ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How do I consolidate Active Directory security audit logs from multiple DCs into one unified log?


Member

Posts: 5
Date: Jun 1, 2011
How do I consolidate Active Directory security audit logs from multiple DCs into one unified log?


I would like to know if there is a way to obtain a single unified view of all the directory service and security events generated on all DCs? I'm looking for something that can reliably and securely automate the collection of all event logs and provide queryable views into the overall enterprise state of events across all DC event logs.



__________________

If winning isn't everything, why do they keep score? 



Member

Posts: 21
Date: Jun 23, 2012
RE: How do I consolidate Active Directory security audit logs from multiple DCs into one unified log?


Hi John,

Have you looked at the Microsoft Audit Collection Service (MACS)? 

I believe it is designed to do just that, and I think it's free as well. Other than MACS, a couple of vendors offer a few 3rd party solutions, but I'm not sure how good or expensive they are. We use MACS and are happy with it.

One thing we have learnt is that it is also very important to ensure that only those events that absolutely need to be audited are logged, because otherwise, over time, your logs can get full very quickly.

-G

 



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Member

Posts: 5
Date: Feb 5, 2013
RE: How do I consolidate Active Directory security audit logs from multiple DCs into one unified log?


Hi Geoffrey,

Thank you for your input. Yes, we're currently looking at various 3rd party Active Directory Auditing tools to help us fulfill this need. Fortunately there's quite a choice, and we're happy about that.

As I may have mentioned to you, one of the motivations for us was to try and reduce the number of IT admins who have elevated rights in our Active Directory so we figured that auditing was the way to go, because one of the benefits of auditing is that whenever someone performs an action, we know about it because there's a record in our audit logs.

I suspect we should narrow down on a good Active Directory Auditing solution in the next few weeks, and then go with one. In case it helps, we're looking at a solution from BlackBird, one from Netwrix, and one from some company called Manage Engine (this was the cheapest one of them all, thus the consideration). Let's see which one our management decides to proceed with.

Thanks for your help though bro.

John.



__________________

If winning isn't everything, why do they keep score? 



Member

Posts: 21
Date: Feb 12, 2013
RE: How do I consolidate Active Directory security audit logs from multiple DCs into one unified log?


Hi John,

Hey, good luck with the evaluation process. It does take a long time to evaluate all the options and proceed with the one. Yeah, the ones you're looking at are the usual candidates - BlackBird Auditor, Quest Auditor, Netwrix Change Reporter and AD Audit Plus from Manage Engine.

We use the Microsoft Audit Collection Service and are happy with it.

Amongst the ones listed above, I think BlackBird and Quest are generally reliable. NetWrix I don't know much about, but the one from Manage Engine I'm not so sure of, because I believe it is the cheapest one of them all, and as the adage goes, you get what you pay for.

Anyway, auditing is essential and you should be fine with one of these solutions in place.

As I indicated earlier, in order for auditing to be effective, it is important to try and ensure that only the most critical of events are being audited, otherwise your audit logs can fill up with volumes of data that are hard to comb through.

What we do is get an Active Directory Access Audit done once a fortnight, so we have a good idea of who can do what in our Active Directory to begin with, and based on that we ensure that only the most critical of events are being audited.

That way, because we know who has what access in our AD to begin with (courtesy of AD Access Audits), there are very few surprises to be found in our audit logs. As a result, our reliance on auditing has decreased dramatically, and we mostly use it for record keeping.

- Geoffrey.

 



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.
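The thread asks how to pull the directory-service events from every DC into one queryable view, and Geoffrey's replies stress collecting only the critical events. The script below is an added example, not code from this forum or from any of the products named above. It assumes the RSAT ActiveDirectory module, an account with remote read access to each DC's Security log, and that the "Audit Directory Service Changes" subcategory is enabled; the output path is a placeholder.

```powershell
# Added example (not from the thread): collect Directory Service Changes
# events from every DC in the domain and merge them into one time-ordered CSV.
# Assumptions: RSAT ActiveDirectory module installed; the running account can
# read the Security log remotely on each DC; "Audit Directory Service Changes"
# is enabled via Advanced Audit Policy. Note these events fire only for objects
# whose SACL requests auditing, so an unchanged SACL means an empty result.
Import-Module ActiveDirectory

# Keep the collected set small, as the thread advises. These are the Windows
# Directory Service Changes IDs: 5136 modified, 5137 created, 5139 moved,
# 5141 deleted.
$CriticalIds = 5136, 5137, 5139, 5141
$Since       = (Get-Date).AddHours(-24)
$OutFile     = "C:\AuditCollection\ds-changes-$(Get-Date -Format yyyyMMdd-HHmm).csv"  # placeholder path

$dcs = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = $CriticalIds
            StartTime = $Since
        } | ForEach-Object {
            # Parse the event XML once so fields are addressed by name, not position.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated.ToUniversalTime()  # UTC so DCs sort together
                DC          = $dc
                EventId     = $_.Id
                Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                ObjectDN    = $d.ObjectDN          # null for 5139, which uses OldObjectDN/NewObjectDN
                Attribute   = $d.AttributeLDAPDisplayName
                Value       = $d.AttributeValue
            }
        }
    } catch {
        # A DC whose log cannot be read is itself a finding; surface it rather than skip silently.
        Write-Warning "Could not read Security log on ${dc}: $($_.Exception.Message)"
    }
}

$events | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation
"Wrote $($events.Count) events from $($dcs.Count) DCs to $OutFile"
```

Run it on a schedule from a collector host and the CSV becomes the unified, enterprise-wide view the original question asks for; the event-ID list is the knob that keeps the volume down, as Geoffrey recommends.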
