Active Directory Integration#

Installation prerequisites#

Before you install and Event Log Forwarer (ELF) on one or more of your devices, please ensure that you have enabled audit of events.

On each of your Domain Controllers (DC) go to: Windows Administrative ToolsLocal Security Policy, and then Security SettingsLocal PoliciesAudit Policy, and there find Audit account logon events, Audit account sign-in events and Audit logon events.

Some settings may differ in name or be missing, based on your Windows version.

_images/ad-integration-1.png

Check both Success and Failure boxes.

_images/ad-integration-2.png

You may need to reload configured policy. To reload policy, please run following command:

gpupdate /force

Domain Controller Configuration#

DC Firewall on Windows#

Ensure that Event Log can be accessed through your Firewall configuration using WMI.

On each of your Domain Controllers go to: Windows Defender FirewallWindows Defender Firewall with Advanced Security on Local Computer Inbound RulesWindows Management Instrumentation (WMI-In)

ensure the rule allows connections

_images/ad-integration-3.png

set up a scope of allowed addresses that may connect. In this example a remote address 192.168.1.0/24 is allowed.

_images/ad-integration-4.png

Or, alternatively you can use command line:

netsh firewall set service RemoteAdmin enable

DC Firewall Rules#

Source

Direction

Destination

Port

Protoocol

Reason

DC

—>

local netwk

135

TCP/UDP

Microsoft RPC

DC

—>

local netwk

445

TCP

Microsoft MQ

DC

—>

local netwk

ICMP

Windows Service#

Please ensure that Windows Management Instrumentation service is running.

C:\Users\Administrator>sc query Winmgmt

SERVICE_NAME: Winmgmt
      TYPE               : 30  WIN32
      STATE              : 4  RUNNING
                              (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
      WIN32_EXIT_CODE    : 0  (0x0)
      SERVICE_EXIT_CODE  : 0  (0x0)
      CHECKPOINT         : 0x0
      WAIT_HINT          : 0x0
_images/ad-integration-5.png

WMI Remote Configuration#

If you chose to install ELF on another Windows PC, ensure that it can use WMI remotely. To enable Remote WMI for the account which will be used to connect to Domain Controller, go to: Computer ManagementServices and ApplicationsWMI Control Right click on it and selet Properties

_images/ad-integration-6.png

Select Security tab, then choose the Root namespace and hit Security button.

_images/ad-integration-7.png

Add user to the list or select a group it belongs to, check Remote Enable permission.

_images/ad-integration-8.png

Event Log Forwarder#

You can install ELF locally on the DC or on another Windows PC. ELF uses following connections:

ELF Firewall Rules#

Source

Direction

Destination

Port

Protoocol

Reason

ELF

—>

DC

135

TCP/UDP

ELF

—>

resolver

4222

TCP

NATS Message Queue

Install Instructions#

Install or Update:

msiexec /i "Whalebone.Event.Log.Forwarder.Installer.msi" ui="true"

Uninstall:

msiexec /x "Whalebone.Event.Log.Forwarder.Installer.msi

Configuration Instructions#

Installer shall open configuration Window automatically. You may access configuration from favourite web browser using command:

start http://localhost:55225/Configure/AD
_images/ad-integration-9.png

Service Logs#

Service logs can be found at c:\ProgramData\Whalebone\Event Log Forwarder\, which contain detailed information about service state. In case you encounther unexpected service behaviour please include this folder along inside your support ticket.