Purpose :
The purpose of this project is to audit Active Directory changes related to account and GPO management and to display those changes in a friendly way.
This solution is based on several technologies :
- Microsoft Windows Event Forwarding
- MySQL database to keep the event history
- Powershell to send the events to the MySQL database
- PHP/JQuery and Bootstrap CSS for the web interface
The documentation to install the Ubuntu Linux server : documentation
You can also download the virtual machines :
- The Windows 2012R2 Server domain controller (cred: ROOT\Administrator / Abc123def) : virtual machine
- The Ubuntu server (cred: osboxes / osboxes.org) : virtual machine
The following events are captured :
Event ID | Description |
---|---|
4728 | A member was added to a security-enabled global group |
4732 | A member was added to a security-enabled local group |
4756 | A member was added to a security-enabled universal group |
4751 | A member was added to a security-disabled global group (distribution list) |
4746 | A member was added to a security-disabled local group (distribution list) |
4761 | A member was added to a security-disabled universal group (distribution list) |
4729 | A member was removed from a security-enabled global group |
4733 | A member was removed from a security-enabled local group |
4757 | A member was removed from a security-enabled universal group |
4752 | A member was removed from a security-disabled global group (distribution list) |
4747 | A member was removed from a security-disabled local group (distribution list) |
4762 | A member was removed from a security-disabled universal group (distribution list) |
4727 | A security-enabled global group was created |
4731 | A security-enabled local group was created |
4754 | A security-enabled universal group was created |
4730 | A security-enabled global group was deleted |
4734 | A security-enabled local group was deleted |
4758 | A security-enabled universal group was deleted |
4749 | A security-disabled global group was created |
4744 | A security-disabled local group was created |
4759 | A security-disabled universal group was created |
4753 | A security-disabled global group was deleted |
4748 | A security-disabled local group was deleted |
4763 | A security-disabled universal group was deleted |
4720 | A user account was created |
4722 | A user account was enabled |
4723 | An attempt was made to change an account's password |
4724 | An attempt was made to reset an account's password |
4725 | A user account was disabled |
4726 | A user account was deleted |
4738 | A user account was changed |
4740 | A user account was locked out |
4767 | A user account was unlocked |
4781 | The name of an account was changed |
5136 | A directory service object was modified |
5137 | A directory service object was created |
5138 | A directory service object was undeleted |
5139 | A directory service object was moved |
5141 | A directory service object was deleted |
This schema shows how this solution works :
Requirements
- Event collector > can be installed on an existing domain controller
- Install the MySQL Connector on the event collector machine (here) : during the setup only select the following features : Entity Framework Support and Core components
- LAMP Server on an Ubuntu server > can be installed on a virtual machine
- 2 processors or dual core machines
- 2 GB RAM
- 20 GB Hard disk space
Useful documentation :
Procedure to configure the event forwarding
- Run the following command on all the domain controllers : winrm quickconfig
- Run the following command on the event collector machine : wecutil qc
- Define an event subscription per domain on the event collector machine
- Open the Server Manager
- Go to Diagnostics > Subscriptions. Right click and then click on “Create Subscription”
- Fill the field as shown and then click on the button “Select Computers”
- Click on the button “Add Domain Computers” and add your domain controllers FQDN
- Click on the button “Select Events” > XML tab > tick the checkbox “Edit the query manually” and paste the following xml code
- Click on the button “Advanced” on the main “Subscription Properties” window, tick the “specific user” checkbox and then click on the button “User and Password” to enter the credentials of a user account that has read access to the source logs
- Validate and close the windows by clicking on the buttons “OK”
- The subscriptions will appear on the right side as shown below
- You can monitor the subscription status by clicking on it and then click on the “Runtime Status” choice. You will be able to troubleshoot through this window if you have any problem or error message
Procedure to configure the LAMP server
- Install a LAMP server
- Enable the php LDAP module
- Install PHPmyAdmin
sudo apt-get install phpmyadmin
- Install the database by running the following sql code
```sql
-- Create the database the capture script connects to ('auditad'), then the event table
CREATE DATABASE IF NOT EXISTS `auditad` DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;
USE `auditad`;

SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET time_zone = "+00:00";

CREATE TABLE IF NOT EXISTS `ad_events` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `evt_date` datetime NOT NULL,
  `evt_recordid` int(20) NOT NULL,
  `evt_id` int(11) NOT NULL,
  `evt_desc` text NOT NULL,
  `evt_sourceDC` text NOT NULL,
  `evt_domain` text NOT NULL,
  -- evt_chg is capped at 500 characters: a long GPO change is truncated or rejected depending on sql_mode
  `evt_chg` varchar(500) NOT NULL,
  `evt_modby` text NOT NULL,
  PRIMARY KEY (`id`),
  KEY `evt_date` (`evt_date`),
  KEY `evt_id` (`evt_id`),
  KEY `evt_chg` (`evt_chg`),
  KEY `evt_recordid` (`evt_recordid`),
  KEY `evt_date_2` (`evt_date`,`evt_id`,`evt_recordid`,`evt_chg`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
```
Procedure to configure the event capture script
- On the event collector, copy the following script
```powershell
param($eventRecordID)

Import-Module ActiveDirectory

function ConnectMySQL([string]$user, [string]$pass, [string]$MySQLHost, [string]$database) {
    # Load MySQL .NET Connector objects (update this path to match your installation)
    [void][System.Reflection.Assembly]::LoadFrom("C:\Program Files (x86)\MySQL\MySQL Connector Net 6.5.4\Assemblies\v2.0\MySQL.Data.dll")
    # Open connection
    $connStr = "server=$MySQLHost;port=3306;uid=$user;pwd=$pass;database=$database;Pooling=FALSE"
    $conn = New-Object MySql.Data.MySqlClient.MySqlConnection($connStr)
    $conn.Open()
    return $conn
}

function WriteMySQLQuery($conn, [string]$query, [hashtable]$params) {
    # Run a parameterised statement: values are bound, never concatenated into the SQL text,
    # so an apostrophe in an account name or a crafted AD attribute value cannot break or alter the query
    $command = $conn.CreateCommand()
    $command.CommandText = $query
    foreach ($name in $params.Keys) {
        [void]$command.Parameters.AddWithValue($name, $params[$name])
    }
    $RowsInserted = $command.ExecuteNonQuery()
    $command.Dispose()
    if ($RowsInserted) { return $RowsInserted } else { return $false }
}

# setup vars: enter your own database credentials and server IP address
$user      = 'dbusername'
$pass      = 'dbpassword'
$database  = 'auditad'
$MySQLHost = '10.0.0.3'   # MySQL server IP address
$conn = ConnectMySQL $user $pass $MySQLHost $database

# Event id references
$eventid_list = @{
    "4728" = "A member was added to a security-enabled global group"
    "4732" = "A member was added to a security-enabled local group"
    "4756" = "A member was added to a security-enabled universal group"
    "4751" = "A member was added to a security-disabled global group (distribution list)"
    "4746" = "A member was added to a security-disabled local group (distribution list)"
    "4761" = "A member was added to a security-disabled universal group (distribution list)"
    "4729" = "A member was removed from a security-enabled global group"
    "4733" = "A member was removed from a security-enabled local group"
    "4757" = "A member was removed from a security-enabled universal group"
    "4752" = "A member was removed from a security-disabled global group (distribution list)"
    "4747" = "A member was removed from a security-disabled local group (distribution list)"
    "4762" = "A member was removed from a security-disabled universal group (distribution list)"
    "4727" = "A security-enabled global group was created"
    "4731" = "A security-enabled local group was created"
    "4754" = "A security-enabled universal group was created"
    "4730" = "A security-enabled global group was deleted"
    "4734" = "A security-enabled local group was deleted"
    "4758" = "A security-enabled universal group was deleted"
    "4749" = "A security-disabled global group was created"
    "4744" = "A security-disabled local group was created"
    "4759" = "A security-disabled universal group was created"
    "4753" = "A security-disabled global group was deleted"
    "4748" = "A security-disabled local group was deleted"
    "4763" = "A security-disabled universal group was deleted"
    "4720" = "A user account was created"
    "4722" = "A user account was enabled"
    "4723" = "An attempt was made to change an account's password"
    "4724" = "An attempt was made to reset an account's password"
    "4725" = "A user account was disabled"
    "4726" = "A user account was deleted"
    "4738" = "A user account was changed"
    "4740" = "A user account was locked out"
    "4767" = "A user account was unlocked"
    "4781" = "The name of an account was changed"
    "5136" = "A directory service object was modified"
    "5137" = "A directory service object was created"
    "5138" = "A directory service object was undeleted"
    "5139" = "A directory service object was moved"
    "5141" = "A directory service object was deleted"
}

# Group Policy Client Side Extension list (keys are looked up case-insensitively)
$GPO_clt_ext_lst = @{
    "{00000000-0000-0000-0000-000000000000}" = "Core GPO Engine"
    "{0E28E245-9368-4853-AD84-6DA3BA35BB75}" = "Preference CSE GUID Environment Variables"
    "{0F6B957D-509E-11D1-A7CC-0000F87571E3}" = "Tool Extension GUID (Computer Policy Settings)"
    "{0F6B957E-509E-11D1-A7CC-0000F87571E3}" = "Tool Extension GUID (User Policy Settings) - Restrict Run"
    "{1612b55c-243c-48dd-a449-ffc097b19776}" = "Preference Tool CSE GUID Data Sources"
    "{17D89FEC-5C44-4972-B12D-241CAEF74509}" = "Preference CSE GUID Local users and groups"
    "{1A6364EB-776B-4120-ADE1-B63A406A76B5}" = "Preference CSE GUID Devices"
    "{1b767e9a-7be4-4d35-85c1-2e174a7ba951}" = "Preference Tool CSE GUID Devices"
    "{25537BA6-77A8-11D2-9B6C-0000F8080861}" = "Folder Redirection"
    "{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}" = "Preference Tool CSE GUID Drives"
    "{3060E8CE-7020-11D2-842D-00C04FA372D4}" = "Remote Installation Services."
    "{35141B6B-498A-4CC7-AD59-CEF93D89B2CE}" = "Preference Tool CSE GUID Environment Variables"
    "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" = "Registry Settings"
    "{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}" = "Microsoft Disk Quota"
    "{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}" = "Preference CSE GUID Network Options"
    "{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}" = "Preference Tool CSE GUID Files"
    "{3BFAE46A-7F3A-467B-8CEA-6AA34DC71F53}" = "Preference Tool CSE GUID Folder Options"
    "{3EC4E9D3-714D-471F-88DC-4DD4471AAB47}" = "Preference Tool CSE GUID Folders"
    "{40B66650-4972-11D1-A7CA-0000F87571E3}" = "Scripts (Logon/Logoff) Run Restriction"
    "{42B5FAAE-6536-11d2-AE5A-0000F87571E3}" = "ProcessScriptsGroupPolicy"
    "{47BA4403-1AA0-47F6-BDC5-298F96D1C2E3}" = "Print Policy in PolicyMaker"
    "{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}" = "Internet Explorer Zonemapping"
    "{516FC620-5D34-4B08-8165-6A06B623EDEB}" = "Preference Tool CSE GUID Ini Files"
    "{53D6AB1D-2488-11D1-A28C-00C04FB94F17}" = "Certificates Run Restriction"
    "{5794DAFD-BE60-433f-88A2-1A31939AC01F}" = "Preference CSE GUID Drives"
    "{5C935941-A954-4F7C-B507-885941ECE5C4}" = "Preference Tool CSE GUID Internet Settings"
    "{6232C319-91AC-4931-9385-E70C2B099F0E}" = "Preference CSE GUID Folders"
    "{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}" = "Preference CSE GUID Network Shares"
    "{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}" = "Preference CSE GUID Files"
    "{728EE579-943C-4519-9EF7-AB56765798ED}" = "Preference CSE GUID Data Sources"
    "{74EE6C03-5363-4554-B161-627540339CAB}" = "Preference CSE GUID Ini Files"
    "{79F92669-4224-476c-9C5C-6EFB4D87DF4A}" = "Preference Tool CSE GUID Local users and groups"
    "{7B849a69-220F-451E-B3FE-2CB811AF94AE}" = "Internet Explorer User Accelerators/PolicyMaker"
    "{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}" = "Computer Restricted Groups"
    "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" = "Security"
    "{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" = "Folder Redirection"
    "{8A28E2C5-8D06-49A4-A08C-632DAA493E17}" = "Deployed Printer Connections"
    "{91FBB303-0CD5-4055-BF42-E512A681B325}" = "Preference CSE GUID Services"
    "{942A8E4F-A261-11D1-A760-00C04FB9603F}" = "Software Installation (Computers)."
    "{949FB894-E883-42C6-88C1-29169720E8CA}" = "Preference Tool CSE GUID Network Options"
    "{9AD2BAFE-63B4-4883-A08C-C3C6196BCAFD}" = "Preference Tool CSE GUID Power Options"
    "{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}" = "Internet Explorer Maintenance policy processing"
    "{A3F3E39B-5D83-4940-B954-28315B82F0A8}" = "Preference CSE GUID Folder Options"
    "{A8C42CEA-CDB8-4388-97F4-5831F933DA84}" = "Preference Tool CSE GUID Printers"
    "{AADCED64-746C-4633-A97C-D61349046527}" = "Preference CSE GUID Scheduled Tasks"
    "{B087BE9D-ED37-454f-AF9C-04291E351182}" = "Preference CSE GUID Registry"
    "{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}" = "EFS Recovery"
    "{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}" = "802.3 Group Policy"
    "{B9CCA4DE-E2B9-4CBD-BF7D-11B6EBFBDDF7}" = "Preference Tool CSE GUID Regional Options"
    "{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}" = "Software Installation (Users) Run Restriction"
    "{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}" = "Preference CSE GUID Printers"
    "{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}" = "Preference Tool CSE GUID Registry"
    "{BFCBBEB0-9DF4-4c0c-A728-434EA66A0373}" = "Preference Tool CSE GUID Network Shares"
    "{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}" = "Preference CSE GUID Shortcuts"
    "{C631DF4C-088F-4156-B058-4375F0853CD8}" = "Microsoft Offline Files"
    "{C6DC5466-785A-11D2-84D0-00C04FB169F7}" = "Application Management"
    "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}" = "Preference Tool CSE GUID Scheduled Tasks"
    "{CC5746A9-9B74-4be5-AE2E-64379C86E0E4}" = "Preference Tool CSE GUID Services"
    "{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}" = "TCPIP"
    "{CEFFA6E2-E3BD-421B-852C-6F6A79A59BC1}" = "Preference Tool CSE GUID Shortcuts"
    "{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}" = "Internet Explorer Machine Accelerators"
    "{CF848D48-888D-4F45-B530-6A201E62A605}" = "Preference Tool CSE GUID Start Menu"
    "{D02B1F72-3407-48AE-BA88-E8213C6761F1}" = "Tool Extension GUID (Computer Policy Settings)"
    "{D02B1F73-3407-48AE-BA88-E8213C6761F1}" = "Tool Extension GUID (User Policy Settings)"
    "{e437bc1c-aa7d-11d2-a382-00c04f991e27}" = "IP Security"
    "{E47248BA-94CC-49C4-BBB5-9EB7F05183D0}" = "Preference CSE GUID Internet Settings"
    "{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}" = "Preference CSE GUID Start Menu"
    "{E5094040-C46C-4115-B030-04FB2E545B00}" = "Preference CSE GUID Regional Options"
    "{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}" = "Preference CSE GUID Power Options"
    "{F0DB2806-FD46-45B7-81BD-AA3744B32765}" = "Policy Maker"
    "{F17E8B5B-78F2-49A6-8933-7B767EDA5B41}" = "Policy Maker"
    "{F27A6DA8-D22B-4179-A042-3D715F9E75B5}" = "Policy Maker"
    "{f3ccc681-b74c-4060-9f26-cd84525dca2a}" = "Audit Policy Configuration"
    "{F581DAE7-8064-444A-AEB3-1875662A61CE}" = "Policy Maker"
    "{F648C781-42C9-4ED4-BB24-AEB8853701D0}" = "Policy Maker"
    "{F6E72D5A-6ED3-43D9-9710-4440455F6934}" = "Policy Maker"
    "{F9C77450-3A41-477E-9310-9ACD617BD9E3}" = "Group Policy Applications"
    "{FB2CA36D-0B40-4307-821B-A13B252DE56C}" = "Enterprise QoS"
    "{FC715823-C5FB-11D1-9EEF-00A0C90347FF}" = "Internet Explorer Maintenance Extension protocol"
    "{FD2D917B-6519-4BF7-8403-456C0C64312F}" = "Policy Maker"
    "{FFC64763-70D2-45BC-8DEE-7ACAF1BA7F89}" = "Policy Maker"
}

# Assumed filter (the query text did not survive on the page): select the single forwarded
# event whose record id was passed in by the scheduled task trigger
$xml_filter = @"
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(EventRecordID=$eventRecordID)]]</Select>
  </Query>
</QueryList>
"@
$event = Get-WinEvent -FilterXml $xml_filter

# Flag GPO extension-list changes so the CSE GUIDs can be decoded below
$gpo_mod_tag = $false
if ($event.Message -match "(gPCMachineExtensionNames|gPCUserExtensionNames)") { $gpo_mod_tag = $true }

$sourceDC = $event.MachineName
$date = $event.TimeCreated
$id = $event.Id
$ev_localrecordID = $event.RecordId
$desc = $eventid_list."$id"
$eventXML = [xml]$event.ToXml()

# Domain name and its DN are derived from the source DC FQDN
$domainname = $sourceDC.split(".")[1..($sourceDC.split(".").length)] -join "."
$domainname_dn = ($domainname.split(".") | % { "DC=$_" }) -join ","

$modified_by_formatted = @()
$change_formatted = @()
$change_obj_op = ""   # optional operation prefix placed before the decoded CSE list

for ($i = 0; $i -lt $eventXML.Event.EventData.Data.length; $i++) {
    $d = $eventXML.Event.EventData.Data[$i]
    # Subject* fields identify who made the change
    if ($d.name -like "Subject*") {
        $modified_by_formatted += $d.name + " : " + $d.'#text'
    }
    # Every other non-empty field describes what changed
    if (($d.name -notlike "Subject*") -and ($d.'#text' -ne "-")) {
        if ($d.'#text' -like "*,cn=policies,cn=system,*") {
            # The value is a GPO DN: resolve it to the GPO display name through the global catalog
            if ($d.'#text' -match "LDAP://") {
                # gPLink style value: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;0][...]
                (($d.'#text' -replace "\[|\]","_") -replace "__","_" -replace "LDAP://|;0","").split("_") | % {
                    if (!([string]::IsNullOrEmpty($_)) -and ($_ -like "*,cn=policies,cn=system,$domainname_dn")) {
                        $gpo_displayname = (Get-ADObject -Filter 'objectClass -eq "groupPolicyContainer"' -Server "localhost:3268" -SearchBase $_ -Properties displayname).displayname
                        $change_formatted += $d.name + " : " + $gpo_displayname + " (" + $_ + ")"
                    }
                }
            } else {
                $gpo_displayname = (Get-ADObject -Filter 'objectClass -eq "groupPolicyContainer"' -Server "localhost:3268" -SearchBase $d.'#text' -Properties displayname).displayname
                $change_formatted += $d.name + " : " + $gpo_displayname + " (" + $d.'#text' + ")"
            }
        } elseif (($gpo_mod_tag -eq $true) -and ($d.name -eq "AttributeValue")) {
            # Decode the [{GUID}{GUID}]... extension list into readable CSE names
            $change_obj_val = $d.'#text' -replace "{","_" -replace "}","_"
            $change_obj_val_arr = $change_obj_val.split("_")
            $change_obj_tmp_arr = @()
            for ($j = 1; $j -lt $change_obj_val_arr.length; $j++) {
                $change_obj_val_arr_tmp = "{" + $change_obj_val_arr[$j] + "}"
                $change_obj_val_txt = $GPO_clt_ext_lst.$change_obj_val_arr_tmp
                if ($change_obj_val_txt) { $change_obj_tmp_arr += $change_obj_val_txt }
            }
            $change_obj = $change_obj_op + " > "
            $change_obj += $change_obj_tmp_arr -join " / "
            $change_formatted += $d.name + " : " + $change_obj
        } else {
            $change_formatted += $d.name + " : " + $d.'#text'
        }
    }
}

$desc = $desc -replace "'"," "
$datetime_new = Get-Date $date -Format "yyyy-MM-dd HH:mm:ss"

# Write to db (values are bound as parameters, see WriteMySQLQuery)
$query = "INSERT INTO ad_events (evt_date,evt_recordid,evt_id,evt_desc,evt_sourceDC,evt_domain,evt_chg,evt_modby) " +
         "VALUES(@evt_date,@evt_recordid,@evt_id,@evt_desc,@evt_sourceDC,@evt_domain,@evt_chg,@evt_modby)"
$params = @{
    "@evt_date"     = $datetime_new
    "@evt_recordid" = $ev_localrecordID
    "@evt_id"       = $id
    "@evt_desc"     = $desc
    "@evt_sourceDC" = $sourceDC
    "@evt_domain"   = $domainname
    "@evt_chg"      = ($change_formatted -join " ")
    "@evt_modby"    = ($modified_by_formatted -join " ")
}
$Rows = WriteMySQLQuery $conn $query $params
$conn.Close()
```
- The script above requires configuration :
- In the function ConnectMySQL, update the path where the file MySQL.Data.dll is located on your system
- In the "setup vars" section, enter your own database credentials and server IP address
- Create a new scheduled task on the event collector server
- On the “Triggers” tab, click New and configure as shown below
```xml
<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">
      <!-- inside XML text a "less than" comparison must be written as &lt; or the query is rejected as invalid -->
      *[(System[((EventID >= 5136 and EventID &lt;= 5139) or EventID=5141)]
         and EventData[(Data[@Name="ObjectClass"] and (Data="organizationalUnit" or Data="groupPolicyContainer"))])
        or (System[(EventID = 5136)] and EventData[(Data="gPCMachineExtensionNames")])
        or (System[(EventID=4720 or (EventID >= 4722 and EventID &lt;= 4734) or EventID=4738 or EventID=4740 or EventID=4744
                    or (EventID >= 4746 and EventID &lt;= 4749) or (EventID >= 4751 and EventID &lt;= 4754)
                    or (EventID >= 4756 and EventID &lt;= 4759) or (EventID >= 4761 and EventID &lt;= 4763)
                    or EventID=4767 or EventID=4781)])]
    </Select>
  </Query>
</QueryList>
```
- On the “Actions” tab, click New and fill in the following information :
- Program/script : powershell.exe
- Add arguments : \\server\script_share\event_ad.ps1 -eventRecordID $(eventRecordID)
- On the “Settings” tab, configure as shown below
- Right click on the newly created scheduled task > Export (xml file)
- Insert the following lines
```xml
<ValueQueries>
  <Value name="eventChannel">Event/System/Channel</Value>
  <Value name="eventRecordID">Event/System/EventRecordID</Value>
  <Value name="eventSeverity">Event/System/Level</Value>
</ValueQueries>
```
- Close the window to finish the scheduled task creation
- Open the xml file with your favorite text editor
- Delete the scheduled task
- Right click > Import and then select the modified xml file
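The event-XML walk and the CSE GUID decoding performed by the capture script, re-implemented in Python as an added example (not the project's own code) so the logic can be exercised offline. The two sample events and the GPO_NAMES mapping, which stands in for the script's Get-ADObject display-name lookup, are constructed.

```python
"""Offline re-implementation of the capture script's event parsing (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the client side extension table used by the capture script
CSE_NAMES = {
    "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}": "Registry Settings",
    "{D02B1F72-3407-48AE-BA88-E8213C6761F1}": "Tool Extension GUID (Computer Policy Settings)",
    "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}": "Security",
    "{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}": "Computer Restricted Groups",
}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed stand-in for the Get-ADObject lookup; the GUID is the well-known Default Domain Policy GUID
GPO_NAMES = {"{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy"}


def gpo_display_name(dn):
    """Resolve a GPO container DN to its display name (offline stand-in for the AD query)."""
    m = re.match(r"CN=(\{[^}]+\}),CN=Policies,CN=System,", dn, re.IGNORECASE)
    return GPO_NAMES.get(m.group(1).upper()) if m else None


def decode_cse_list(value):
    """Map every {GUID} in a gPC*ExtensionNames value to a CSE name.

    Windows writes these GUIDs in mixed case, so the comparison is case-insensitive
    (a PowerShell hashtable lookup is too); unknown GUIDs are skipped, as in the script.
    """
    table = {k.upper(): v for k, v in CSE_NAMES.items()}
    return [table[g.upper()] for g in GUID_RE.findall(value) if g.upper() in table]


def parse_event(xml_text):
    """Build the row the capture script would insert for one forwarded event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    source_dc = system.find("e:Computer", NS).text
    data = [(d.get("Name"), d.text or "") for d in root.find("e:EventData", NS)]
    attr = dict(data).get("AttributeLDAPDisplayName", "")
    gpo_mod = attr in ("gPCMachineExtensionNames", "gPCUserExtensionNames")

    modified_by, changes = [], []
    for name, text in data:
        if name.startswith("Subject"):          # who made the change
            modified_by.append(f"{name} : {text}")
        elif text == "-":                       # empty fields are dropped, like the script does
            continue
        elif ",cn=policies,cn=system," in text.lower():
            changes.append(f"{name} : {gpo_display_name(text)} ({text})")
        elif gpo_mod and name == "AttributeValue":
            changes.append(f"{name} : " + " / ".join(decode_cse_list(text)))
        else:
            changes.append(f"{name} : {text}")
    return {
        "evt_id": int(system.find("e:EventID", NS).text),
        "evt_recordid": int(system.find("e:EventRecordID", NS).text),
        "evt_sourceDC": source_dc,
        "evt_domain": ".".join(source_dc.split(".")[1:]),  # everything after the host label
        "evt_chg": changes,
        "evt_modby": modified_by,
    }


# Constructed sample: a 5136 event for a change to a GPO's machine extension list
EVENT_5136 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5136</EventID><EventRecordID>918234</EventRecordID>
<Channel>ForwardedEvents</Channel><Computer>DC01.corp.example.com</Computer></System>
<EventData>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
<Data Name="SubjectUserName">jdoe</Data>
<Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">0x3e7a1</Data>
<Data Name="ObjectDN">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example,DC=com</Data>
<Data Name="ObjectClass">groupPolicyContainer</Data>
<Data Name="AttributeLDAPDisplayName">gPCMachineExtensionNames</Data>
<Data Name="AttributeValue">[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]</Data>
<Data Name="OperationType">%%14674</Data>
</EventData></Event>"""

# Constructed sample: a 4728 event (member added to a security-enabled global group)
EVENT_4728 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4728</EventID><EventRecordID>918235</EventRecordID>
<Channel>ForwardedEvents</Channel><Computer>DC01.corp.example.com</Computer></System>
<EventData>
<Data Name="MemberName">CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com</Data>
<Data Name="MemberSid">S-1-5-21-1111-2222-3333-1220</Data>
<Data Name="TargetUserName">Domain Admins</Data>
<Data Name="TargetDomainName">CORP</Data>
<Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
<Data Name="SubjectUserName">jdoe</Data>
<Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">0x3e7a1</Data>
<Data Name="PrivilegeList">-</Data>
</EventData></Event>"""

if __name__ == "__main__":
    for ev in (EVENT_5136, EVENT_4728):
        print(parse_event(ev))
```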
Procedure for the website
- Download the website
- Uncompress the archive on the LAMP server
- VERY IMPORTANT : the website must be set with HTTPS (Thank you to Johannes Rudloff)
- When you install mcrypt, you have to enable it and then restart the web server as shown below
- sudo php5enmod mcrypt
- sudo service apache2 restart
The documentation is very basic so do not hesitate to contact me or leave a comment if you need some help !
Hi,
thanks for the wonderful auditing scripts, but somehow the website stays blank after login and gives me no error message at all. Only errors in apache error log are php notices about undefined variables and indices.
in the powershell script if I uncomment line 166 there is a missing bracket. shouldn’t there be some kind of loop?
Best regards and thank you very much for your effort
Johannes
nevermind the uncommenting but i had to comment lines 195 – 202 too
Hello Johannes,
Do you try to launch the powershell script ? Do you have any error codes or messages ?
Are you sure you have set the locale to en-us on the machine where you are running the script ?
Thank you for your feedback
Hi Nicolas,
thanks for your fast response. locale is set to en-us. Powershell script ran fine. Only problem is the website for me. The mysql database has been filled nicely with entries, but I have no chance to enter the website. config.ini and @.security file have been configured to our domain but still no success. Are there any other prerequisites to fulfill for apache? I have installed a fresh Ubuntu 14.04 Server with apache2, mysql, php5 and php5-ldap. phpinfo shows ldap enabled
thanks for your help
I’m having a problem running the powershell script. The error is listed below.
Get-WinEvent : The specified query is invalid
At C:\Temp\event_ad.ps1:163 char:22
+ $event = Get-WinEvent <<<< -FilterXml $xml_filter
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
nEventCommand
The script cannot be run directly from the command prompt. You have to follow the whole documentation and create the requested scheduled task to make it work properly. Thank you. Do not hesitate to give me a feedback or if you have another questions.
Nicolas,
Thanks for the explanation regarding the powershell script. What would cause 0000-00-00 00:00:00 to be the only data sent from the event collector to the db?
There is a bug with the powershell cmdlets get-winevent. The locale must be set To en-us. Could you please try ?
That did the trick. Thank you.
What was your solution? I have the same problem that you point out ….?
Nicolas,
I want to restrict access to the web portal to a specific AD group. I’ve added this AD group into the @.security file but I’m still able to logon to the web portal with any AD account. I’m I setting AD group access in the wrong place?
Thanks for all your help,
Bob
Bob,
Could you please send me an email (nicolas.hahang@gmail.com) with the content of your @.security file ? Thank you in advance.
Nicolas,
I reboot the portal and authentication is working as expected. Thanks for all your help and sharing this great tool.
Bob
Hi!
I've got a problem, I've installed two instances of this, one on server 2008R2 and one on server 2012 (replacing LAMP with WIMP). The server 2012 works nice but the 2008R2 gives me just a blank website after entering it. Any idea what it might be?
Hello,
If you have a blank screen after a successful logon, the cause is probably one of the following :
– web server has not been restarted
– the web server is not using https
Regards
A follow up question for someone who is not good at PHP… If i don’t want it to use LDAP but defined user/pass from a file, the database or another “non domain” connection to establish a login, how would i go about doing that?
I am getting a blank page after login in Chrome, and an HTTP 500 Internal Server Error page after login in IE9. I have SSL enabled (and appears to be working) on the site. Any advice?
I am on Ubuntu 14.04, this is needed:
sudo php5enmod mcrypt
sudo service apache2 restart
I applied mcrypt and restarted apache2 and then I cannot logon. Before it was no problem, but I had a blank white screen 🙁 … any suggestions?
Without mcrypt I can login to the website with my AD account, with installed mcrypt I can't logon and I received no message. Can you help me Nicolas?
Hello Heiko,
Sorry for the late answer. Normally, if you use mcrypt and https protocol it will work as expected. Could you please confirm ?
I followed the instructions (used a CentOS server because that is what was available) and I am unable to log in to the portal. It keeps saying that login failed. I entered my domain information in the config, and the group within the security file. What else can be checked? Thanks
Actually, forget that last post. I was able to “login”, but I am getting a white screen and nothing more.
Hello,
As discussed, the module php mcrypt is required. I hope everything is working fine.
Nicolas HAHANG
I cannot seem to get events 5136-5141 sent to the DB (at the least show up in the web interface). At first only 5136+ for GPO changes were showing up on the Windows server (the one with the subscription), then I added to the subscription for ObjectClass: or Data=”user”
After that, in the Forwarded Events log there are events for 5136 relating to user changes, but these events do not show up in the website (GPO events do show up, though) – any advice?
Congratulations solution, will make life easier for many network administrators in AD logs analysis.
Are there any plans to extend for file server log analysis.?
Hello,
File server audit generates a lot of logs… but the current solution can be used to analyze file server logs. You just have to configure the events id you want… For the moment, I don’t have time but probably in the close future
Hello,
I try to deploy this tool for testing.
However, I was stopped at setting up the web GUI. I can't login successfully to the portal.
Can I know which module controls the user login?
I have edited the @.security file.
Below is the result:
CN=Domain Admins,CN=Users,DC=TestAD,DC=test
But I still can't login, no matter whether using an AD account or a local account.
I am new to the Ubuntu system, am I missing some item? Please give advice.
Best Regards,
Anthony
Hello Anthony,
Sorry for the late answer. Can you try to use a DN of an AD object located in an OU and not in a default container ?
Thank you in advance for your feedback
Are the events kept forever or there’s a way to auto-prune data after a set period ??????
Hello Yan,
Sorry for the late answer. There is no auto-prune function. I'm using this tool since 2012. The database size is about 1GB. But this suggestion could be an interesting enhancement.
Hello, i could confirm this. I have installed mcrypt and ssl. after install mcrypt i cant logon, no message. nothing. only the logon screen again. no errors on my apache logs. when i remove mcrypt from my server i received a blank white screen after entering the credentials.
Hi Nic,
I have install php5-mcrypt but if i type https://servername, it gives me page cannot be found. But if i use http the page opens and after login it gives me blank page. Please help me.
Thank you
Nic,
I configured apache to use ssl..i can login to the portal with https://servername. But when i login with my username and password, i get blank page “Whitepage” mcrypt is install. Am i doing something wrong?
Thank you.
Can anyone please help me?
Hello Steve, sorry for the late answer. This project does not support special character. Can you tell me the content of your security file? Thank you
Hello Nic, thank you for your reply….I checked the security event filter and was wrong. Was the default. When i copied and past the below it gives me error: The Event log query specified is invalid. Am i doing something wrong?
Thank you.
*[(System[((EventID >= 5136 and EventID <= 5139) or EventID=5141)] and EventData[(Data[@Name=”ObjectClass”] and (Data=”organizationalUnit” or Data=”groupPolicyContainer”))]) or (System[(EventID = 5136)] and EventData[(Data=”gPCMachineExtensionNames”)]) or (System[(EventID=4720 or (EventID >= 4722 and EventID <= 4734) or EventID=4738 or EventID=4740 or EventID=4744 or (EventID >=4746 and EventID <= 4749) or (EventID >= 4751 and EventID <= 4754) or (EventID >= 4756 and EventID <= 4759) or (EventID >= 4761 and EventID <= 4763) or EventID=4767 or EventID=4781)])]
This is the security filter
*[(System[((EventID >= 5136 and EventID <= 5139) or EventID=5141)] and EventData[(Data[@Name=”ObjectClass”] and (Data=”organizationalUnit” or Data=”groupPolicyContainer”))]) or (System[(EventID = 5136)] and EventData[(Data=”gPCMachineExtensionNames”)]) or (System[(EventID=4720 or (EventID >= 4722 and EventID <= 4734) or EventID=4738 or EventID=4740 or EventID=4744 or (EventID >=4746 and EventID <= 4749) or (EventID >= 4751 and EventID <=4754) or (EventID >= 4756 and EventID <= 4759) or (EventID >= 4761 and EventID <=4763) or EventID=4767 or EventID=4781)])]
Hello Steve,
I talk about the file called @.security in the webserver that contains the dn of each group authorized to login. Is it properly filled with no special characters ? The event filter you are talking about can be keep by default.
Hello Nic, the DN is cn=IT,ou=IT, dc=cyber,dc=com
Where cn=IT->group name is IT, ou=IT->ou name is IT.
Thank you.
Try a login with a bad password, and another with correct credentials and give me the result
if i try with a bad password, it gives me error: Login Failed! with correct password i get blank page “White page”
Thank you.
Can you confirm you are using https? I will send you by email tomorrow some changes to apply to troubleshoot the issue. Regarding the events, is it ok with the script and the database?
Thank you Nic,
Yes am using https..https://server_ipaddress. sorry am new to database base . but the settings like database name, table name are correct in the script. i can see the database space usage is 16kb. Again thank you for your usual responds. Will be expecting your email .
Hello,
Could you please update the file main.php with these lines and give me the output :
```php
$acl = array();
$acl = array_intersect($groupArray[0]["memberof"], $sec_arr_trim);
$session_timeout = 3600;
// LINES TO ADD - BEGIN
echo "----username : $username---\n";
// print_r(..., true) returns the dump as a string so it can be concatenated (var_dump returns nothing)
echo "----acl : " . print_r($acl, true) . "---\n";
echo "----cookie user : $cookie_user---\n";
echo "----cookie sessid : $cookie_sessid---\n";
echo "----cookie diff : $cookie_diff---\n";
echo "----session timeout : $session_timeout---\n";
// LINES TO ADD - END
auth_check($acl, $cookie_user, $cookie_sessid, $cookie_diff, $session_timeout);
```
Thank you
PS : use chrome browser and open the Developer interface (Inspect element function when you right click on the page)
Hello below is the out
accessKey: “”
attributes: NamedNodeMap
baseURI: “https://192.168.0.15/index.php”
childElementCount: 2
childNodes: NodeList[2]
children: HTMLCollection[2]
classList: DOMTokenList[0]
className: “”
…
Could you please send me the beginning of the html result : developer tools – elements tabs to check the output
Hi. I have a problem with blank screen after login.
https,crypt,@security is on and correct, but in apache log i have errors:
Key of size 26 not supported by this algorithm. Only keys of sizes 16, 24 or 32 supported in /var/www/adaudit/index.php on line 50
Line 50 is:
$cookie_crypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, session_id(), $username . "," . time() . "," . session_id(), MCRYPT_MODE_ECB);
Tried to add debug to main.php and got the same blank page.
Any suggestions?
Hello Igor, have you run the php5enmod command?
Yes. I think the problem is my PHP version; it is too high for this (5.6.7). I disabled mcrypt and rewrote mysql to mysqli. It works, but now I have some JSON errors with the DB. Maybe if you have time you could update the web part for the new PHP. Anyway, thank you!
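The key-size error reported above has a simple cause: session_id() is used as the raw key for MCRYPT_RIJNDAEL_256, and the default PHP session id is 26 characters long, while that cipher only accepts 16-, 24- or 32-byte keys. Two further problems sit in the same line: the session id is sent to the browser, so it is not a secret, and ECB mode lets anyone who can observe tokens swap whole blocks between them. The following is an added example, not the project's index.php or main.php, of a cookie token that needs neither mcrypt nor a fixed key size: the username, issue time and session id are stored in the clear and authenticated with an HMAC under a server-side secret. The secret file path, the cookie name and the function names are assumptions; it runs on PHP 5.6 and later (hash_equals).

```php
<?php
// Added example, not part of the project's code.
// Replaces mcrypt_encrypt(MCRYPT_RIJNDAEL_256, session_id(), ..., MCRYPT_MODE_ECB)
// with an HMAC-authenticated token. Requires PHP >= 5.6 for hash_equals().

const TOKEN_SECRET_FILE = '/etc/adaudit/cookie.key'; // assumed location, outside the web root
const SESSION_TIMEOUT   = 3600;                       // same value main.php uses for $session_timeout

// Load (or create once) a 32-byte random secret. Unlike session_id(), it never
// leaves the server, so it can actually serve as a key.
function token_secret($file = TOKEN_SECRET_FILE)
{
    if (!is_file($file)) {
        $secret = function_exists('random_bytes') ? random_bytes(32) : openssl_random_pseudo_bytes(32);
        file_put_contents($file, $secret, LOCK_EX);
        chmod($file, 0600);
    }
    return file_get_contents($file);
}

// Token layout: "username|issued|sessid|mac". The MAC covers all three fields,
// so none can be altered; binding the PHP session id stops the token from being
// replayed inside a different session.
function token_issue($username, $sessid, $now, $secret)
{
    $payload = implode('|', array(rawurlencode($username), (int) $now, $sessid));
    $mac     = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

// Returns the username, or null when the token is malformed, the MAC is wrong,
// it belongs to another session, or it is older than $timeout seconds.
function token_verify($token, $sessid, $now, $secret, $timeout = SESSION_TIMEOUT)
{
    $parts = explode('|', (string) $token);
    if (count($parts) !== 4) {
        return null;
    }
    list($user, $issued, $tok_sessid, $mac) = $parts;
    $expected = hash_hmac('sha256', "$user|$issued|$tok_sessid", $secret);
    if (!hash_equals($expected, $mac)) {          // constant-time comparison
        return null;
    }
    if ($tok_sessid !== $sessid) {
        return null;
    }
    if (!ctype_digit($issued) || $now - (int) $issued > $timeout) {
        return null;
    }
    return rawurldecode($user);
}

// Offline self-check with a constructed secret and session id (not a real deployment).
// Returns true when a valid token verifies and an expired, tampered or
// cross-session token is rejected.
function token_selftest()
{
    $secret = str_repeat("\x42", 32);              // constructed secret for the demo only
    $sessid = 'abc123';
    $issued = 1000000;
    $token  = token_issue('jdoe', $sessid, $issued, $secret);

    $valid     = token_verify($token, $sessid, $issued + 100, $secret);
    $expired   = token_verify($token, $sessid, $issued + SESSION_TIMEOUT + 1, $secret);
    $tampered  = token_verify(str_replace('jdoe', 'admin', $token), $sessid, $issued + 100, $secret);
    $othersess = token_verify($token, 'zzz999', $issued + 100, $secret);

    return $valid === 'jdoe' && $expired === null && $tampered === null && $othersess === null;
}

// Usage in the login handler, after adLDAP has accepted the credentials:
//   $token = token_issue($username, session_id(), time(), token_secret());
//   setcookie('auditad', $token, 0, '/', '', true, true);   // Secure + HttpOnly
// and at the top of main.php instead of decrypting the cookie:
//   $user = token_verify($_COOKIE['auditad'], session_id(), time(), token_secret());
//   if ($user === null) { header('Location: index.php?logout=1'); exit; }
```

Because nothing in the token is encrypted, the design is easier to reason about: an attacker who reads the cookie learns only the username and a timestamp, and cannot forge or extend it without the secret. The Secure and HttpOnly flags in the usage note are what keep the token off plain http and away from page scripts.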
Hi,
I tried to add the log filter on the subscription, but it shows me "The event log query specified is invalid":
*[(System[((EventID >= 5136 and EventID = 4722 and EventID =4746 and EventID = 4751 and EventID = 4756 and EventID = 4761 and EventID <=4763) or EventID=4767 or EventID=4781)])]
What is wrong?
Windows 2008 SP2
Thanks
I think the blog suppressed the content:
*[(System[((EventID >= 5136 and EventID = 4722 and EventID =4746 and EventID = 4751 and EventID = 4756 and EventID = 4761 and EventID <=4763) or EventID=4767 or EventID=4781)])]
Hello Augusto,
You have to copy the filter from the article. It works fine on a server running Windows Server 2008 R2.
These instructions are so incomplete. For example, the SQL script does not have the database creation or USE line. I had to add the following. There have been other errors I have found too.
CREATE DATABASE `auditad` DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;
USE `auditad`;
Hello Nick,
Sorry about that. I will be glad to help you and update this documentation. I don't have a lot of time these days. Thank you for your feedback.
Hi,
Great work and thanks for sharing. Would you be so kind as to give me some hints on how to get it up and running on a Windows box with IIS/PHP/MySQL?
Regards.
Red.
Hi,
Everything is up and running on the Windows box except for the website 🙁
PHP Notice: Undefined index: logout in C:\Reports\auditweb\index.php on line 3
PHP Notice: Undefined index: username in C:\Reports\auditweb\index.php on line 25
PHP Notice: Undefined index: password in C:\Reports\auditweb\index.php on line 26
PHP Notice: Undefined index: formage in C:\Reports\auditweb\index.php on line 27
PHP Notice: Undefined index: oldform in C:\Reports\auditweb\index.php on line 29
PHP Notice: Undefined variable: failed in C:\Reports\auditweb\index.php on line 91
Any help greatly appreciated.
Regards.
Red.
Hello Red,
I don't have any experience with PHP on the IIS web server. Can you try a Windows Apache installation instead of IIS to test?
Troubles with PowerShell too 🙁
PS C:\Mgmtscript\ADaudit> .\event_ad.ps1
Get-WinEvent : The specified query is invalid
At C:\Mgmtscript\ADaudit\event_ad.ps1:163 char:10
+ $event = Get-WinEvent -FilterXml $xml_filter
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand
You cannot call a method on a null-valued expression.
At C:\Mgmtscript\ADaudit\event_ad.ps1:175 char:1
+ $eventXML = [xml]$event.ToXml()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At C:\Mgmtscript\ADaudit\event_ad.ps1:176 char:1
+ $domainname = $sourceDC.split(".")[1..($sourceDC.split(".").length)] -join "."
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At C:\Mgmtscript\ADaudit\event_ad.ps1:177 char:1
+ $domainname_dn = ($domainname.split(".") | % { "DC=$_" }) -join ","
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Get-Date : Cannot bind parameter 'Date' to the target. Exception setting "Date": "Object reference not set to an instance of an object."
At C:\Mgmtscript\ADaudit\event_ad.ps1:223 char:26
+ $datetime_new = get-date $date -format "yyyy-MM-dd HH:mm:ss"
+ ~~~~~
+ CategoryInfo : WriteError: (:) [Get-Date], ParameterBindingException
+ FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Commands.GetDateCommand
Exception calling "ExecuteNonQuery" with "0" argument(s): "Incorrect datetime value: '' for column 'evt_date' at row 1"
At C:\Mgmtscript\ADaudit\event_ad.ps1:18 char:2
+ $RowsInserted = $command.ExecuteNonQuery()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : MySqlException
The PowerShell script cannot be started directly from the prompt. You have to create the scheduled task as described in the article.
Hi Nicolas,
I have IIS running a lot of webapps with php and mysql and I can’t switch to Apache.
Related to PowerShell, I understand the need for a scheduled task, but if the PowerShell commands are not executed correctly at runtime, how can they work well in a scheduled task?
Anyway, the biggest problem seems to be in PHP (index.php):
PHP Notice: Undefined index: logout in C:\Reports\auditweb\index.php on line 3
PHP Notice: Undefined index: username in C:\Reports\auditweb\index.php on line 25
PHP Notice: Undefined index: password in C:\Reports\auditweb\index.php on line 26
PHP Notice: Undefined index: formage in C:\Reports\auditweb\index.php on line 27
PHP Notice: Undefined index: oldform in C:\Reports\auditweb\index.php on line 29
PHP Notice: Undefined variable: failed in C:\Reports\auditweb\index.php on line 91
Is there any special configuration I need to do for Active Directory?
Regards.
Red.
This solves the PHP part. Change
$message = $_GET['message'];
to this:
$message = isset($_GET['message']) ? $_GET['message'] : '';
Red.
Great. Thank you for this feedback… and sorry for my bad support 🙂
I thought I had worked out all my bugs, but now I am not getting data written to the database. In the auditad2 task I am getting: Task Scheduler launched "{0000000-0000-0000-00000000000}" instance of task "\auditad2" according to event trigger.
Has anyone else had any issues writing to the MySQL DB? I am doing a tcpdump on the LAMP server and I have verified that it is connecting, but there is no data in the table. Oh, I verified the ps1 script to make sure I had the table name correct.
From the above discussion, it should be:
"There is a bug with the PowerShell cmdlet Get-WinEvent. The locale must be set to en-US. Could you please try?"
Really unable to solve PHP related errors
PHP Notice: Undefined variable: chk_username in C:\Reports\auditweb\main.php on line 17
PHP Notice: Undefined variable: user_input in C:\Reports\auditweb\main.php on line 17
PHP Notice: Undefined variable: sessid_input in C:\Reports\auditweb\main.php on line 17
PHP Notice: Undefined variable: chk_sess_id in C:\Reports\auditweb\main.php on line 17
PHP Notice: A session had already been started – ignoring session_start() in C:\Reports\auditweb\main.php on line 3
Red.
Hi, I just got my system successfully scanned and the result was great. Thanks for sharing this wonderful tool.
Thank you for your comment. Appreciated 😉
Hi! I managed to get it working on Windows Server 2012 R2.
– I can access the website, with the defined security groups (Domain Admins)
– Collector working. I open the Event Viewer and see the events of the domain controller
– The PowerShell script does run as a scheduled task, no errors shown there
– PowerShell script edited with the path for MySQL: LoadFrom("C:\Program Files (x86)\MySQL\MySQL Connector Net 6.9.8\Assemblies\v2.0\MySQL.Data.dll")
– Also edited the options for user, password and IP
It does not populate the MySQL database at all. The size is always the same, even when I can see the forwarded events on the collector.
One thing: Collector, IIS Server and MySQL are the same Server. Everything running on the same box.
Any Idea?
Thanks a lot.
Hi Nicolas, first congratulations on the tutorial, the project looks good. I have some issues because really... it does not work for me.
It does not work when I put the user in the portal. I followed all the steps; I installed the CentOS version but it is the same.
I uncompressed the website archive on the LAMP server inside the html folder and then installed the mcrypt module, but it does not work. If I try to access by https it does not work; if I try to access by http the page works but does not validate the AD accounts.
can you help please?
Best regards!
Hello Jay,
I will contact you with your email to find with you what kind of problem you have.
Cheers
Nico
Hello,
Thanks for the manual, good job. I have an issue: I can access the portal, but when I search for any log the portal remains at "Loading..." forever and shows "Showing 0 to 0 of 0 entries". Do you know why I have this issue?
Thanks a lot
Method
Hello,
I will contact you with your email to find with you what kind of problem you have.
Cheers
Nico
Thanks Nicolas,
For now I can't find the solution; it seems that everything is good but it does not work 🙁
Hi Nico,
I have checked the process from the beginning, but I can't find the solution. Here is what I did: when I enter the portal everything seems OK, I can authenticate from AD with the portal group 1. But when I execute the query the screen remains "Loading" forever.
Any idea?
Kind Regards
Hello Jay,
I have sent you an email.
Cheers
Nico
Hi, if I want to add events, for example event IDs 4741, 4742 and 4743, do I only have to modify the XML and the ps1 script?
Thanks!
Hello BarrozoA,
Yes you are right. Have a nice day.
Regards,
Nico
Sorry, I have this problem on the event collector: "StdErr=[Import-Module : The specified module 'Activedirectory' was not loaded because no valid module file was found in any module directory. At C:\PROGRA~3\ACTIVE~1\NETWOR~1\Scripts\MONITO~2\EVENTS~1.PS1:35 char:14+ import-module <<<< Activedirectory + Catego...]"
Hi, I just got everything installed and I can get to the web page using https, but every login says failed. This is the last part that I cannot get working. I have a feeling it is my config, but I am not sure what it is.
I have a 2012 R2 server as the collector and the logs are being forwarded successfully. The database is on CentOS 7 and is also getting populated, as I can see the rows in phpMyAdmin.
Any assistance would be great.
Thanks
Hi,
I am not sure what I am doing wrong, but no matter how I configure the web part, I always get "Login Failed!".
I originally had the web server on CentOS but moved it to Ubuntu thinking it was something there, but I have the same issue. I am not sure if my config is 100% correct in terms of what the adLDAP connection needs. Any insight would be appreciated.
Thanks
Hello Russ,
I was not available these days. If you are ok, I can propose to contact you on Monday.
Regards
Nico
That is fine with me. Did not realize that I had posted twice. You can contact me via email, that is no problem. Thanks
Can someone explain how to configure the website on the LAMP server? Where are the folders copied to? There is no documentation, etc.
Hello Steve, thank you for your message. I will try to answer your questions and to install this tool properly. I will send you an email. Regards
I am getting the home page using http. After deploying an SSL certificate on CentOS 7, https://Servername shows "page cannot be displayed".
Moreover, the io.security file contains CN=Users,DC=mydomain,DC=local.
Please advise
Hi Nicolas HAHANG,
I deployed the script on Windows 2012 and CentOS 7 with https. I am not able to log in to the portal using AD credentials; it says login failed. Mcrypt is also installed.
Please help to resolve the issue.
Where does the auditweb.tar.gz contents need to reside on an Ubuntu 16.04 server?
Hello George,
A new version has been uploaded to the website. Please use this new version and extract the content in the folder /var/www/html/
This is the default web server root folder in Ubuntu 16.04
Do not hesitate to contact me in case of problem.
Cheers
Nico
For optimization:
-- in api.php --
http://php.net/manual/fr/function.parse-str.php
-- in main.php --
https://github.com/rainabba/jquery-table2excel
& upgrade to Font Awesome 4.7.0 for icons
===
http://js/jquery.table2excel.js
===
Export to Excel
===
$("#btn-export2excel").click(function () {
    $("#dataTables").table2excel({
        exclude: ".noExl",
        name: "AD Audit",
        filename: "ADAudit",
        fileext: ".xls",
        exclude_img: true,
        exclude_links: true,
        exclude_inputs: true
    });
});
-- in .ps1 --
#$datetime_new = get-date $date -format "yyyy-MM-dd HH:mm:ss"
$datetime_new = get-date $date -format "yyyy-MM-dd HH:mm:ss.fff"
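The parse_str() link in the comment above deserves a caveat: called with a single argument, parse_str() writes every key of the query string into a PHP variable of that name in the current scope, so a request such as ?table=...&limit=... can overwrite whatever variables api.php already holds (the same hazard as register_globals; the one-argument form was removed in PHP 8). The example below is added here and is not the project's api.php: it parses into an array, whitelists the sortable columns, clamps the paging values and binds the rest through a mysqli prepared statement. The parameter names, the table name and all column names other than evt_date (which the thread mentions) are assumptions.

```php
<?php
// Added example, not the project's api.php: safe handling of a query string
// for a DataTables-style endpoint. Requires PHP >= 5.6 (array constants).

// Columns the client may sort on. Assumed names, except evt_date which the
// thread mentions; anything outside this list falls back to evt_date.
const SORTABLE_COLUMNS = array('evt_date', 'evt_id', 'evt_user', 'evt_target');

// Parse the raw query string into validated parameters.
function parse_api_query($query_string)
{
    // The second argument is what makes this safe: without it, parse_str()
    // would define $start, $order, ... as local variables from client input.
    $params = array();
    parse_str($query_string, $params);

    $start  = isset($params['start'])  ? max(0, (int) $params['start'])           : 0;
    $length = isset($params['length']) ? min(500, max(1, (int) $params['length'])) : 25;
    $column = isset($params['order']) && in_array($params['order'], SORTABLE_COLUMNS, true)
            ? $params['order'] : 'evt_date';
    $dir    = isset($params['dir']) && strtoupper((string) $params['dir']) === 'ASC' ? 'ASC' : 'DESC';
    $search = isset($params['search']) ? substr((string) $params['search'], 0, 100) : '';

    return array('start' => $start, 'length' => $length, 'column' => $column,
                 'dir' => $dir, 'search' => $search);
}

// Build the SELECT as a prepared statement. Column name and direction are
// interpolated only because they come from the whitelist above; the search text
// and the paging values go through bind_param. Table name "events" is assumed.
function build_events_query(mysqli $db, array $p)
{
    $sql = "SELECT evt_date, evt_id, evt_user, evt_target FROM events"
         . " WHERE evt_user LIKE ? OR evt_target LIKE ?"
         . " ORDER BY {$p['column']} {$p['dir']} LIMIT ?, ?";
    $stmt = $db->prepare($sql);
    $like = '%' . $p['search'] . '%';
    $stmt->bind_param('ssii', $like, $like, $p['start'], $p['length']);
    return $stmt;
}

// Offline self-check on a constructed, hostile query string: the order value
// tries to inject SQL, the paging values are out of range, and a stray key
// named "params" tries to clobber the local array. Returns true when every
// value has been forced back into the allowed range.
function parse_api_query_selftest()
{
    $qs = 'start=-5&length=999999&order=evt_date;DROP TABLE events&dir=desc;--'
        . '&search=' . rawurlencode('admin%') . '&params=evil';
    $p  = parse_api_query($qs);
    return $p['start'] === 0
        && $p['length'] === 500
        && $p['column'] === 'evt_date'
        && $p['dir'] === 'DESC'
        && $p['search'] === 'admin%';
}

// Usage inside api.php, assuming $db is an open mysqli connection:
//   $stmt = build_events_query($db, parse_api_query($_SERVER['QUERY_STRING']));
//   $stmt->execute();
//   echo json_encode($stmt->get_result()->fetch_all(MYSQLI_ASSOC));
```

The ORDER BY clause is the one place where a bound parameter cannot be used, which is why the column and direction are restricted to fixed lists before they reach the SQL string; everything a user can type freely travels as a bound value.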
Hello,
What is the license of your software? Is it reusable for free? Thanks
Hello. Yes it is free. But if you want to make a donation it will be appreciated. Thanks!
OK, so I can reuse it freely (personal and commercial usage)?
Hello,
You can reuse it freely only for personal use. If you want to reuse it for commercial usage, please contact me at user01062008@shellandco.net
Thank you and have a nice day