Active Directory Integration

Installation prerequisites

Before you install an Event Log Forwarder (ELF) on one or more of your devices, please ensure that auditing of logon events is enabled.

On each of your Domain Controllers (DC) go to: Windows Administrative Tools > Local Security Policy, then Security Settings > Local Policies > Audit Policy, and find Audit account logon events, Audit account sign-in events and Audit logon events.

Some settings may differ in name or be missing, based on your Windows version.

_images/ad-integration-1.png

Check both the Success and Failure boxes.

_images/ad-integration-2.png

You may need to reload the configured policy. To do so, please run the following command:

gpupdate /force
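The same audit configuration can be applied and verified from the command line. The following PowerShell script is an added example, not part of the Whalebone documentation: it enables Success and Failure auditing for the "Account Logon" and "Logon/Logoff" audit categories (the advanced-policy equivalents of the legacy Audit account logon events and Audit logon events settings), reloads policy, and then reads the result back with auditpol so that a subcategory that is still not audited is reported instead of silently missed.

```powershell
# Added example (not part of the Whalebone documentation): enable Success and
# Failure auditing for the logon-related categories with auditpol, then verify.
# The legacy policies "Audit account logon events" and "Audit logon events"
# correspond to the "Account Logon" and "Logon/Logoff" audit categories.
# Run in an elevated PowerShell prompt on each Domain Controller.

$categories = @('Account Logon', 'Logon/Logoff')

foreach ($category in $categories) {
    # /set with both success and failure is the CLI equivalent of ticking both boxes
    auditpol.exe /set /category:"$category" /success:enable /failure:enable | Out-Null
}

# Re-apply group policy so the effective policy is what the check below reads
gpupdate.exe /force | Out-Null

# Verify: /r prints CSV, so every subcategory can be checked as an object
$report = foreach ($category in $categories) {
    auditpol.exe /get /category:"$category" /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv
}
$notAudited = $report | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }

if ($notAudited) {
    Write-Warning 'Subcategories still not fully audited:'
    $notAudited | Format-Table Subcategory, 'Inclusion Setting' -AutoSize
} else {
    Write-Host "All subcategories of $($categories -join ', ') audit Success and Failure."
}
```

If a Group Policy Object applied to the Domain Controllers OU already defines audit policy, the domain setting overrides the local one on the next policy refresh, so in that case enable the categories in that GPO rather than locally; the verification part of the script is still useful, because it reports the effective policy whichever source it came from.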

Domain Controller Configuration

DC Firewall on Windows

Ensure that the Event Log can be accessed through your firewall configuration using WMI.

On each of your Domain Controllers go to: Windows Defender Firewall > Windows Defender Firewall with Advanced Security on Local Computer > Inbound Rules > Windows Management Instrumentation (WMI-In).

Ensure that the rule allows connections.

_images/ad-integration-3.png

Then set up the scope of allowed addresses that may connect. In this example the remote address range 192.168.1.0/24 is allowed.

_images/ad-integration-4.png

Alternatively, you can use the command line:

netsh firewall set service RemoteAdmin enable

DC Firewall Rules

Source   Direction   Destination     Port   Protocol   Reason
DC       —>          local network   135    TCP/UDP    Microsoft RPC
DC       —>          local network   445    TCP        Microsoft MQ
DC       —>          local network          ICMP

Windows Service

Please ensure that the Windows Management Instrumentation service (Winmgmt) is running:

C:\Users\Administrator>sc query Winmgmt

SERVICE_NAME: Winmgmt
      TYPE               : 30  WIN32
      STATE              : 4  RUNNING
                              (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
      WIN32_EXIT_CODE    : 0  (0x0)
      SERVICE_EXIT_CODE  : 0  (0x0)
      CHECKPOINT         : 0x0
      WAIT_HINT          : 0x0

_images/ad-integration-5.png
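The firewall rule and the service state above can be checked and corrected in one go with the current firewall cmdlets (the netsh firewall context shown earlier is the older interface). The following script is an added example, not part of the Whalebone documentation; the allowed network 192.168.1.0/24 is taken from the screenshot example and must be replaced with the network your ELF host actually sits in. It enables the WMI-In rule if it is disabled, narrows its remote-address scope if the rule is open to any address, and makes sure Winmgmt is running and starts automatically.

```powershell
# Added example (not part of the Whalebone documentation): verify on a Domain
# Controller that the WMI-In firewall rule is enabled and scoped to the ELF
# host's network, and that the WMI service (Winmgmt) is running.
# $AllowedRemote is an assumption; replace it with the network of the ELF host.
$AllowedRemote = '192.168.1.0/24'
$RuleName      = 'Windows Management Instrumentation (WMI-In)'

# There is normally one rule per profile with this display name; the cmdlets
# below act on all of them at once.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
if ($rule.Enabled -ne 'True') {
    Write-Warning "$RuleName is disabled; enabling it."
    Set-NetFirewallRule -DisplayName $RuleName -Enabled True
}

# Restrict the rule to the allowed source network instead of leaving it open to Any
$filter = $rule | Get-NetFirewallAddressFilter
if ($filter.RemoteAddress -contains 'Any' -or $filter.RemoteAddress -notcontains $AllowedRemote) {
    Write-Warning "Scoping $RuleName to $AllowedRemote (was: $($filter.RemoteAddress -join ', '))."
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $AllowedRemote
}

# Winmgmt must be running and should come back after a reboot
$svc = Get-Service -Name Winmgmt
if ($svc.Status -ne 'Running') {
    Write-Warning 'Winmgmt is not running; starting it.'
    Start-Service -Name Winmgmt
}
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name Winmgmt -StartupType Automatic
}

# Final state: the service line corresponds to what "sc query Winmgmt" shows
Get-Service -Name Winmgmt | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Profile,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ' } }
```

Run it in an elevated PowerShell prompt on each DC. Scoping the rule to the ELF host's network is the part worth keeping even if everything else is already in place: WMI-In open to any address exposes DCOM on the Domain Controller to every host that can reach it.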

WMI Remote Configuration

If you chose to install ELF on another Windows PC, ensure that it can use WMI remotely. To enable Remote WMI for the account that will be used to connect to the Domain Controller, go to: Computer Management > Services and Applications > WMI Control, right-click it and select Properties.

_images/ad-integration-6.png

Select the Security tab, then choose the Root namespace and click the Security button.

_images/ad-integration-7.png

Add the user to the list, or select a group it belongs to, and check the Remote Enable permission.

_images/ad-integration-8.png

Event Log Forwarder

You can install ELF locally on the DC or on another Windows PC. ELF uses the following connections:

ELF Firewall Rules

Source   Direction   Destination   Port   Protocol   Reason
ELF      —>          DC            135    TCP/UDP    Microsoft RPC
ELF      —>          resolver      4222   TCP        NATS Message Queue
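Before installing ELF on a separate Windows PC, it is worth confirming from that PC that the connections in the table above and the Remote Enable permission from the previous section actually work. The following script is an added example, not part of the Whalebone documentation; the DC name, the resolver address and the prompted account are assumptions to replace with your own values. It tests TCP reachability of the DC on 135 and 445 and of the resolver on 4222, pings the DC for the ICMP row, and then opens a WMI session over DCOM (the path the WMI-In rule and port 135 exist for) and reads a single Security event, which is the operation that fails when the account lacks Remote Enable.

```powershell
# Added example (not part of the Whalebone documentation): run on the host that
# will run ELF to confirm the connections in the ELF Firewall Rules table and
# the remote WMI permission. Hostnames, addresses and the account are assumptions.
$DomainController = 'dc01.example.local'   # placeholder, replace with your DC
$Resolver         = '192.168.1.10'         # placeholder, replace with your resolver
$Credential       = Get-Credential -Message 'Account granted Remote Enable on the DC'

$results = [ordered]@{}

# TCP reachability: ELF -> DC 135 (RPC/DCOM), DC 445, ELF -> resolver 4222 (NATS).
# UDP 135 cannot be probed this way; only the TCP side is tested.
foreach ($target in @(@{ Host = $DomainController; Port = 135 },
                      @{ Host = $DomainController; Port = 445 },
                      @{ Host = $Resolver;         Port = 4222 })) {
    $t = Test-NetConnection -ComputerName $target.Host -Port $target.Port -WarningAction SilentlyContinue
    $results["TCP $($target.Host):$($target.Port)"] = $t.TcpTestSucceeded
}

# ICMP row of the DC table
$results["ICMP $DomainController"] = Test-Connection -ComputerName $DomainController -Count 1 -Quiet

# Remote WMI over DCOM: a CIM session with the Dcom protocol exercises the same
# RPC path ELF uses, as opposed to the WSMan transport CIM sessions use by default.
try {
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $DomainController -Credential $Credential `
                              -SessionOption $opt -ErrorAction Stop
    # Read one Security event; this is where a missing Remote Enable shows up as Access Denied
    $evt = Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
               -Filter "Logfile='Security'" -ErrorAction Stop | Select-Object -First 1
    $results['WMI Security log read'] = [bool]$evt
    Remove-CimSession $session
} catch {
    $results['WMI Security log read'] = $false
    Write-Warning "Remote WMI failed: $($_.Exception.Message)"
}

[pscustomobject]$results | Format-List
```

Every entry should read True. If the port checks pass but the Security log read fails, the firewall is not the problem: check the Remote Enable permission on the DC's Root namespace, and note that reading the Security log additionally requires the account to hold the "Manage auditing and security log" right on the DC.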

Install Instructions

Install or Update:

msiexec /i "Whalebone.Event.Log.Forwarder.Installer.msi" ui="true"

Uninstall:

msiexec /x "Whalebone.Event.Log.Forwarder.Installer.msi"

Configuration Instructions

The installer opens the configuration window automatically. You can also open the configuration in your favourite web browser with the following command:

start http://localhost:55225/Configure/AD

_images/ad-integration-9.png

Service Logs

Service logs can be found at c:\ProgramData\Whalebone\Event Log Forwarder\ and contain detailed information about the service state. If you encounter unexpected service behaviour, please attach this folder to your support ticket.