Active directory logon/logoff logs


Uğur Aygün

May 24, 2023, 8:27:04 AM
to Wazuh mailing list
Hi guys;

I need to check which user connected to domain-joined computers, but I need to get that log from Active Directory. I see some logs, but they do not give me the user names; they only say $ad.

https://techexpert.tips/windows/gpo-audit-logon-success-failure/  I tried enabling this, but I still can't get logs.

Any help would be appreciated

Thanks in advance

Belen Valdivia

May 24, 2023, 2:49:00 PM
to Wazuh mailing list

Hello,

To get user names for domain-joined computers, you can use the Wazuh Active Directory integration. This integration allows you to monitor and analyze Active Directory events, including logon events. You can configure the integration to extract the user name from the logon event and send an alert to Wazuh. From there, you can view the alert in the Wazuh dashboard or Kibana and take appropriate action.

Wazuh can process the logs from the following Azure AD activity reports, each one of them requiring a different query to be executed:

Report type         Query
Directory audits    auditLogs/directoryaudits
Sign-ins            auditLogs/signIns
Provisioning        auditLogs/provisioning

To monitor Azure Active Directory effectively, I recommend referring to the official Wazuh documentation on Monitoring Azure Active Directory. This resource will provide you with detailed information and instructions on how to configure and use Wazuh for this purpose: Wazuh - Monitoring Azure Active Directory

The Wazuh "azure-logs" module requires dependencies to work as well as the right credentials to access the logs. Take a look at this link before proceeding:
Wazuh - Monitoring activity and services - Prerequisites

Check the azure-logs module reference for more information about how to use the different parameters available.

Also, this documentation here and here gives you detailed information on how to monitor Active Directory logs.

Regards!
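For reference, this is what the three report types from the table above look like as one azure-logs module configuration in the manager's ossec.conf. It is an added example, not part of the reply above or of the Wazuh documentation, and the application id, application key and tenant domain are placeholders to be replaced with the app registration created under the Prerequisites link.

```xml
<!-- Added example: one <request> per Azure AD activity report from the table above.
     Placeholder credentials; replace with the registered application's values. -->
<wodle name="azure-logs">
  <disabled>no</disabled>
  <interval>1d</interval>
  <run_on_start>yes</run_on_start>

  <graph>
    <!-- Placeholders: values come from the Azure app registration, not from this thread -->
    <application_id>APPLICATION_ID_PLACEHOLDER</application_id>
    <application_key>APPLICATION_KEY_PLACEHOLDER</application_key>
    <tenantdomain>example.onmicrosoft.com</tenantdomain>

    <!-- Directory audits: changes made to directory objects -->
    <request>
      <tag>azure-ad-directory-audits</tag>
      <query>auditLogs/directoryaudits</query>
      <time_offset>1d</time_offset>
    </request>

    <!-- Sign-ins: the report that carries the user name for each logon -->
    <request>
      <tag>azure-ad-sign-ins</tag>
      <query>auditLogs/signIns</query>
      <time_offset>1d</time_offset>
    </request>

    <!-- Provisioning: account provisioning activity -->
    <request>
      <tag>azure-ad-provisioning</tag>
      <query>auditLogs/provisioning</query>
      <time_offset>1d</time_offset>
    </request>
  </graph>
</wodle>
```

The tag of each request is what the resulting alerts are labelled with in the dashboard, so one tag per report type keeps sign-ins separable from the other two reports.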

Uğur Aygün

May 26, 2023, 2:53:32 AM
to Belen Valdivia, Wazuh mailing list
Hello, thank you for the response. Actually, I am not using Azure; we have an on-premise Active Directory server.

I will try the last 2 documents you sent.

To clarify, we can get logs from Active Directory, but only logoff, not logon. And the logoff logs show computer names.

I hope this is clearer.

Thanks again.
