Microsoft Active Directory (LDAP)

Overview

The Active Directory integration provides lists of user names along with domain, datasource, first seen and last seen details. It also allows searching across all flows for user names.

Configuring a non-admin user to query the Domain Controller Event Logs in Windows 2008, 2012, 2016, or 2019

1. Create a domain user for IPFIXify to use. Add the IPFIXify user to the Event Log Readers built-in group.

Enabling Logon/Logoff Audit policies on the domain controller

  1. Modify the default domain policy for domain controllers and enable the following group policies:

    1. Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff and then enable success and failure for Audit Logoff and Audit Logon.

  2. The advanced audit policies require that another group policy override setting is enabled under: Computer Configuration -> Policies -> Windows Settings -> Local Policies -> Security Options -> Audit: Force audit policy subcategory settings -> Define this policy setting and set it to Enabled.

Setting up IPFIXify on a Windows computer

  1. Download and install the Visual C++ 2012 redistributable.

  2. Make a c:\ipfixify directory.

  3. Download the ipfixify.exe binary from https://github.com/plixer/ipfixify/tree/master/bin/Win64. To confirm the binary is working, from a command prompt run ipfixify.exe --version. The version should be 18.2.26 and the size of the file is 9,888KB.

  4. Download a sample ipfixify.cfg config file from https://github.com/plixer/ipfixify/tree/master/examples/SysMetrics

  5. Update the ipfixify.cfg file to match your environment:

    1. Comment out the following settings:

      ;vitals=yes
      ;storageAvailability=yes
      ;processList=yes
      ;processListsCPU=yes
      ;netstatDetails=yes
      ;ifStatistics=yes

    2. Add “chunking=1000”:

      chunking=1000

    3. Enter the NetFlow collector’s IP and port:

      collector=NetFlowIP:port

    4. Enter the IP address of the domain controller. For each additional domain controller, add another member line:

      member=DCip

    5. Set this value to yes if the goal is to collect username data:

      usernamesOnly=yes
      chunking=1000

  6. Configure the IPFIXify user credentials:

    1. Open a command prompt and navigate to the directory that contains ipfixify.exe.

    2. Run the following command and enter the ipfixify user and password:

      ipfixify.exe --credentials ipfixify.cfg

  7. From an administrative command prompt, run the following command to verify that IPFIXify has all the permissions needed to poll the domain controller:

      ipfixify.exe --sysmetrics --config C:\ipfixify\ipfixify.cfg -permtest IPofDC

  8. If all the tests passed, set up IPFIXify to run as a service. In an administrative command prompt, execute the following command:

      ipfixify.exe --install auto --name "Scrutinizer Username Collection" --config "C:\ipfixify\ipfixify.cfg" --sysmetrics

  9. Configure the IPFIXify service to log on as the IPFIXify user:

    1. Go to Start -> Run -> and type “services.msc”.

    2. Find the service named “IPFIXify: Scrutinizer Username Collection”, right-click it and select Properties.

    3. Click the Log On tab, select This account:, enter the IPFIXify user and password, and then select Apply.

    4. Click OK. A popup will say that the user has been granted the Log on as a service right. This means the user will not keep the Log on as a service permission across reboots; the permission can be granted as outlined in this Microsoft document: https://technet.microsoft.com/en-us/library/cc794944(v=ws.10).aspx

  10. Wait a few minutes. You should start seeing user names in Plixer Scrutinizer.

Example IPFIXify configuration

[options]
; The IP Address/Hostname and port of the IPFIX Collector(s). Multiple
; collectors can be specified on additional lines.
; collector=IP:PORT (e.g. 10.1.4.19:4739)
collector=10.1.4.188:4739
; When accessing remote machines, use the supplied credentials. This value is
; encoded, so execute the following command to manage it:
; ipfixify.exe --credentials=<PATH/TO/CFG>
credentials=6e6ff0a30ff3d13d0f9a38a753f52f44283f9a7dfd928511dbaf2f7af1446e57981dc4628c038553
; Number of minutes between ping and WMI test of all members. The default
; is 60 minutes.
testinterval=5
; The number of seconds to try and ping a host during the process of verifying
; a member is reachable. If 0 is used, then the ping test is ignored.
pingtimeout=2
; The number of threads to gather data from the members who responded. If there
; is only a small list of members, then this can be a small number (e.g. 1 - 3).
; The more threads used, the more memory will be consumed by IPFIXify.
pollthreads=5
; If vitals is a true value, then CPU, Memory, and Number of processes running
; data is collected. To disable these statistics, comment out the following
; line.
vitals=yes
; If storageAvailability is a true value, then disk availability is collected.
; To disable these statistics, comment out the following line.
storageAvailability=yes
; If eventlogs is a true value, then System, Security, and Application
; Eventlogs are collected. To disable these statistics, comment out the
; following line.
eventlogs=yes
; usernamesOnly is used in conjunction with the eventlogs option.  If username
; integration with Scrutinizer is the only goal, then this line should be un-commented
usernamesOnly=yes
; If processLists is a true value, then running processes data is collected.
; To disable these statistics, comment out the following line.
;processLists = yes
; If processListCPU is a true value, then CPU per process data is collected.
; To disable these statistics, comment out the following line.
;processListsCPU = yes
; If netstatDetails is a true value, then netstat details are collected.
; To disable these statistics, comment out the following line.
;netstatDetails = yes
; The list below contains the current hosts being polled by the IPFIXify
; Agent. One host or IP Address per line. It is recommended to use IP
; Addresses in case there are DNS issues.
member=10.1.5.1
member=10.1.5.2
chunking=1000
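To check an edited ipfixify.cfg against the "Update the ipfixify.cfg file" steps and the example configuration above, here is an added Python lint (written for this page, not part of IPFIXify) that parses the file's ';'-comment, [section], key=value format, keeping repeated member= lines as a list. The sample configuration is constructed, and the rule that a credentials value must be a hex blob (anything else is treated as a possible plaintext password) is an assumption of this example.

```python
import ipaddress, re
# Data-collection options the guide says to comment out for username-only collection.
NOT_FOR_USERNAMES = ("vitals", "storageAvailability", "processList", "processLists",
                     "processListsCPU", "netstatDetails", "ifStatistics")

def parse_cfg(text):
    """';' comments, [section] headers, key=value; repeated keys (member=) kept as a list."""
    opts = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in ";[":
            key, _, value = line.partition("=")
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def lint_cfg(text):
    """Return the problems found against the setup steps above; an empty list means OK."""
    opts, problems = parse_cfg(text), []
    if not opts.get("collector"):
        problems.append("no collector= line")
    for c in opts.get("collector", []):
        host, _, port = c.rpartition(":")
        if not (host and port.isdigit() and 0 < int(port) < 65536):
            problems.append(f"collector '{c}' is not IP:port")
    if not opts.get("member"):
        problems.append("no member= (domain controller) lines")
    for m in opts.get("member", []):
        try:
            ipaddress.ip_address(m)
        except ValueError:
            problems.append(f"member '{m}' is not an IP address (the guide recommends IPs)")
    if opts.get("usernamesOnly", [""])[0] == "yes" and opts.get("eventlogs", [""])[0] != "yes":
        problems.append("usernamesOnly=yes only works together with eventlogs=yes")
    if "chunking" not in opts:
        problems.append("chunking= not set (the guide adds chunking=1000)")
    # Assumption: --credentials stores a hex blob, so anything else may be a plaintext password.
    if not re.fullmatch(r"[0-9a-fA-F]{32,}", opts.get("credentials", [""])[0]):
        problems.append("credentials= missing or not the encoded form written by --credentials")
    problems += [f"{k} is still enabled; comment it out for username-only collection"
                 for k in NOT_FOR_USERNAMES if k in opts]
    return problems

# Constructed sample that follows the steps above (not a real deployment).
SAMPLE_CFG = """[options]
collector=10.1.4.188:4739
credentials=6e6ff0a30ff3d13d0f9a38a753f52f44283f9a7dfd928511dbaf2f7af1446e57
eventlogs=yes
usernamesOnly=yes
member=10.1.5.1
chunking=1000
"""
```

Running `lint_cfg(open("C:/ipfixify/ipfixify.cfg").read())` before step 7's --permtest catches the common mistakes (hostnames in member=, collection options left on, a missing chunking= line) without touching the domain controller.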