Active Directory Log Collection for Insights
Overview
Oort’s platform can analyze logs provided by customers to give insights into how users are accessing your applications. To provide Insights, logs must be shared with Oort for analysis. This document will walk you through the process of collecting the various logs needed.
Goal
This document aims to serve as a guide to help you gather logs from your organization. Ideal sources of logging are identity, authentication, access, SIEM, Syslog, or firewalls. The document will walk you through a collection of logs across systems discussed with the Oort team.
Audience
This document is meant for the CISO to share with their teams to collect logs that Oort will evaluate.
Next Steps
Once log streaming has been set up, Oort will analyze the logs to provide insights into your identities. This will include behavior, security, and any other insights that Oort can discover.
Log Collection
For Oort to provide insights with as high fidelity as possible, integration with your primary log source is recommended. We have discussed the following log source with your team:
- Microsoft Active Directory (AD DS)
Microsoft Active Directory
Active Directory has three primary log types that we will stream. Each log type contains a different set of information. All of the available logs can be listed through PowerShell with the command: Get-EventLog *
- Application – Active Directory Application-related log events.
- Security – Active Directory Security-related log events.
- System – Active Directory System-related log events.
Requirements for Active Directory log streaming
To set up Active Directory log streaming to Oort, you will need the following:
- An administrator account on your domain controller.
- Installation of the winlogbeat client
  - The winlogbeat client is used to stream logs to Oort’s Elastic instance running privately for your tenant.
  - Download URL: https://www.elastic.co/downloads/past-releases/winlogbeat-oss-7-10-0
  - Windows 64 bit: https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-oss-7.10.0-windows-x86_64.zip
- Configuration file winlogbeat.yml provided by Oort
  - This will be sent securely to you by Oort
Installing winlogbeat
Preparing for install
To prepare for the winlogbeat install, please download the following:
- 7.10.0 Winlogbeat OSS client
Install the winlogbeat client
- Download the winlogbeat client from the URL above
- Extract the zip archive
  - Browse for the folder C:\Program Files and click Extract
- Browse to the winlogbeat directory
  - Open Explorer and navigate to:
    C:\Program Files\winlogbeat-7.10.0-windows-x86_64
- Replace the winlogbeat.yml file in the directory with the file provided by Oort.
  - Replace:
    C:\Program Files\winlogbeat-7.10.0-windows-x86_64\winlogbeat.yml
  - With:
    winlogbeat.yml provided by Oort
Starting the winlogbeat client
- Open a PowerShell console
- Enter the following in the PowerShell console to change to the winlogbeat directory
  cd 'C:\Program Files\winlogbeat-7.10.0-windows-x86_64'
- Enter the following in the PowerShell console to test the winlogbeat configuration
  .\winlogbeat.exe test config -c .\winlogbeat.yml -e
  You should see Config OK at the end of the output.
- Install the winlogbeat service by entering the following in the PowerShell console
  .\install-service-winlogbeat.ps1
  If script execution is disabled on the domain controller, run the script as PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1 instead.
- Start the winlogbeat service by entering the following in the PowerShell console
  Start-Service winlogbeat
- Verify the winlogbeat service is running by entering the following in the PowerShell console
  Get-Service winlogbeat
  If you see the Status as Running, you are done.
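A post-install check for the steps above, as an added example that is not Oort's or Elastic's code: it re-runs the config test, confirms the service is running and set to start automatically after a reboot, confirms the three channels this guide streams are readable, and scans winlogbeat's own log for errors. It assumes the install path used in this guide and the default log directory C:\ProgramData\winlogbeat\logs that install-service-winlogbeat.ps1 configures.

```powershell
# Post-install verification for the winlogbeat steps in this guide (example, not Oort's code).
# Assumes the install path from this guide; adjust $Root and $LogDir if you extracted elsewhere.
$Root    = 'C:\Program Files\winlogbeat-7.10.0-windows-x86_64'
$Config  = Join-Path $Root 'winlogbeat.yml'
$LogDir  = 'C:\ProgramData\winlogbeat\logs'   # assumed default set by install-service-winlogbeat.ps1
$Results = @()

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:Results += [pscustomobject]@{ Check = $Name; Passed = $Ok; Detail = $Detail }
}

# 1. The Oort-provided config is in place and accepted by winlogbeat's own parser (-e sends logs to stderr)
Add-Check 'config present' (Test-Path $Config) $Config
if (Test-Path $Config) {
    $out = & "$Root\winlogbeat.exe" test config -c $Config -e 2>&1
    Add-Check 'config OK' ([bool]($out -match 'Config OK')) (($out | Select-Object -Last 1) -join '')
}

# 2. Service installed, running, and Automatic so streaming resumes after a reboot of the DC
$svc = Get-Service -Name winlogbeat -ErrorAction SilentlyContinue
Add-Check 'service installed' ($null -ne $svc) ''
if ($svc) {
    Add-Check 'service running'   ($svc.Status -eq 'Running')      "$($svc.Status)"
    Add-Check 'service automatic' ($svc.StartType -eq 'Automatic') "$($svc.StartType)"
}

# 3. The three channels this guide streams exist and have produced events recently
foreach ($log in 'Application', 'Security', 'System') {
    $recent = Get-WinEvent -LogName $log -MaxEvents 1 -ErrorAction SilentlyContinue
    $age = if ($recent) { [int]((Get-Date) - $recent.TimeCreated).TotalMinutes } else { -1 }
    Add-Check "$log log readable" ($null -ne $recent) "last event $age min ago"
}

# 4. Winlogbeat's own log should not be reporting errors (e.g. failing to reach the Elastic output)
$latest = Get-ChildItem $LogDir -Filter 'winlogbeat*' -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime | Select-Object -Last 1
if ($latest) {
    $errors = Select-String -Path $latest.FullName -Pattern '\bERROR\b' | Select-Object -Last 3
    Add-Check 'no errors in winlogbeat log' (@($errors).Count -eq 0) (($errors | ForEach-Object Line) -join ' | ')
} else {
    Add-Check 'winlogbeat log present' $false "no log files under $LogDir"
}

$Results | Format-Table -AutoSize
if ($Results | Where-Object { -not $_.Passed }) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell console, since reading the Security log and the service state requires administrator rights; a non-zero exit code means at least one check failed.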