Microsoft Active Directory over LDAP

When Microsoft Active Directory (AD) username reporting is enabled, Plixer Scrutinizer is able to retrieve domains, datasources, and first/last seen details for AD users and report the information in various web interface views and functions.

This integration relies on the Plixer AD Users utility to retrieve username data and forward it to Plixer Scrutinizer as IPFIX flows.

The Plixer AD Users utility reads a Windows event log file, continually parses authentication events, and sends the event data to an IPFIX collector (Plixer Scrutinizer) for viewing in the Usernames table. If the AD Users service is stopped, the record ID of the last event sent is saved to last_recordID.txt. If this file exists at startup, only events with record IDs greater than the number in the file are sent to Scrutinizer. This avoids sending duplicate events to the collector and avoids a gap in the authentication events processed should the program restart.

Configuring the servers

User Permissions

By default, the Plixer AD Users installer configures the program to run using a Local System account, which is the recommended configuration. However, the program can also be configured to run as a different user.

If not using a Local System account, the user who is configured to run the Plixer AD Users service needs to:

  • Be an administrator

  • Have permissions to query Domain Controller event logs by being added to the Event Log Readers built-in group

  • Have Log on as a service rights if running as a service

Domain Controller Audit Policies

To allow authentication events to be collected, logon/logoff audit policies on the domain controller must be enabled.

To do this, make the following changes to the domain controller’s default policies:

  1. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

  2. Enable Success and Failure for Audit Logoff and Audit Logon.

The advanced audit policies require that another group policy override setting is enabled. To do this, follow these steps:

  1. Expand Computer Configuration > Policies > Windows Settings > Local Policies > Security Options.

  2. Select Audit: Force audit policy subcategory settings.

  3. Tick Define this policy setting, and then tick Enable.
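A PowerShell check for the two audit settings above, added here as an example and not part of the Plixer documentation. It assumes English-language auditpol output and that the "Force audit policy subcategory settings" override is stored as the SCENoApplyLegacyAuditPolicy registry value; run it from an elevated prompt on the domain controller after the group policy has applied:

```powershell
# Added verification script (not part of the Plixer documentation): confirms that the
# Logon/Logoff audit subcategories and the subcategory override are in effect.
$ErrorActionPreference = 'Stop'

function Get-AuditSetting {
    param([string]$Subcategory)
    # auditpol /r emits CSV; the "Inclusion Setting" column holds values such as
    # "Success and Failure" or "No Auditing" (English builds assumed).
    $rows = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv
    return @($rows)[0].'Inclusion Setting'
}

$problems = @()
foreach ($sub in 'Logon', 'Logoff') {
    $setting = Get-AuditSetting -Subcategory $sub
    Write-Host ("Audit {0,-7}: {1}" -f $sub, $setting)
    if ($setting -ne 'Success and Failure') {
        $problems += "Audit $sub must be 'Success and Failure' (currently '$setting')"
    }
}

# "Audit: Force audit policy subcategory settings" is persisted under the Lsa key as
# SCENoApplyLegacyAuditPolicy = 1; without it the legacy category policy can override
# the advanced subcategory settings configured above.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$override = $lsa.SCENoApplyLegacyAuditPolicy
Write-Host "SCENoApplyLegacyAuditPolicy: $override"
if ($override -ne 1) {
    $problems += "Subcategory override is not enabled (SCENoApplyLegacyAuditPolicy is not 1)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Audit configuration matches the Plixer AD Users requirements.'
```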

Event Forwarding

Running Plixer AD Users directly on the Active Directory server doesn’t require any extra configuration, other than ensuring that the config file points to Security.evtx.

To run Plixer AD Users on a separate event collection server joined to the same domain as the Active Directory server/Domain Controller, follow these steps:

  1. On the Active Directory server(s), run the following command from an elevated-permissions command prompt: C:\> winrm quickconfig

  2. On the event collection server, run the following command from an elevated-permissions command prompt: C:\> wecutil qc

  3. Establish a subscription by performing the following on the event collection server:

    • As an Administrator, launch Event Viewer and click Subscriptions.

    • In the Actions pane, click Create Subscription.

    • Enter a subscription name.

    • Select Computers, and then enter your Active Directory server(s).

    • Go to Destination log > Forwarded Events, and then select Keep User Account as Machine Account.

    • Select Events, then select Security for Event logs, and then enter the following event IDs to include: 4624,4634,4647,6272-6274,6278,6279.
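A PowerShell check, added here as an example and not part of the Plixer documentation, that confirms the subscription is actually delivering the event IDs listed above. Run it on the event collection server; the $LogName and $LookbackMinutes parameters are assumptions (use Security as the log name when checking a domain controller directly):

```powershell
# Added verification script (not part of the Plixer documentation): counts the
# subscribed event IDs that arrived in the target log during the lookback window.
param(
    [string]$LogName = 'ForwardedEvents',   # 'Security' when run on the DC itself
    [int]$LookbackMinutes = 60
)

# Event IDs from the subscription filter in the steps above
$wantedIds = @(4624, 4634, 4647, 6272, 6273, 6274, 6278, 6279)
$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Get-WinEvent writes an error when nothing matches; treat that as zero events
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = $wantedIds
    StartTime = $since
} -ErrorAction SilentlyContinue

$counts = @{}
foreach ($id in $wantedIds) { $counts[$id] = 0 }
foreach ($e in $events) { $counts[$e.Id]++ }

Write-Host ("Events in '{0}' since {1:u}:" -f $LogName, $since)
foreach ($id in $wantedIds) {
    Write-Host ("  {0,-5} {1,6}" -f $id, $counts[$id])
}

# Forwarded events keep the originating computer in MachineName, so this shows
# which domain controllers are actually reporting through the subscription
$events | Group-Object MachineName | ForEach-Object {
    Write-Host ("  source {0}: {1} events" -f $_.Name, $_.Count)
}

# 4624/4634 are the core logon/logoff events; if neither arrives, either the
# subscription or the DC audit policy is not working
if ($counts[4624] -eq 0 -and $counts[4634] -eq 0) {
    Write-Warning "No logon/logoff events found; check 'wecutil gr <subscription name>' and the DC audit policy."
    exit 1
}
```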

Setting up Plixer AD Users utility

Once the domain controller has been correctly configured, set up Plixer AD Users on a Windows computer as follows:

  1. Contact Plixer Technical Support to download the Plixer AD Users product package.

  2. Run ad-users-installer.exe, and then go through the installation steps.

Important

Make sure that you select No to use the recommended system account, and that you tick Open config file so you can set the collector value.

Editing the config file

The config file supports the following settings (Name, Description, Default/Example):

chunking
  Description: Required. The number of Windows authentication log events to collect and then send at a time. Set to 0 to send each event as it is parsed.
  Default/Example: 1000

flush_wait_seconds
  Description: Required. The interval, in seconds, at which any events in the buffer are sent. Set to 0 to rely on the chunking value alone for sending events.
  Default/Example: 60

path
  Description: Required. The path to the Windows event log. Use ForwardedEvents.evtx if forwarding events, or Security.evtx if running directly on the AD server.
  Default/Example: C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx

collector
  Description: Required. The Plixer Scrutinizer collector that flows are sent to. The format must be IP:port.
  Default/Example: 127.0.0.1:2055

exporter
  Description: Not required. Defaults to the local IP address with port 9996. To specify your own value, use the format IP:port.
  Default/Example: 8.8.8.8:9996

log.name
  Description: Not required. Defaults to ad-users.log in the executable directory (used if not running as a service).
  Default/Example: ad-users.log

log.level
  Description: Not required. Defaults to debug (used if not running as a service).
  Default/Example: Info

Starting the service

  1. Open Services, and then right-click on Plixer AD Users.

  2. Select Properties, and then in the General tab, set the startup type to Automatic (Delayed Start).

  3. Go to the Recovery tab, and then set all three failure options to Restart the Service.

  4. Click OK to save.
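The same four steps applied from an elevated PowerShell prompt with sc.exe, added here as an example and not part of the Plixer documentation. It assumes the service's display name is exactly "Plixer AD Users" as shown in the Services console and resolves the short service name at run time:

```powershell
# Added helper (not part of the Plixer documentation): applies the startup type and
# recovery settings from the steps above without using the Services console.
$ErrorActionPreference = 'Stop'

function Invoke-Sc {
    # sc.exe reports success on stdout but signals failure only via its exit code
    param([string[]]$ScArgs)
    $out = & sc.exe @ScArgs
    if ($LASTEXITCODE -ne 0) { throw "sc.exe $($ScArgs -join ' ') failed: $out" }
}

# Step 1: locate the service by display name; sc.exe needs the short service name
$svc = Get-Service -DisplayName 'Plixer AD Users'
$name = $svc.Name

# Step 2: startup type Automatic (Delayed Start)
Invoke-Sc -ScArgs @('config', $name, 'start=', 'delayed-auto')

# Step 3: all three failure actions set to restart (60 s delay each);
# reset= 86400 clears the failure counter after a day without failures
Invoke-Sc -ScArgs @('failure', $name, 'reset=', '86400',
    'actions=', 'restart/60000/restart/60000/restart/60000')

# Step 4 has no equivalent here (no dialog to save); start the service if needed
if ($svc.Status -ne 'Running') { Start-Service -Name $name }

# Verify: qc shows START_TYPE "AUTO_START (DELAYED)", qfailure lists the actions
& sc.exe qc $name
& sc.exe qfailure $name
Get-Service -Name $name | Select-Object Name, DisplayName, Status
```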

Verifying the setup

Checking log files

If running Plixer AD Users as a service, the Application log in Event Viewer will show the program’s log messages. At startup, there will be a few Info messages indicating everything was configured properly and the program has started event monitoring. After that, there will only be Error log messages if any errors occur or if the service is stopped. If the service restarts, the startup Info messages will be logged again.

If running Plixer AD Users from a command prompt, pass the run command-line argument. Log messages are written to the log file as well as to the console (stdout).

C:\Windows\system32\>cd C:\ad-users
C:\ad-users\>ad-users.exe run
Detected 'run' program argument, not running as a service
{"level":"info","time":"2023-04-14T00:12:12-04:00","message":"Successfully set config values: chunking=1; path=C:\\Windows\\System32\\winevt\\Logs\\Security.evtx; exporter=; collector=10.x.x.x:2055"}
{"level":"info","time":"2023-04-14T00:12:12-04:00","message":"Successfully set collector: 10.x.x.x:2055 and exporter: 10.x.x.x:9996 endpoints"}
{"level":"info","time":"2023-04-14T00:12:13-04:00","message":"Successfully opened Windows events file: C:\\Windows\\System32\\winevt\\Logs\\Security.evtx"}
{"level":"info","time":"2023-04-14T00:12:13-04:00","message":"Starting event monitoring"}

Checking Scrutinizer for IPFIX flows

In the Plixer Scrutinizer UI Usernames table, AD Users authentication events will start populating. Plixer AD Users sends the IP address (no IPv6 support currently), logon type (logon or logoff), domain, username, and machine name of the authentication event.

If usernames aren’t showing up as expected, double-check that you have enough exporters enabled for your Plixer Scrutinizer license.

The Plixer AD Users machine will count as an exporter since it is sending flows with username data to Plixer Scrutinizer.

You can see how many exporters you have licensed in the Plixer Scrutinizer UI under Admin > Settings > Licensing > Exporter Count and Enabled Exporters. You can also view specific exporters under Admin > Definitions > Manage Exporters.

Export spreading

The config values for chunking and flush_wait_seconds should mitigate any issues from too many events being exported at a time: chunking allows for a given number of events to be queued in the buffer then sent all at once, and flush_wait_seconds will flush the buffer periodically to avoid events sitting in the queue for too long when fewer authentication events are logged in a minute than the set chunking value. However, if working with a Plixer Scrutinizer set up where too many Active Directory authentication events at a time is a concern, you can prevent Netflow export storms by enabling export spreading following the instructions here for your performance monitor configuration.