Active Directory

Forward Active Directory logs to a Syslog endpoint by consolidating logs using Windows Event Forwarding and forwarding them with a script or third-party tool.

Prerequisites

  • Windows Server with Active Directory Domain Services and Windows Event Forwarding configured.
  • Scripting environment or third-party Syslog forwarder installed on the Windows Server.
  • Syslog endpoint details: ``, ``.

Configuration Steps

1. Configure Windows Event Forwarding

  • On your domain controllers, enable Windows Event Forwarding to forward security-related logs (e.g., logon events, account management) to a single Windows Server. Microsoft provides guidance on setting up WEF.

2. Install a Syslog Forwarder on the Collector Server

  • Choose and install a third-party Syslog forwarder that is compatible with Windows, such as NXLog or Winlogbeat, on the server collecting forwarded events.

3. Configure the Syslog Forwarder

Adjust your Syslog forwarder's configuration to read from the Windows Event Log and forward events to your Syslog endpoint.

Example nxlog.conf snippet for NXLog:

# Provides the syslog formatting functions (to_syslog_bsd() is used in the Output block).
<Extension syslog>
    Module      xm_syslog
</Extension>

# Read events from the Windows Event Log on the collector. A WEF subscription delivers
# forwarded events to the collector's ForwardedEvents channel by default, so use
# Path="ForwardedEvents" (or add a second <Select>) unless the subscription was
# configured to write into the Security log.
<Input in>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

# Send each event as a BSD syslog line over UDP. UDP is unauthenticated and best-effort;
# NXLog's om_tcp or om_ssl modules can be used instead if the endpoint supports them.
<Output out>
    Module      om_udp
    Host        <SYSLOG_ENDPOINT>
    Port        <SYSLOG_PORT>
    Exec        to_syslog_bsd();
</Output>

# Connect the input to the output.
<Route 1>
    Path        in => out
</Route>

Replace <SYSLOG_ENDPOINT> and <SYSLOG_PORT> with your Syslog server details.

4. Start the Syslog Forwarder Service

Ensure the Syslog forwarder service (e.g., NXLog) is running on the collector server to begin forwarding logs to your Syslog endpoint.

5. Verify Log Forwarding

Generate test AD events (e.g., user logon, account changes) and check your Syslog server to confirm receipt of these events.
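To make the verification step concrete, the following added example (not part of the original page, and not NXLog's or Microsoft's code) is a small receiver for the BSD syslog lines that NXLog's to_syslog_bsd() emits. It parses the PRI, timestamp, host and tag, recognises a few common Active Directory audit events by the first sentence of their message text (the BSD line carries the event text, not the numeric Event ID), and summarises what arrived per host and category. The sample lines, the host name DC01, the tag layout `SourceName[ProcessID]:` and the message-to-Event-ID table are assumptions made for the example.

```python
"""Minimal BSD syslog (RFC 3164) receiver and parser for checking that forwarded
Active Directory events reach the Syslog endpoint. Added example; not part of the
original guide or of NXLog."""
import re
import socket

# <PRI>Mmm dd HH:MM:SS host tag[pid]: message
# ASSUMPTION: NXLog's to_syslog_bsd() fills the tag with the event SourceName and ProcessID.
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# First sentence of common Security-log audit messages -> (Event ID, category).
# ASSUMPTION: compiled for this example from Windows audit message text; extend as needed.
AD_EVENT_HINTS = {
    "An account was successfully logged on.": ("4624", "logon"),
    "An account failed to log on.": ("4625", "failed logon"),
    "A user account was created.": ("4720", "account management"),
    "A user account was deleted.": ("4726", "account management"),
    "A member was added to a security-enabled global group.": ("4728", "group membership"),
}

# Constructed sample datagrams, shaped like NXLog output for the Security channel.
SAMPLE_LINES = [
    "<14>Oct 11 22:14:15 DC01 Microsoft-Windows-Security-Auditing[4]: "
    "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18",
    "<14>Oct 11 22:14:16 DC01 Microsoft-Windows-Security-Auditing[4]: A user account was created.",
    "<14>Oct 11 22:14:17 DC01 Microsoft-Windows-Security-Auditing[4]: An account failed to log on.",
    "<14>Oct 11 22:14:18 DC01 Microsoft-Windows-Security-Auditing[4]: A privileged service was called.",
]


def parse_bsd_syslog(line):
    """Split one BSD syslog line into its fields; raise ValueError on malformed input."""
    m = _BSD_RE.match(line.strip())
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:80])
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23, severity 0-7 => PRI 0-191
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def classify_ad_event(message):
    """Map the first line of the event text to an Event ID and category, or None."""
    first = message.split("\n", 1)[0].strip()
    for prefix, (event_id, category) in AD_EVENT_HINTS.items():
        if first.startswith(prefix):
            return {"event_id": event_id, "category": category}
    return None


def summarize(lines):
    """Count parsed/rejected lines and tally events per source host and category."""
    summary = {"parsed": 0, "rejected": 0, "by_host": {}, "by_category": {}}
    for line in lines:
        try:
            rec = parse_bsd_syslog(line)
        except ValueError:
            summary["rejected"] += 1
            continue
        summary["parsed"] += 1
        summary["by_host"][rec["host"]] = summary["by_host"].get(rec["host"], 0) + 1
        ev = classify_ad_event(rec["message"])
        cat = ev["category"] if ev else "other"
        summary["by_category"][cat] = summary["by_category"].get(cat, 0) + 1
    return summary


def listen_udp(bind_host, port, max_messages, timeout=30.0):
    """Receive up to max_messages UDP datagrams on the Syslog port and return them as text."""
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_host, port))
        sock.settimeout(timeout)
        while len(lines) < max_messages:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break
            lines.append(data.decode("utf-8", errors="replace"))
    return lines


if __name__ == "__main__":
    # Offline check on the constructed samples, then a short live capture on UDP/514
    # (binding 514 needs elevated privileges; pick a high port if the endpoint allows it).
    print(summarize(SAMPLE_LINES))
    print(summarize(listen_udp("0.0.0.0", 514, max_messages=20)))
```

Run it on the Syslog endpoint (or on any host temporarily pointed to by `<SYSLOG_ENDPOINT>`) while generating the test logon and account-management events; a summary showing the domain controller's host name with non-zero "logon" and "account management" counts confirms the whole path, while "rejected" counts or an unexpected host name point at a formatting or routing problem in the forwarder configuration.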