Active Directory monitoring

[Nataliia]

Hi,

Could you tell, please, does Wazuh can comunicate via dcom? We need to monitor Active Directory, but without installing agent on Domain Controller. As Domain Controllers working on the Windows, I cannot use agentless monitoring which discribed at guide - https://documentation.wazuh.com/4.3/user-manual/capabilities/agentless-monitoring/index.html

Which solution can you provide for Active Directory monitoring?

[Jorge Eduardo Molas]

Hi Nataliia 
I will be working on your question. I'll get back shortly. 

[Nataliia]

Hi Jorge,

Do you have any updates for my case?

понеділок, 27 лютого 2023 р. о 20:35:37 UTC+2 Jorge Eduardo Molas пише:

[Jorge Eduardo Molas]

Hello Natalia, I am sorry for the delay in the response. I was trying to replicate a use case like the one suggested.
Unfortunately, it is not possible to use the agentless option for Windows.
Without the possibility of deploying Wazuh agents on the servers.
Wazuh has the ability to receive logs in Rsyslog format without the need to deploy a Wazuh agent on the host. This is a solution for systems where software such as firewalls and switches cannot be installed, although it can also be used for linux hosts that have Rsyslog integrated (ubuntu). Wazuh also supports receiving logs via Logstash, which can be installed on Windows, however, you should also install the agent.
There are solutions for Rsyslogs windows, but it is not a way tested by Wazuh for this OS.
I hope this information is helpful.

Regards!

[Nataliia]

Hello Jorge!

Thank you for information!

Could you please provide me information how to setup Rsyslog on Windows?

понеділок, 6 березня 2023 р. о 16:00:38 UTC+2 Jorge Eduardo Molas пише:

[Pablo Ariel Gonzalez]

Hi Nataliia,

You could send the events via syslog in Windows following Wazuh's documentation. If you have any more questions you can create a new thread for further discussion.

Thanks,