Kaseya Community

Active Directory Auditing

  • Hi,

    We had an incident some time ago where someone logged on to the server and changed the logout policy to 2 minutes. Kaseya is installed on that unit. Many different companies have access to this network to do their support for their applications they offer to the site.

    I am trying to find a way to monitor AD changes to configurations and settings. For example: I would like to monitor a server and see who logs in when and what changes are made by that user. Basically, something like "Netwrix Auditor", just for/within Kaseya. I always believed this was part of Kaseya, otherwise why do we pay so much money per month for this software?

    I logged a support ticket and I was told this functionality is not available in Kaseya. I ask: Why not?! This is a fundamental feature which should not be missing from Kaseya. I mean, the system should firstly be able to log everything and anything?



    changed word "like" to for/within
    [edited by: d2000_07 at 1:12 AM (GMT -7) on Aug 4, 2016]
  • Kaseya can [outside of KNM] only monitor what Windows logs... and AD changes are not logged by default. If you turn on AD logging, you'll find changes are logged to the Security Event Log, which Kaseya can monitor.

    Since Kaseya can read and monitor whatever Windows logs, the usual first port of call if you want to monitor something is to ensure Windows is logging your desired activities in the first place.

    See technet.microsoft.com/.../cc731607(v=ws.10).aspx

    Pretty sure you can't log anything involving group policies however, so if the change was made there, you may be out of luck.

  • Hey guys,

    Take a look at the video I did on account auditing back in 2012. This will show how to turn on the right auditing bits that will generate the right event logs in Windows. From there, you can use Kaseya's monitoring subsystem to watch for these types of events and take action as required. This may include firing alerts, or possibly even remediating directly with agent procedures. Check out the video at:

    https://youtu.be/G3rxRCRyKcw

    Remember that one of the powers of the VSA platform is the flexibility in how we can watch events and counters. You could watch for AD changes, trigger an event that creates a ticket in BMS and then let you look at the issue within a small window of time.

    HTH.

  • Thanks Dana!

    Yes, this is exactly what I was looking for. Now, where can I find the list of all relevant event IDs? I am guessing there are thousands of event IDs.

    I will probably use Kaseya KNM to get monitoring, alerting, notification going on this. For now, I can add the 4733, 4735, 4737 and 4755 events as shown in your video.

  • http://www.morgantechspace.com/2013/08/active-directory-change-audit-events.html

    user add to local admin: 4733, 4735, 4737, 4755
    group membership changes: 4728, 4732 and 4756
    group scope and type change: 4764
    permission changes to GPOs: 4662
    changes to GPO settings: 5136
    user account creation: 4720
    user account enabled: 4722



    added link for event IDs
    [edited by: d2000_07 at 3:06 AM (GMT -7) on Aug 5, 2016]
  • I believe it's possible to integrate Netwrix Auditor and Kaseya. There is an option to write changes into the Windows log and Kaseya should be able to collect it, therefore you'll get pure changes without additional noise and with all details like who, when, where etc.

  • Yes, this might be true. But for monitoring one or two machines, it's highly costly. The thing is you use and pay for two systems, when theoretically it's possible to use only Kaseya.

  • I've set up a DC and I am busy testing this now. I have trouble with the data these events contain. Event 5136 doesn't show what is changed exactly, from what to what, or clearly who changed it.

    What is 9F50AB44-E3BE-4376-9CFA-7F9A3BD57651 ?

    What is S-1-5-21-3775114658-1322598845-2330766630-500 ?

    What is 117D3C90-0B24-4919-BA22-E913B9E0D402 ?

    Or where can I find out what these IDs refer to?
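The two posts above (the event-ID list and the question about what a 5136 record actually contains) can be worked through with a small parser. The following is an added example, not code from the thread, from Kaseya or from Netwrix: it reads Windows Security events in their native XML form, keeps only the IDs listed in the thread (labelled with Microsoft's own descriptions for those IDs), and for 5136 pulls out the fields that answer "who changed which attribute of which object to what": SubjectUserSid/SubjectUserName (who), ObjectDN and ObjectGUID (which object), AttributeLDAPDisplayName, AttributeValue and OperationType (what). The sample events, the domain SID and the GUIDs in them are constructed placeholders; the RID table holds the well-known relative identifiers of a domain (500 is the built-in Administrator account, which is what the `-500` suffix in the poster's SID denotes).

```python
"""Summarise AD-change audit events from Windows Security event XML.

Added example for the thread above; not Kaseya or Netwrix code.
Sample records below are constructed, with placeholder SIDs and GUIDs.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs listed in the thread, with Microsoft's descriptions of them.
WATCHED_EVENTS = {
    4720: "user account created",
    4722: "user account enabled",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4733: "member removed from security-enabled local group",
    4735: "security-enabled local group changed",
    4737: "security-enabled global group changed",
    4755: "security-enabled universal group changed",
    4756: "member added to security-enabled universal group",
    4764: "group type changed",
    4662: "operation performed on an AD object",
    5136: "directory service object modified",
}

# 5136 reports OperationType as a resource-string reference. A modified
# attribute produces two 5136 records: one "value deleted" (old value)
# followed by one "value added" (new value).
OPERATION_TYPES = {"%%14674": "value added", "%%14675": "value deleted"}

# Well-known RIDs (the last component of a domain SID S-1-5-21-x-y-z-RID).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins"}

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def describe_sid(sid):
    """Annotate a domain SID with its RID and, if well known, the account name."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        return sid                      # not a domain SID; leave as-is
    rid = int(m.group(1))
    name = WELL_KNOWN_RIDS.get(rid)
    return f"{sid} (RID {rid}: {name})" if name else f"{sid} (RID {rid})"


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Security event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def summarize(xml_text):
    """Return a who/what summary for a watched event, or None if not watched."""
    event_id, data = parse_event(xml_text)
    if event_id not in WATCHED_EVENTS:
        return None
    summary = {
        "event_id": event_id,
        "description": WATCHED_EVENTS[event_id],
        "who": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "who_sid": describe_sid(data.get("SubjectUserSid", "")),
    }
    if event_id == 5136:
        op = data.get("OperationType", "")
        summary.update({
            "object": data.get("ObjectDN", ""),
            # ObjectGUID is the AD object's objectGUID; resolve it with an
            # LDAP search for that attribute if the DN alone is not enough.
            "object_guid": data.get("ObjectGUID", ""),
            "attribute": data.get("AttributeLDAPDisplayName", ""),
            "value": data.get("AttributeValue", ""),
            "operation": OPERATION_TYPES.get(op, op),
        })
    return summary


# Constructed sample records (placeholder SID and GUID values).
SAMPLE_5136 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=jdoe,OU=Users,DC=corp,DC=example</Data>
    <Data Name="ObjectGUID">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">description</Data>
    <Data Name="AttributeValue">Vendor support contractor</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>"""

SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData><Data Name="SubjectUserName">-</Data></EventData>
</Event>"""

if __name__ == "__main__":
    for record in (SAMPLE_5136, SAMPLE_4624):
        print(summarize(record))
```

The `summarize()` output is the shape of line you would want a Kaseya event-log monitor or alert to carry: the 5136 sample yields who (`CORP\Administrator`, RID 500), the object DN, the attribute `description` and the new value with operation "value added". In a real export the `%%14674`/`%%14675` codes are already rendered to text by the event viewer, so the `OPERATION_TYPES` lookup is only needed when reading raw XML.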

  • Hello d2000_07,

    I believe the S-1-**** reference is pointing to the registry information for a user account.