Thursday, June 27, 2013

windows eventlogs filtering

Using event log forwarding (WEF subscriptions) to pass events to a central monitoring server, which Splunk then indexes.
(This saves having to put Universal Forwarders or other agents on our Domain Controllers.)

AD records directory changes with event ID 5136 ("A directory service object was modified"), which is only logged when the Directory Service Changes audit subcategory is enabled and the object's SACL audits the write.
It fires for every object class, so it also records things like dnsNode updates.
At the moment we only want the user object changes,
and want to exclude certain attributes from the event data.

Using a custom view to pull the 5136 events from remote domain controllers (element names in the query XML are case-sensitive, so QueryList/Query/Select/Suppress have to match exactly):

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5136)]] and *[EventData[Data[@Name='ObjectClass'] and (Data='user')]]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='AttributeLDAPDisplayName'] and (Data='userCertificate')]]
    </Suppress>
  </Query>
</QueryList>

The Select keeps 5136 events whose ObjectClass is user; the Suppress then drops those where the modified attribute is userCertificate. One caveat: the `Data[@Name='ObjectClass'] and (Data='user')` form that Event Viewer generates matches when any Data field equals 'user', not just ObjectClass. If that turns out to be too loose, `Data[@Name='ObjectClass']='user'` pins the comparison to that one field.
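To see what the filter actually returns before wiring it into a subscription, here is an added PowerShell example (not from the original post) that runs the same query against a domain controller with Get-WinEvent and unpacks the named EventData fields of each 5136 event. The DC name dc01, the 24-hour window and Event Log Readers access on the DC are assumptions; the OperationType string IDs %%14674 (value added) and %%14675 (value deleted) are the ones Windows uses in this event.

```powershell
# Added example (not from the original post): dry-run the 5136 filter against a
# domain controller before deploying it as a WEF subscription, and unpack the
# EventData fields that matter for user-object change tracking.
# Assumptions: the DC is reachable as 'dc01' over RPC and the caller has
# Event Log Readers rights there; adjust -ComputerName and -Since as needed.

# Same structured query as the custom view. Event Viewer's query XML is
# case-sensitive, so QueryList/Query/Select/Suppress must be spelled exactly so.
# For a large Security log, add TimeCreated[timediff(@SystemTime) <= 86400000]
# to the System[...] clause instead of filtering client-side as below.
$FilterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5136)]] and *[EventData[Data[@Name='ObjectClass'] and (Data='user')]]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='AttributeLDAPDisplayName'] and (Data='userCertificate')]]
    </Suppress>
  </Query>
</QueryList>
'@

# 5136 logs each attribute change as two events, one for the old value (deleted)
# and one for the new value (added). OperationType carries a resource string ID.
$OperationType = @{
    '%%14674' = 'Value Added'
    '%%14675' = 'Value Deleted'
}

function Get-UserObjectChange {
    param(
        [string]$ComputerName = 'dc01',              # assumed DC name
        [datetime]$Since = (Get-Date).AddHours(-24)  # assumed look-back window
    )

    Get-WinEvent -ComputerName $ComputerName -FilterXml $FilterXml |
        Where-Object { $_.TimeCreated -ge $Since } |
        ForEach-Object {
            # Convert to XML so EventData fields can be read by name, not position.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                DC            = $_.MachineName
                Subject       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ObjectDN      = $data['ObjectDN']
                Attribute     = $data['AttributeLDAPDisplayName']
                Value         = $data['AttributeValue']
                Operation     = $OperationType[$data['OperationType']]
                # OpCorrelationID is shared by the delete/add pair of one change.
                CorrelationID = $data['OpCorrelationID']
            }
        }
}

# What changed on user objects in the last 24 hours, with the old/new pair of
# each attribute change sorted next to each other.
Get-UserObjectChange -ComputerName 'dc01' |
    Sort-Object CorrelationID, Operation |
    Format-Table TimeCreated, Subject, ObjectDN, Attribute, Operation, Value -AutoSize
```

Because every attribute change produces a Value Deleted and a Value Added event sharing one OpCorrelationID, sorting on that field is what lets you read the old and new value together; it is also the field to group on once the events land in Splunk.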

Was getting locale errors with the event logs, so had to set the system language to English (United States).


Good link for info about auditing AD:
http://blogs.technet.com/b/askpfeplat/archive/2012/04/22/who-moved-the-ad-cheese.aspx
