain Services and Windows Event Forwarding configured.
  • Scripting environment or third-party Syslog forwarder installed on the Windows Server.
  • Syslog endpoint details: <SYSLOG_ENDPOINT>, <SYSLOG_PORT>.

Configuration Steps

1. Configure Windows Event Forwarding

  • On your domain controllers, enable Windows Event Forwarding to forward security-related logs (e.g., logon events, account management) to a single Windows Server. Microsoft provides guidance on setting up WEF.

2. Install a Syslog Forwarder on the Collector Server

  • Choose and install a third-party Syslog forwarder that is compatible with Windows, such as NXLog or Winlogbeat, on the server collecting forwarded events.

3. Configure the Syslog Forwarder

Adjust your Syslog forwarder's configuration to read from the Windows Event Log and forward events to your Syslog endpoint.

Example nxlog.conf snippet for NXLog:

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Output out>
    Module      om_udp
    Host        <SYSLOG_ENDPOINT>
    Port        <SYSLOG_PORT>
    Exec        to_syslog_bsd();
</Output>

<Route 1>
    Path        in => out
</Route>

Replace <SYSLOG_ENDPOINT> and <SYSLOG_PORT> with your Syslog server details.

Start the Syslog Forwarder Service* Ensure the Syslog forwarder service (e.g., NXLog) is running on the collector server to begin forwarding logs to your Syslog endpoint.

Verify Log Forwarding Generate test AD events (e.g., user logon, account changes) and check your Syslog server to confirm receipt of these events.

After configuring the Syslog forwarder, please provide the following information to us to complete the configuration on our side:

Syslog Endpoint Details The IP address or hostname of the syslog server where the logs are being forwarded. Syslog Port: The port number configured on the syslog server (e.g., 514 for default syslog over UDP/TCP).

Log Source Details - Type of Log Data: Specific details about the types of logs being forwarded (e.g., security events, logon events, account management). - Log Data Format: The format of the logs being sent (e.g., JSON, plain text).

Syslog Forwarder Configuration - Syslog Forwarder Software: The name and version of the syslog forwarder being used (e.g., NXLog, Winlogbeat). - Configuration Snippet: The configuration details or script used to set up the syslog forwarder on the client’s server.

Please send the above details to our support team via an "Onboard Log source request in your SecurIST platform

Getting Help

If you encounter any issues or need assistance during this process, our support team is here to help. You can reach out to us through:

Support Portal: Submit a ticket via our support portal for detailed assistance. Documentation: Refer to our extensive documentation library for troubleshooting and additional guides.

By providing these details, we will be able to configure SecurIST to accept and process Bitdefender logs for your SIEM service.