If Microsoft Active Directory is used as the source of information, you need:

| Name | Description |
|---|---|
| Step 1. Configure the UserID agent settings to monitor Microsoft AD. | The UserID agent parameters were discussed earlier. |
| Step 3. Configure the event source. | Configure Microsoft Active Directory as the source. See below for more information on the source settings. |
When AD servers are used as event sources, UserGate runs WMI queries against them to search for successful logon events (event ID 4624), Kerberos events (event IDs 4768, 4769, 4770) and group membership events (event ID 4627). How often the queries run is defined by the UserID agent settings (the Polling interval parameter). The events found are displayed in Logs and reports, under Logs → Endpoint devices → Events.
When adding an event source of the Microsoft Active Directory type, you need to specify the following:

| Name | Description |
|---|---|
| Enabled | Enable/disable receiving logs from the source. |
| Name | The source name. |
| Description | An optional description of the source. |
| Server address | Microsoft Active Directory address. |
| Protocol | AD access protocol (WMI). |
| Name | The username for connecting to AD. |
Logs → Custom Log Normalization and fill in the following fields in the window that opens:

| Name | Description |
|---|---|
| Enabled | Enable/disable the custom log normalization rule. |
| Name | Name of the custom log normalization rule. |
| Description | Description of the custom log normalization rule. |
| Category | Select the category (type) of the logs to which this rule is applied: |
| Data column | Select the column the data will be extracted from. |
| Regular Expression | A regular expression string with group names matching the columns to which the values will be written. |

Example of a rule that processes syslog category logs, extracts username, ip and port, and writes these values into the corresponding fields in the SIEM database:
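The following is an added example, not UserGate's own code or the rule from the original page: it shows how a normalization regex with named groups maps matched values onto columns, and why a group name that does not correspond to a column must be rejected. The column set, the regex and the syslog line are all constructed for this example.

```python
import re
from typing import Optional

# Assumed set of SIEM columns a rule may write to (constructed for this example).
ALLOWED_COLUMNS = {"username", "ip", "port", "hostname"}

# Constructed syslog line of the kind a syslog-category rule would process.
SAMPLE_LINE = (
    "<86>Mar  3 10:15:02 gw01 sshd[2211]: "
    "Accepted password for alice from 192.0.2.15 port 51432 ssh2"
)

# Rule regex: every named group must equal the target column it fills.
RULE_REGEX = (
    r"for (?P<username>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"port (?P<port>\d+)"
)


def validate_rule(regex: str) -> re.Pattern:
    """Compile the rule and check that each group name is a known column."""
    pattern = re.compile(regex)
    unknown = set(pattern.groupindex) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"group names with no matching column: {sorted(unknown)}")
    return pattern


def normalize(line: str, regex: str = RULE_REGEX) -> Optional[dict]:
    """Apply the rule to one line; return {column: value} or None if it does not match."""
    pattern = validate_rule(regex)
    match = pattern.search(line)
    if match is None:
        return None  # line is not of the shape this rule handles; leave it to other rules
    fields = match.groupdict()
    if "port" in fields:
        fields["port"] = int(fields["port"])  # keep the numeric column numeric
    return fields


if __name__ == "__main__":
    print(normalize(SAMPLE_LINE))
```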