In our first installment, we set up monitoring of Active Directory by using the built-in auditing capabilities that Windows provides. Now that we are tracking every change that occurs within the Active Directory database and infrastructure, we need to look at the results and get a handle on how we can view the information that is being tracked.
All of the monitoring occurs in the security log, which you can see in the Event Viewer. Figure 1 illustrates the resulting security log for a domain controller that is monitoring changes to Active Directory.
Figure 1. Security Log in Event Viewer
As you can see in Figure 1, there are over 180,000 events in this single log. Consider that you have 10, 20 or even 50 domain controllers that are generating logs this size. Depending on the activity that you have in your domain for creating, modifying and deleting objects, these logs can not only get rather large, but can also produce many logs in a single day.
The maximum log size for the security log is 4 GB. Unfortunately, Microsoft recommends that the log should not be over 300 MB. If you choose to reduce the log size to 300 MB, you will most likely end up with 5 to 10 archived logs each day, per domain controller.
To consolidate these logs, you really have two choices without acquiring a third-party product (which I would highly recommend!). Option one would be to import each of the archived logs into a single Event Viewer console so you can run filters on them to find the information you are looking for. This would be a very tedious task because logs are being archived all the time, and you would need to import new logs constantly. Option two would be to use the Event Log Forwarding option that Microsoft provides by using Subscriptions. This is a constant gathering of specified event IDs from all of the domain controllers, consolidating them into a single log on a single computer.
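The following is an added example of Option two, not code from the article: it caps each domain controller's Security log at the 300 MB the article mentions, archiving rather than overwriting when the log fills, and then builds a source-initiated Event Log Forwarding subscription that pulls Directory Service Changes events from every domain controller into the ForwardedEvents log on one collector. The collector name COLLECTOR01, the subscription ID and the path are hypothetical; the event IDs are the standard Directory Service Changes IDs (5136 modified, 5137 created, 5138 undeleted, 5139 moved, 5141 deleted), which the article does not list and are assumed here.

```powershell
# Added example (not from the article): consolidate Directory Service Changes
# events from all domain controllers into one log using a source-initiated
# Windows Event Forwarding subscription.
# Assumptions: collector COLLECTOR01 (hypothetical), DCs are members of
# Domain Computers, event IDs 5136/5137/5138/5139/5141 are the standard
# Directory Service Changes IDs.

# --- 1. On each domain controller (event source) ---
# 300 MB maximum, retain and auto-archive when full instead of overwriting.
wevtutil sl Security /ms:314572800 /rt:true /ab:true
# WinRM is the transport the DC uses to push events to the collector.
winrm quickconfig -quiet
# Two settings are also needed on the DCs, normally applied by Group Policy:
#   Computer Configuration > Administrative Templates > Windows Components >
#   Event Forwarding > Configure target Subscription Manager, value:
#   Server=http://COLLECTOR01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60
#   and NETWORK SERVICE must be a member of the Event Log Readers group so it
#   can read the Security log.

# --- 2. On the collector ---
wecutil qc /q   # configure and start the Windows Event Collector service

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AD-Object-Changes</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Directory Service Changes from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=5136 or EventID=5137 or EventID=5138 or EventID=5139 or EventID=5141)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: allow the Domain Computers group (DC) to forward events -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@

$xmlPath = Join-Path $env:TEMP 'AD-Object-Changes.xml'   # hypothetical path
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath           # create the subscription from the XML
wecutil gr AD-Object-Changes  # runtime status: which DCs are connected and last heartbeat
```

Only the selected event IDs cross the network, so the collector's ForwardedEvents log stays far smaller than the sum of the DCs' Security logs; `wecutil gr` is the first place to look when a domain controller's changes are missing from the consolidated log.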
Now that we have a single computer with our logs, we need to find the information that we are looking for. Unfortunately, we cannot run queries to find information that is contained within the events; we must work at the event and event ID level. We can put the logs through filters, which allow us to view just a subset of the log, focusing on event IDs, the computers that generated the events, the users that generated them, etc. We cannot filter based on just words within the events. (There are products that do this, and I suggest you investigate these products because they are very useful!) Another option is to set up alerts for when certain event IDs are generated. You can either set up a message to appear or even an email to be sent out. However, this can create many false positives because the alerting is not granular. (Again, a third-party product can do this with great ease, allowing you to get an email when key objects in Active Directory are changed!)
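As an added example that is not part of the article, the function below does from PowerShell what the text describes doing in the Event Viewer filter: it reads either the consolidated ForwardedEvents log (Option two) or a folder of archived Security .evtx files copied from a domain controller (Option one) and narrows the result by event ID, source domain controller and user. The Event Viewer filter dialog works at the event ID level as the article notes; `Get-WinEvent` additionally exposes each event's EventData fields, which the example reads to show which object and attribute changed. The server names, paths and user names are hypothetical, and the field names (SubjectUserName, ObjectDN, ObjectClass, AttributeLDAPDisplayName, AttributeValue) are those of the standard 5136/5137/5139/5141 events.

```powershell
# Added example (not from the article): search consolidated or archived
# Security logs for Directory Service Changes events and filter by event ID,
# source domain controller and user.
# Assumptions: hypothetical server names and paths; EventData field names follow
# the standard 5136/5137/5139/5141 layout.

function Get-ADChangeEvent {
    [CmdletBinding(DefaultParameterSetName = 'Log')]
    param(
        # Consolidated log on the collector (Option two in the article)
        [Parameter(ParameterSetName = 'Log')] [string] $LogName = 'ForwardedEvents',
        # Archived .evtx files copied from a domain controller (Option one)
        [Parameter(ParameterSetName = 'Archive')] [string] $Path,
        [int[]] $Id = @(5136, 5137, 5139, 5141),
        [string] $SourceComputer,                   # e.g. 'DC01.corp.example'
        [string] $User,                             # SubjectUserName, e.g. 'jdoe'
        [datetime] $Since = (Get-Date).AddDays(-1),
        [int] $MaxEvents = 5000
    )

    $filter = @{ Id = $Id; StartTime = $Since }
    if ($PSCmdlet.ParameterSetName -eq 'Archive') {
        $filter.Path = (Resolve-Path $Path).ProviderPath   # expands Archive-Security-*.evtx
    } else {
        $filter.LogName = $LogName
    }

    # Get-WinEvent reports "No events were found" as an error; treat it as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # MachineName is the domain controller that generated the event, even for forwarded events.
        if ($SourceComputer -and $e.MachineName -ne $SourceComputer) { continue }

        # Read the named EventData fields instead of parsing the rendered message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($User -and $data['SubjectUserName'] -ne $User) { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $e.MachineName
            EventId   = $e.Id
            Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ObjectDN  = $data['ObjectDN']
            Class     = $data['ObjectClass']
            Attribute = $data['AttributeLDAPDisplayName']
            Value     = $data['AttributeValue']
        }
    }
}

# Who changed what on DC01 in the last day, newest first (consolidated log).
Get-ADChangeEvent -SourceComputer 'DC01.corp.example' |
    Sort-Object Time -Descending | Format-Table -AutoSize

# The same question against archived logs pulled from a DC, limited to one user.
Get-ADChangeEvent -Path 'D:\DCLogs\DC01\Archive-Security-*.evtx' -User 'jdoe'

# Objects modified most often: a quick way to separate routine churn from unexpected targets.
Get-ADChangeEvent -Id 5136 | Group-Object ObjectDN |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

Run it on the collector, or anywhere the archived files have been copied; `-Since` and `-MaxEvents` keep a query against a 180,000-event log from pulling every record into memory, and `MachineName` rather than the collector's own name is what identifies the originating domain controller.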
As you can see, after you generate the logs, you have some control over finding the information you need. There are limitations — some would say great limitations — but at least you have the information! Obtaining a third-party product is highly recommended because it allows you to overcome the severe limitations that are embedded in the Microsoft solution.
Derek Melber is the technical evangelist for ManageEngine, a division of Zoho Corporation. As one of only a handful of Microsoft Group Policy MVPs, Derek helps Active Directory administrators, auditors and security professionals understand the finer points of how to manage, audit, recover and solve issues that occur in Active Directory and Group Policy. He educates IT professionals worldwide on Active Directory, Group Policy and Security and has authored over 15 books on Windows security and management. He’s famous for his video shorts in which he offers quick, practical solutions for Active Directory management.
For more information on ManageEngine, please visit http://www.manageengine.com/; follow the company blog at http://blogs.manageengine.com/; on Facebook at http://www.facebook.com/ManageEngine and on Twitter at @ManageEngine.