
Purpose:
The purpose of this project is to audit Active Directory changes related to account and GPO management and to display these changes in a readable way.

This solution is based on several technologies:

  • Microsoft Windows Event Forwarding
  • MySQL database to keep the event history
  • PowerShell to send the events to the MySQL database
  • PHP/jQuery and Bootstrap CSS for the web interface

The following events are captured:

Event ID  Description
4728      A member was added to a security-enabled global group
4732      A member was added to a security-enabled local group
4756      A member was added to a security-enabled universal group
4751      A member was added to a security-disabled global group (distribution list)
4746      A member was added to a security-disabled local group (distribution list)
4761      A member was added to a security-disabled universal group (distribution list)
4729      A member was removed from a security-enabled global group
4733      A member was removed from a security-enabled local group
4757      A member was removed from a security-enabled universal group
4752      A member was removed from a security-disabled global group (distribution list)
4747      A member was removed from a security-disabled local group (distribution list)
4762      A member was removed from a security-disabled universal group (distribution list)
4727      A security-enabled global group was created
4731      A security-enabled local group was created
4754      A security-enabled universal group was created
4730      A security-enabled global group was deleted
4734      A security-enabled local group was deleted
4758      A security-enabled universal group was deleted
4749      A security-disabled global group was created
4744      A security-disabled local group was created
4759      A security-disabled universal group was created
4753      A security-disabled global group was deleted
4748      A security-disabled local group was deleted
4763      A security-disabled universal group was deleted
4720      A user account was created
4722      A user account was enabled
4723      An attempt was made to change an account's password
4724      An attempt was made to reset an account's password
4725      A user account was disabled
4726      A user account was deleted
4738      A user account was changed
4740      A user account was locked out
4767      A user account was unlocked
4781      The name of an account was changed
5136      A directory service object was modified
5137      A directory service object was created
5138      A directory service object was undeleted
5139      A directory service object was moved
5141      A directory service object was deleted

This diagram shows how the solution works:

Requirements
– Event collector: can be installed on an existing domain controller
– Install MySQL Connector/Net on the event collector machine; during the setup select only the following features: Core components and Entity Framework support
– LAMP server on an Ubuntu server: can be installed on a virtual machine
– 2 processors or a dual-core machine
– 2 GB RAM
– 20 GB hard disk space

Useful documentation:

Procedure to configure the event forwarding

    • Run the following command on all the domain controllers: winrm quickconfig
      (this also creates a firewall exception for the WinRM HTTP listener on every profile; scope that rule to the collector's address afterwards)
    • Run the following command on the event collector machine: wecutil qc
    • Define an event subscription per domain on the event collector machine
      • Open the Server Manager
      • Go to Diagnostics > Event Viewer > Subscriptions, right click and then click on “Create Subscription”
      • Fill in the fields as shown and then click on the button “Select Computers”
      • Click on the button “Add Domain Computers” and add the FQDN of your domain controllers
      • Click on the button “Select Events” > XML tab > tick the checkbox “Edit query manually” and paste the following XML code
      • Click on the button “Advanced” on the main “Subscription Properties” window, tick the “Specific User” option and then click on the button “User and Password” to enter the credentials of a user account that has read access to the source logs. Membership of the Event Log Readers group is enough to read the Security log on a domain controller; do not use a Domain Admin account here, because these credentials are stored on the collector.
      • Validate and close the windows by clicking on the “OK” buttons
    • The subscriptions will appear on the right side as shown below
    • You can monitor the subscription status by clicking on it and then on “Runtime Status”. This window is where to troubleshoot if you have any problem or error message.
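
The steps above, as an added PowerShell example that is not part of the original article: it builds the Security-log XPath filter from the event IDs in the table, checks that the event log accepts the query before it is pasted into the subscription, and reads the same runtime status the GUI shows. The subscription name AuditAD and the domain controller dc01.corp.example are assumptions; run it on the collector.

```powershell
# Added example, not part of the original article: build the Security-log
# XPath filter from the event IDs in the table above, check that the event
# log accepts it before it goes into the subscription, and read the
# subscription's runtime status from the command line. Assumed names:
# subscription 'AuditAD', domain controller 'dc01.corp.example'.

# Event IDs from the article's table, by family
$groupIds   = (4727..4734) + 4744 + (4746..4749) + (4751..4754) + (4756..4759) + (4761..4763)
$accountIds = 4720,4722,4723,4724,4725,4726,4738,4740,4767,4781
$dsIds      = 5136,5137,5138,5139,5141

function New-EventIdClause([int[]]$Ids) {
    # '(EventID=4720 or EventID=4722 ...)': the event log XPath subset has no
    # set-membership operator, so the list is spelled out
    '(' + (($Ids | ForEach-Object { "EventID=$_" }) -join ' or ') + ')'
}

# Directory-object events are restricted to OUs and Group Policy containers;
# 5136 on its own would forward every attribute write in the domain.
$xpath = "*[System[$(New-EventIdClause ($groupIds + $accountIds))] or " +
         "(System[$(New-EventIdClause $dsIds)] and " +
         "EventData[Data[@Name='ObjectClass']='organizationalUnit' or " +
         "Data[@Name='ObjectClass']='groupPolicyContainer'])]"

$queryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$xpath</Select>
  </Query>
</QueryList>
"@

function Test-EventQuery([string]$Xml) {
    # Get-WinEvent uses the same XPath engine as the collector, so a query it
    # rejects ('The specified query is invalid', typically a typo or the curly
    # quotes a web page or word processor substitutes) fails in the
    # subscription too. An empty result is not a syntax error.
    try {
        Get-WinEvent -FilterXml ([xml]$Xml) -MaxEvents 5 -ErrorAction Stop | Out-Null
        return $true
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return $true }
        Write-Warning "Query rejected: $($_.Exception.Message)"
        return $false
    }
}

if (Test-EventQuery $queryXml) {
    # Paste the content of this file under Select Events > XML > Edit query manually
    $queryXml | Set-Content -Path .\auditad-subscription-query.xml -Encoding UTF8
}

# Once the subscription exists, the same Runtime Status the GUI shows,
# including the per-source last error:
wecutil gr AuditAD
wecutil gs AuditAD
# WinRM reachability from the collector to one DC (winrm quickconfig on the DC
# created the HTTP listener on 5985 and its firewall rule):
winrm id -r:http://dc01.corp.example:5985
```

Validating with Get-WinEvent first is cheap insurance: the subscription dialog reports a rejected query only as a generic error, and a subscription with a broken filter silently collects nothing.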

Procedure to configure the LAMP server

    • Install the database by running the following SQL code
    • Create two dedicated MySQL accounts instead of reusing root: one for the collector script, granted only INSERT on the audit tables, and one for the web interface, granted only SELECT. The script stores its database password in clear text, so the account it uses should not be able to do anything beyond writing rows.

Procedure to configure the event capture script

    • On the event collector, copy the following script

  • The script above requires configuration:
    • line 4: update the path where the file MySQL.Data.dll is located on your system
    • lines 26-29: enter your own database credentials and server IP address (the script now contains a password, so restrict its NTFS permissions to administrators)
  • Create a new scheduled task on the event collector server (screenshot: sched_auditad1)
  • On the “Triggers” tab, click New and configure a trigger of type “On an event” with a custom filter on the Forwarded Events log, as shown (screenshots: sched_auditad2, sched_auditad3)
  • On the “Actions” tab, click New and fill in the following:
    – Program/script: powershell.exe
    – Add arguments: \\server\script_share\event_ad.ps1 -eventRecordID $(eventRecordID)
    The task runs with the privileges of its account on the collector, which is often a domain controller, so anyone who can write to the script or its share can execute code there. Prefer a local path that only administrators can modify.
  • On the “Settings” tab, configure as shown (screenshot: sched_auditad4)
  • Close the window to finish the scheduled task creation

  • Right click on the newly created scheduled task > Export (XML file)
  • Open the XML file with your favorite text editor
  • Insert the following lines here (screenshot: sched_auditad5). They map the event's EventRecordID to the $(eventRecordID) variable used in the action; the Task Scheduler GUI cannot add them, which is why the task is edited as XML.
  • Delete the scheduled task, then right click > Import and select the modified XML file
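
The script and scheduled-task steps above, as one added PowerShell example; this is not the article's event_ad.ps1. Run with -Install it registers the event-triggered task directly from XML, including the ValueQueries element that makes $(eventRecordID) resolve, so the export/edit/import round trip is not needed; when the task fires it reads that forwarded event from the collector's Forwarded Events log and inserts it with a parameterised query. The Connector/Net DLL path, the connection string, the table auditad.events and its column names, and the task name AuditAD-Event are assumptions to adapt to your own setup.

```powershell
# Added example; this is not the article's event_ad.ps1. With -Install it
# registers the event-triggered task the article builds by hand, including the
# ValueQueries element that makes $(eventRecordID) resolve; when the task fires
# it reads that forwarded event and inserts it with a parameterised query.
# Assumptions (placeholders): DLL path, connection string, table auditad.events
# with the columns named in the INSERT, task name 'AuditAD-Event'.
param(
    [long]$eventRecordID,
    [string]$sourceComputer,
    [switch]$Install
)
$self       = $MyInvocation.MyCommand.Path
$taskName   = 'AuditAD-Event'
$dllPath    = 'C:\Program Files (x86)\MySQL\MySQL Connector Net 6.9.8\Assemblies\v4.5\MySQL.Data.dll'
$connString = 'Server=10.0.0.5;Database=auditad;Uid=auditad_writer;Pwd=CHANGE-ME;SslMode=Required'

# Event IDs from the article's table
$eventIds = (4727..4734) + 4744 + (4746..4749) + (4751..4754) + (4756..4759) + (4761..4763) +
            4720,4722,4723,4724,4725,4726,4738,4740,4767,4781 + 5136,5137,5138,5139,5141
$idClause = '(' + (($eventIds | ForEach-Object { "EventID=$_" }) -join ' or ') + ')'

if ($Install) {
    # Task Scheduler exposes event fields to the action only through
    # <ValueQueries>; each Value name becomes a $(name) token in Arguments.
    # The subscription is XML escaped inside XML, hence &lt; and &gt;.
    $taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="ForwardedEvents"&gt;&lt;Select Path="ForwardedEvents"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and $idClause]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="eventRecordID">Event/System/EventRecordID</Value>
        <Value name="sourceComputer">Event/System/Computer</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -File "$self" -eventRecordID `$(eventRecordID) -sourceComputer "`$(sourceComputer)"</Arguments>
    </Exec>
  </Actions>
</Task>
"@
    # The task runs as SYSTEM on the collector, so write access to this script
    # file is code execution there: keep it on a local, admin-only path.
    $tmp = Join-Path $env:TEMP 'auditad-task.xml'
    Set-Content -Path $tmp -Value $taskXml -Encoding Unicode
    schtasks.exe /Create /TN $taskName /XML $tmp /F | Out-Null
    Remove-Item $tmp
    return
}

# Handler path, one run per matching forwarded event. Record IDs are
# per-source, so two DCs can forward the same number; Computer disambiguates.
$filterXml = [xml]@"
<QueryList><Query Id="0" Path="ForwardedEvents">
  <Select Path="ForwardedEvents">*[System[EventRecordID=$eventRecordID and Computer='$sourceComputer']]</Select>
</Query></QueryList>
"@
$evt = Get-WinEvent -FilterXml $filterXml -MaxEvents 1 -ErrorAction Stop

# Flatten <Data Name="...">value</Data> into a hashtable keyed by Name
$data = @{}
foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }

# Invariant culture: the separators in a custom date format follow the locale,
# and a string MySQL cannot parse is stored as 0000-00-00 00:00:00 in
# non-strict mode.
$evtDate = $evt.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)

[void][Reflection.Assembly]::LoadFrom($dllPath)
$conn = New-Object MySql.Data.MySqlClient.MySqlConnection($connString)
$conn.Open()
try {
    # Bind as parameters, never by concatenation: account and group names are
    # chosen by whoever made the change, so they are attacker-influenced input.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'INSERT INTO events (evt_date, evt_id, evt_source, evt_subject, evt_target, evt_data) VALUES (@date, @id, @source, @subject, @target, @data)'
    $bind = @{ '@date' = $evtDate; '@id' = $evt.Id; '@source' = $evt.MachineName
               '@subject' = $data['SubjectUserName']; '@target' = $data['TargetUserName']
               '@data' = ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';' }
    foreach ($p in $bind.GetEnumerator()) {
        [void]$cmd.Parameters.AddWithValue($p.Key, $(if ($null -eq $p.Value) { [DBNull]::Value } else { $p.Value }))
    }
    Write-Output ("record {0} from {1}: {2} row(s) inserted" -f $eventRecordID, $evt.MachineName, $cmd.ExecuteNonQuery())
} finally {
    $conn.Close()
}
```

Install once from an elevated prompt on the collector with `.\event_ad_example.ps1 -Install`; afterwards every forwarded event matching the trigger runs the handler path with the record ID and source computer filled in by Task Scheduler.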

Procedure for the website

  • Download the website
  • Uncompress the archive on the LAMP server
  • VERY IMPORTANT: the website must be served over HTTPS, since the login form carries domain credentials (thank you to Johannes Rudloff)
  • When you install mcrypt, you have to enable it and then restart the web server:
    • sudo php5enmod mcrypt
    • sudo service apache2 restart
    These commands apply to PHP 5.x on Ubuntu; the mcrypt extension was deprecated in PHP 7.1 and removed from core in PHP 7.2.

The documentation is very basic, so do not hesitate to contact me or leave a comment if you need some help!

Web interface screenshots (Snap34, Snap36, Snap35, Snap37; images not reproduced)

94 thoughts on “Audit the Active Directory FREE”

  • August 19, 2014 at 08:56
    Permalink

    Hi,

    Thanks for the wonderful auditing scripts, but somehow the website stays blank after login and gives me no error message at all. The only errors in the Apache error log are PHP notices about undefined variables and indices.
    In the PowerShell script, if I uncomment line 166 there is a missing bracket. Shouldn't there be some kind of loop?

    Best regards and thank you very much for your effort
    Johannes

    Reply
    • August 19, 2014 at 09:29
      Permalink

      Never mind the uncommenting, but I had to comment out lines 195-202 too.

      Reply
      • August 19, 2014 at 11:52
        Permalink

        Hello Johannes,

        Did you try to launch the PowerShell script? Do you have any error codes or messages?
        Are you sure you have set the locale to en-US on the machine where you are running the script?

        Thank you for your feedback

        Reply
        • August 19, 2014 at 12:10
          Permalink

          Hi Nicolas,

          Thanks for your fast response. The locale is set to en-US. The PowerShell script ran fine. The only problem for me is the website. The MySQL database has been filled nicely with entries, but I have no chance to enter the website. config.ini and the @.security file have been configured for our domain, but still no success. Are there any other prerequisites to fulfil for Apache? I have installed a fresh Ubuntu 14.04 Server with apache2, mysql, php5 and php5-ldap. phpinfo shows LDAP enabled.

          thanks for your help

          Reply
  • Pingback: Monitor a resource failover on a cluster - shell {&} co

  • September 3, 2014 at 21:38
    Permalink

    I’m having a problem running the powershell script. The error is listed below.

    Get-WinEvent : The specified query is invalid
    At C:\Temp\event_ad.ps1:163 char:22
    + $event = Get-WinEvent <<<< -FilterXml $xml_filter
    + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
    + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
    nEventCommand

    Reply
    • September 4, 2014 at 15:13
      Permalink

      The script cannot be run directly from the command prompt. You have to follow the whole documentation and create the requested scheduled task to make it work properly. Thank you. Do not hesitate to give me feedback or ask if you have any other questions.

      Reply
      • September 4, 2014 at 22:55
        Permalink

        Nicolas,

        Thanks for the explanation regarding the powershell script. What would cause 0000-00-00 00:00:00 to be the only data sent from the event collector to the db?

        Reply
        • September 4, 2014 at 23:30
          Permalink

          There is a bug with the PowerShell cmdlet Get-WinEvent. The locale must be set to en-US. Could you please try?

          Reply
          • September 5, 2014 at 16:11
            Permalink

            That did the trick. Thank you.

    • February 1, 2017 at 21:28
      Permalink

      What was your solution? I have the same problem that you point out.

      Reply
  • September 5, 2014 at 19:06
    Permalink

    Nicolas,

    I want to restrict access to the web portal to a specific AD group. I've added this AD group into the @.security file, but I'm still able to log on to the web portal with any AD account. Am I setting AD group access in the wrong place?

    Thanks for all your help,
    Bob

    Reply
    • September 8, 2014 at 14:26
      Permalink

      Bob,

      Could you please send me an email (nicolas.hahang@gmail.com) with the content of your @.security file? Thank you in advance.

      Reply
      • September 8, 2014 at 22:36
        Permalink

        Nicolas,

        I rebooted the portal and authentication is working as expected. Thanks for all your help and for sharing this great tool.

        Bob

        Reply
  • Pingback: Audit the Active Directory FREE - shell {&} co

  • Pingback: Audit Active Directory 2 - shell {&} co

  • September 21, 2014 at 22:07
    Permalink

    Hi!

    I've got a problem. I've installed two instances of this, one on Server 2008 R2 and one on Server 2012 (replacing LAMP with WIMP). The Server 2012 one works nicely, but the 2008 R2 one gives me just a blank website after entering it. Any idea what it might be?

    Reply
    • September 22, 2014 at 08:16
      Permalink

      Hello,
      If you have a blank screen after a successful logon, the cause is probably one of the following:
      – the web server has not been restarted
      – the web server is not using HTTPS

      Regards

      Reply
      • September 24, 2014 at 00:22
        Permalink

        A follow-up question from someone who is not good at PHP... If I don't want it to use LDAP but a defined user/password from a file, the database or another “non-domain” connection to establish a login, how would I go about doing that?

        Reply
  • October 17, 2014 at 20:28
    Permalink

    I am getting a blank page after login in Chrome, and an HTTP 500 Internal Server Error page after login in IE9. I have SSL enabled (and appears to be working) on the site. Any advice?

    Reply
    • October 17, 2014 at 20:51
      Permalink

      I am on Ubuntu 14.04; this is needed:
      sudo php5enmod mcrypt
      sudo service apache2 restart

      Reply
      • May 29, 2015 at 13:59
        Permalink

        I applied mcrypt and restarted apache2, and then I cannot log on. Before, it was no problem, but I had a blank white screen 🙁 ... any suggestions?

        Reply
      • May 29, 2015 at 14:15
        Permalink

        Without mcrypt I can log in to the website with my AD account; with mcrypt installed I can't log on and I receive no message. Can you help me, Nicolas?

        Reply
        • June 2, 2015 at 07:32
          Permalink

          Hello Heiko,
          Sorry for the late answer. Normally, if you use mcrypt and the HTTPS protocol, it will work as expected. Could you please confirm?

          Reply
  • Pingback: Active Directory Health Check, Audit and Remediation Scripts

  • March 3, 2015 at 20:36
    Permalink

    I followed the instructions (I used a CentOS server because that is what was available) and I am unable to log in to the portal. It keeps saying that the login failed. I entered my domain information in the config, and the group in the security file. What else can be checked? Thanks

    Reply
    • March 3, 2015 at 20:44
      Permalink

      Actually, forget that last post. I was able to “login”, but I am getting a white screen and nothing more.

      Reply
      • March 5, 2015 at 10:24
        Permalink

        Hello,

        As discussed, the PHP module mcrypt is required. I hope everything is working fine.

        Nicolas HAHANG

        Reply
  • March 16, 2015 at 21:19
    Permalink

    I cannot seem to get events 5136-5141 sent to the DB (or at least to show up in the web interface). At first only 5136+ for GPO changes were showing up on the Windows server (the one with the subscription), then I added to the subscription for ObjectClass: or Data="user"

    After that, in the Forwarded Events log there are events for 5136 relating to user changes, but these events do not show up in the website (GPO events do show up, though). Any advice?

    Reply
  • March 23, 2015 at 11:55
    Permalink

    Congratulations on the solution; it will make life easier for many network administrators in AD log analysis.
    Are there any plans to extend it to file server log analysis?

    Reply
    • March 27, 2015 at 15:16
      Permalink

      Hello,

      File server auditing generates a lot of logs... but the current solution can be used to analyze file server logs. You just have to configure the event IDs you want... For the moment I don't have time, but probably in the near future.

      Reply
  • May 14, 2015 at 03:00
    Permalink

    Hello,

    I am trying to deploy this tool for testing.

    However, I got stuck at setting up the web GUI. I can't log in to the portal successfully.

    Can I know which module controls user login?

    I have edited the @.security file.

    Below is the content:
    CN=Domain Admins,CN=Users,DC=TestAD,DC=test

    But I still can't log in, no matter whether I use an AD account or a local account.

    I am new to Ubuntu. Am I missing something? Please advise.

    Best Regards,
    Anthony

    Reply
    • June 2, 2015 at 07:47
      Permalink

      Hello Anthony,

      Sorry for the late answer. Can you try to use the DN of an AD object located in an OU and not in a default container?
      Thank you in advance for your feedback

      Reply
  • May 26, 2015 at 22:56
    Permalink

    Are the events kept forever, or is there a way to auto-prune data after a set period?

    Reply
    • June 2, 2015 at 07:36
      Permalink

      Hello Yan,

      Sorry for the late answer. There is no auto-prune function. I have been using this tool since 2012. The database size is about 1 GB. But this suggestion could be an interesting enhancement.

      Reply
  • June 2, 2015 at 08:26
    Permalink

    Hello, I can confirm this. I have installed mcrypt and SSL. After installing mcrypt I can't log on; no message, nothing, only the logon screen again. No errors in my Apache logs. When I remove mcrypt from my server I receive a blank white screen after entering the credentials.

    Reply
  • June 20, 2015 at 07:00
    Permalink

    Hi Nic,

    I have installed php5-mcrypt, but if I type https://servername it gives me “page cannot be found”. But if I use http the page opens, and after login it gives me a blank page. Please help me.

    Thank you

    Reply
  • June 20, 2015 at 07:57
    Permalink

    Nic,

    I configured Apache to use SSL. I can log in to the portal with https://servername. But when I log in with my username and password, I get a blank page (“white page”). mcrypt is installed. Am I doing something wrong?

    Thank you.

    Reply
  • June 23, 2015 at 00:55
    Permalink

    Can anyone please help me?

    Reply
    • June 23, 2015 at 05:19
      Permalink

      Hello Steve, sorry for the late answer. This project does not support special characters. Can you tell me the content of your security file? Thank you

      Reply
  • June 23, 2015 at 17:01
    Permalink

    Hello Nic, thank you for your reply... I checked the security event filter and it was wrong; it was the default. When I copied and pasted the filter below it gives me the error “The event log query specified is invalid”. Am I doing something wrong?

    Thank you.

    *[(System[((EventID >= 5136 and EventID <= 5139) or EventID=5141)] and EventData[(Data[@Name="ObjectClass"] and (Data="organizationalUnit" or Data="groupPolicyContainer"))]) or (System[(EventID = 5136)] and EventData[(Data="gPCMachineExtensionNames")]) or (System[(EventID=4720 or (EventID >= 4722 and EventID <= 4734) or EventID=4738 or EventID=4740 or EventID=4744 or (EventID >=4746 and EventID <= 4749) or (EventID >= 4751 and EventID <= 4754) or (EventID >= 4756 and EventID <= 4759) or (EventID >= 4761 and EventID <= 4763) or EventID=4767 or EventID=4781)])]

    Reply
    • June 23, 2015 at 17:04
      Permalink

      This is the security filter:

      *[(System[((EventID >= 5136 and EventID <= 5139) or EventID=5141)] and EventData[(Data[@Name="ObjectClass"] and (Data="organizationalUnit" or Data="groupPolicyContainer"))]) or (System[(EventID = 5136)] and EventData[(Data="gPCMachineExtensionNames")]) or (System[(EventID=4720 or (EventID >= 4722 and EventID <= 4734) or EventID=4738 or EventID=4740 or EventID=4744 or (EventID >=4746 and EventID <= 4749) or (EventID >= 4751 and EventID <=4754) or (EventID >= 4756 and EventID <= 4759) or (EventID >= 4761 and EventID <=4763) or EventID=4767 or EventID=4781)])]

      Reply
      • June 23, 2015 at 17:26
        Permalink

        Hello Steve,
        I am talking about the file called @.security on the web server that contains the DN of each group authorized to log in. Is it properly filled with no special characters? The event filter you are talking about can be kept at the default.

        Reply
  • June 23, 2015 at 18:33
    Permalink

    Hello Nic, the DN is cn=IT,ou=IT, dc=cyber,dc=com

    where cn=IT -> the group name is IT, ou=IT -> the OU name is IT.

    Thank you.

    Reply
    • June 23, 2015 at 19:32
      Permalink

      Try a login with a bad password, and another with correct credentials, and give me the result

      Reply
  • June 23, 2015 at 21:28
    Permalink

    If I try with a bad password, it gives me the error “Login Failed!”; with the correct password I get a blank page (“white page”).

    Thank you.

    Reply
    • June 23, 2015 at 21:32
      Permalink

      Can you confirm you are using HTTPS? I will send you some changes by email tomorrow to troubleshoot the issue. Regarding the events, is it OK with the script and the database?

      Reply
  • June 23, 2015 at 22:59
    Permalink

    Thank you Nic,

    Yes, I am using HTTPS: https://server_ipaddress. Sorry, I am new to databases, but the settings like database name and table name are correct in the script. I can see the database space usage is 16 KB. Again, thank you for your usual responses. I will be expecting your email.

    Reply
    • June 24, 2015 at 09:22
      Permalink

      Hello,

      Could you please update the file main.php with these lines and give me the output:
      $acl = array();
      $acl = array_intersect($groupArray[0]["memberof"], $sec_arr_trim);
      $session_timeout = 3600;

      // LINES TO ADD - BEGIN
      echo "----username : $username---\n";
      echo "----acl : ".var_dump($acl)."---\n";
      echo "----cookie user : $cookie_user---\n";
      echo "----cookie sessid : $cookie_sessid---\n";
      echo "----cookie diff : $cookie_diff---\n";
      echo "----session timeout : $session_timeout---\n";
      // LINES TO ADD - END

      auth_check($acl, $cookie_user, $cookie_sessid, $cookie_diff, $session_timeout);

      Thank you

      PS: use the Chrome browser and open the developer interface (“Inspect element” when you right click on the page)

      Reply
  • June 24, 2015 at 15:36
    Permalink

    Hello, below is the output

    accessKey: “”
    attributes: NamedNodeMap
    baseURI: “https://192.168.0.15/index.php”
    childElementCount: 2
    childNodes: NodeList[2]
    children: HTMLCollection[2]
    classList: DOMTokenList[0]
    className: “”

    Reply
    • June 24, 2015 at 15:39
      Permalink

      Could you please send me the beginning of the HTML result (developer tools, Elements tab) to check the output?

      Reply
  • July 6, 2015 at 07:39
    Permalink

    Hi. I have a problem with a blank screen after login.
    HTTPS, mcrypt and @.security are on and correct, but in the Apache log I have errors:
    Key of size 26 not supported by this algorithm. Only keys of sizes 16, 24 or 32 supported in /var/www/adaudit/index.php on line 50
    Line 50 is
    $cookie_crypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, session_id(), $username.",".time().",".session_id(), MCRYPT_MODE_ECB);
    I tried to add the debug to main.php and got the same blank page.
    Any suggestions?

    Reply
    • July 6, 2015 at 15:09
      Permalink

      Hello Igor, have you run the php5enmod command?

      Reply
  • July 6, 2015 at 19:47
    Permalink

    Yes. I think the problem is my PHP version; it's too high for this (5.6.7). I disabled mcrypt and rewrote mysql to mysqli. It works, but now I have some JSON errors with the DB. Maybe if you have time you could update the web part for the new PHP. Anyway, thank you!

    Reply
  • August 18, 2015 at 21:20
    Permalink

    Hi,
    I tried to add the log filter on the subscription, but it shows me “The event log query specified is invalid”

    *[(System[((EventID >= 5136 and EventID = 4722 and EventID =4746 and EventID = 4751 and EventID = 4756 and EventID = 4761 and EventID <=4763) or EventID=4767 or EventID=4781)])]

    What is wrong?

    Windows 2008 SP2

    Thanks

    Reply
  • August 18, 2015 at 21:25
    Permalink

    I think the blog suppressed the content,

    *[(System[((EventID >= 5136 and EventID = 4722 and EventID =4746 and EventID = 4751 and EventID = 4756 and EventID = 4761 and EventID <=4763) or EventID=4767 or EventID=4781)])]

    Reply
    • August 20, 2015 at 07:27
      Permalink

      Hello Augusto,

      You have to copy the filter from the article. It works fine on a server running Windows Server 2008 R2.

      Reply
  • September 28, 2015 at 03:00
    Permalink

    These instructions are so incomplete. For example, the SQL script does not have the database creation or USE line. I had to add the following. There have been other errors I have found too.

    CREATE DATABASE auditad DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;
    USE auditad;

    Reply
    • September 28, 2015 at 12:28
      Permalink

      Hello Nick,

      Sorry about that. I will be glad to help you and update this documentation. I don’t have a lot of time these days. Thank you for your feedback.

      Reply
  • September 30, 2015 at 07:34
    Permalink

    Hi,
    Great work and thanks for sharing. Would you be so kind as to give me some hints on how to get it up and running on a Windows box with IIS/PHP/MySQL?
    Regards.

    Red.

    Reply
  • September 30, 2015 at 13:36
    Permalink

    Hi,
    Everything is up and running on the Windows box except for the website 🙁

    PHP Notice: Undefined index: logout in C:\Reports\auditweb\index.php on line 3
    PHP Notice: Undefined index: username in C:\Reports\auditweb\index.php on line 25
    PHP Notice: Undefined index: password in C:\Reports\auditweb\index.php on line 26
    PHP Notice: Undefined index: formage in C:\Reports\auditweb\index.php on line 27
    PHP Notice: Undefined index: oldform in C:\Reports\auditweb\index.php on line 29
    PHP Notice: Undefined variable: failed in C:\Reports\auditweb\index.php on line 91

    Any help greatly appreciated.

    Regards.

    Red.

    Reply
    • September 30, 2015 at 13:45
      Permalink

      Hello Red,

      I don't have any experience with PHP on the IIS web server. Can you try a Windows Apache installation instead of IIS to test?

      Reply
    • September 30, 2015 at 14:01
      Permalink

      Troubles with PowerShell too 🙁

      PS C:\Mgmtscript\ADaudit> .\event_ad.ps1
      Get-WinEvent : The specified query is invalid
      At C:\Mgmtscript\ADaudit\event_ad.ps1:163 char:10
      + $event = Get-WinEvent -FilterXml $xml_filter
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [Get-WinEvent], EventLogException
      + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWi
      nEventCommand

      You cannot call a method on a null-valued expression.
      At C:\Mgmtscript\ADaudit\event_ad.ps1:175 char:1
      + $eventXML = [xml]$event.ToXml()
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : InvalidOperation: (:) [], RuntimeException
      + FullyQualifiedErrorId : InvokeMethodOnNull

      You cannot call a method on a null-valued expression.
      At C:\Mgmtscript\ADaudit\event_ad.ps1:176 char:1
      + $domainname = $sourceDC.split(".")[1..($sourceDC.split(".").length)] -join "."
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : InvalidOperation: (:) [], RuntimeException
      + FullyQualifiedErrorId : InvokeMethodOnNull

      You cannot call a method on a null-valued expression.
      At C:\Mgmtscript\ADaudit\event_ad.ps1:177 char:1
      + $domainname_dn = ($domainname.split(".") | % { "DC=$_" }) -join ","
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : InvalidOperation: (:) [], RuntimeException
      + FullyQualifiedErrorId : InvokeMethodOnNull

      Get-Date : Cannot bind parameter ‘Date’ to the target. Exception setting “Date”: “Object reference not set to an
      instance of an object.”
      At C:\Mgmtscript\ADaudit\event_ad.ps1:223 char:26
      + $datetime_new = get-date $date -format "yyyy-MM-dd HH:mm:ss"
      + ~~~~~
      + CategoryInfo : WriteError: (:) [Get-Date], ParameterBindingException
      + FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.PowerShell.Commands.GetDateCommand

      Exception calling "ExecuteNonQuery" with "0" argument(s): "Incorrect datetime value: '' for column 'evt_date' at row 1"
      At C:\Mgmtscript\ADaudit\event_ad.ps1:18 char:2
      + $RowsInserted = $command.ExecuteNonQuery()
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
      + FullyQualifiedErrorId : MySqlException

      Reply
      • September 30, 2015 at 14:14
        Permalink

        The powershell script cannot be started directly from the prompt. You have to create the scheduled task as described in the article

        Reply
        • October 1, 2015 at 07:29
          Permalink

          Hi Nicolas,
          I have IIS running a lot of webapps with php and mysql and I can’t switch to Apache.
          Related to PowerShell, I understand the need for a scheduled task, but if the PowerShell commands are not executed correctly at runtime, how can they work well in a scheduled task?
          Anyway, the biggest problem seems to be in PHP (index.php)
          PHP Notice: Undefined index: logout in C:\Reports\auditweb\index.php on line 3
          PHP Notice: Undefined index: username in C:\Reports\auditweb\index.php on line 25
          PHP Notice: Undefined index: password in C:\Reports\auditweb\index.php on line 26
          PHP Notice: Undefined index: formage in C:\Reports\auditweb\index.php on line 27
          PHP Notice: Undefined index: oldform in C:\Reports\auditweb\index.php on line 29
          PHP Notice: Undefined variable: failed in C:\Reports\auditweb\index.php on line 91

          Is there any special configuration I need to do for Active Directory?

          Regards.

          Red.

          Reply
          • October 1, 2015 at 07:41
            Permalink

            This solves the PHP part: change

            $message = $_GET['message'];
            to this:
            $message = isset($_GET['message']) ? $_GET['message'] : '';

            Red.

          • October 1, 2015 at 07:54
            Permalink

            Great. Thank you for this feedback… and sorry for my bad support 🙂

  • October 4, 2015 at 18:54
    Permalink

    I thought I had worked out all my bugs, but now I am not getting data written to the database. In the auditad2 task I am getting: Task Scheduler launched “{0000000-0000-0000-00000000000}” instance of task “\auditad2” according to event trigger.

    Has anyone else had any issues writing to the MySQL DB? I am doing a tcpdump on the LAMP server and I have verified that it is connecting, but there is no data in the table. Oh, I verified the ps1 script to make sure I had the table name correct.

    Reply
    • October 6, 2015 at 09:23
      Permalink

      From the above discussion, it should be:

      “There is a bug with the powershell cmdlets get-winevent. The locale must be set To en-us. Could you please try ?”

      Reply
  • October 6, 2015 at 09:47
    Permalink

    Really unable to solve the PHP-related errors

    PHP Notice: Undefined variable: chk_username in C:\Reports\auditweb\main.php on line 17
    PHP Notice: Undefined variable: user_input in C:\Reports\auditweb\main.php on line 17
    PHP Notice: Undefined variable: sessid_input in C:\Reports\auditweb\main.php on line 17
    PHP Notice: Undefined variable: chk_sess_id in C:\Reports\auditweb\main.php on line 17
    PHP Notice: A session had already been started – ignoring session_start() in C:\Reports\auditweb\main.php on line 3

    Red.

    Reply
  • February 17, 2016 at 08:30
    Permalink

    Hi, I just got my system successfully scanned and the result was great. Thanks for sharing this wonderful tool.

    Reply
    • February 17, 2016 at 13:47
      Permalink

      Thank you for your comment. Appreciate 😉

      Reply
  • March 8, 2016 at 16:04
    Permalink

    Hi! I managed to get it working on Windows Server 2012 R2.

    – I can access the website, with defined security groups (Domain Admins)
    – Collector working. I enter the event viewer and see the events of the domain controller
    – The PowerShell script does run as a scheduled task, no errors shown there.
    – PowerShell script edited with the path for MySQL: LoadFrom("C:\Program Files (x86)\MySQL\MySQL Connector Net 6.9.8\Assemblies\v2.0\MySQL.Data.dll")
    – Also edited the options for user, password and IP.

    It does not populate the MySQL database at all. The size is always the same, even when I can see the forwarded events on the collector.

    One thing: collector, IIS server and MySQL are on the same server. Everything is running on the same box.

    Any Idea?

    Thanks a lot.

    Reply
  • October 6, 2016 at 19:33
    Permalink

    Hi Nicolas, first of all congratulations on the tutorial; the project looks good. I have some issues because it really doesn't work for me.

    It doesn't work when I enter the user in the portal. I followed all the steps and installed it on the CentOS version, but it is the same.
    I uncompressed the website archive on the LAMP server inside the html folder and then installed the mcrypt module, but it doesn't work. If I try to access it by https it doesn't work; if I try to access it by http the page works but it does not validate the AD accounts.

    can you help please?

    Best regards!

    Reply
    • October 10, 2016 at 13:24
      Permalink

      Hello Jay,

      I will contact you by email to find out with you what kind of problem you have.

      Cheers
      Nico

  • October 10, 2016 at 11:23

    Hello,

    Thanks for the manual, good job. I have an issue.. I can access the portal but when I search for any log.. the portal remains in Loading.. forever.. and shows "Showing 0 to 0 of 0 entries". Do you know why I have this issue?

    Thanks a lot

    Method

    • October 10, 2016 at 13:25

      Hello,

      I will contact you with your email to find with you what kind of problem you have.

      Cheers
      Nico

      • October 11, 2016 at 07:55

        Thanks Nicolas,

        For now I can't find the solution; it seems that everything is good but it doesn't work.. 🙁

        • October 17, 2016 at 14:28

          Hi Nico,

          I checked the process from the beginning.. but I can't find the solution.. here is what I did.. when I enter the portal everything seems ok, I can validate from AD with group portal 1. But when I execute the query the screen remains "Loading" forever..

          Any idea?

          Kind Regards

  • October 14, 2016 at 16:37

    Hi, if I want to add events, for example event IDs 4741, 4742 and 4743, do I have to modify the XML and the ps1 script and that's it?
    Thanks!

  • February 1, 2017 at 01:26

    Sorry, I have this problem in the event collector: "StdErr=[Import-Module : The specified module 'Activedirectory' was not loaded because no valid module file was found in any module directory.At C:\PROGRA~3\ACTIVE~1\NETWOR~1\Scripts\MONITO~2\EVENTS~1.PS1:35 char:14+ import-module <<<< Activedirectory + Catego…]"

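
A diagnostic for the two failure reports above (events forwarded but the database never grows, and Import-Module failing on ActiveDirectory), added here as an example and not Snap35's own script. The MySQL server, credentials and database name are placeholders to fill in; the connector path is the one quoted in the earlier comment; the event IDs are a subset of those Snap35 captures.

```powershell
# Added diagnostic, not part of Snap35. Walks the chain the reports above describe:
# forwarded events on the collector, the Connector/Net DLL the script loads, the
# ActiveDirectory module, and a test connection to MySQL. Server, credentials and
# database name are placeholders (assumptions); the DLL path is from the comment.
$ConnectorDll = 'C:\Program Files (x86)\MySQL\MySQL Connector Net 6.9.8\Assemblies\v2.0\MySQL.Data.dll'
$MySqlServer  = 'mysql.example.local'   # placeholder
$MySqlUser    = 'auditweb'              # placeholder
$MySqlPass    = 'CHANGE_ME'             # placeholder
$MySqlDb      = 'auditweb'              # placeholder
$EventIds     = 4720, 4722, 4728, 4732, 4756   # a subset of the IDs Snap35 captures
$results = @()

# 1. Are subscribed events actually landing in the Forwarded Events log?
try {
    $recent = @(Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = $EventIds } -MaxEvents 5 -ErrorAction Stop)
    $results += "ForwardedEvents  OK ($($recent.Count) recent, newest $($recent[0].TimeCreated))"
} catch {
    $results += "ForwardedEvents  FAIL: $($_.Exception.Message)"
}

# 2. Can the LoadFrom() call in the script find the connector assembly?
$connectorLoaded = $false
try {
    $asm = [System.Reflection.Assembly]::LoadFrom($ConnectorDll)
    $connectorLoaded = $true
    $results += "MySqlConnector   OK (version $($asm.GetName().Version))"
} catch {
    $results += "MySqlConnector   FAIL: $($_.Exception.Message)"
}

# 3. Is the ActiveDirectory module installed? (Import-Module fails otherwise.)
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $results += "ActiveDirectory  OK"
} else {
    $results += "ActiveDirectory  FAIL: install the RSAT-AD-PowerShell feature"
}

# 4. Can the collector reach MySQL with the configured credentials?
if ($connectorLoaded) {
    try {
        $cs   = "server=$MySqlServer;uid=$MySqlUser;pwd=$MySqlPass;database=$MySqlDb"
        $conn = New-Object MySql.Data.MySqlClient.MySqlConnection($cs)
        $conn.Open(); $conn.Close()
        $results += "MySqlConnection  OK"
    } catch {
        $results += "MySqlConnection  FAIL: $($_.Exception.Message)"
    }
}

$results
```

Run it on the collector as the account the scheduled task uses, so it sees the same log permissions and module search path as the script.
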
  • March 24, 2017 at 15:09

    Hi, Just got everything installed and I can get to the web page using https but every login says failed. This is the last part that I cannot get working. I have a feeling it is with my config but not sure what it is.

    I have a 2012 R2 server as the collector and the logs are being forwarded successfully. The database is on CentOS 7 and is also getting populated as I can see the rows in phpmyadmin.

    Any assistance would be great.

    Thanks

  • March 24, 2017 at 20:10

    Hi,

    I am not sure what I am doing wrong but no matter what config I do the web, I always get ‘Login Failed!’.

    I originally had the web server on CentOS but moved it to Ubuntu thinking it was something there but I have the same issue. I am not sure if my config is 100% correct in terms of what the adldap connection needs. Any insight would be appreciated.

    Thanks

    • March 24, 2017 at 20:47

      Hello Russ,

      I was not available these days. If you are ok, I can propose to contact you on Monday.

      Regards
      Nico

      • March 27, 2017 at 12:40

        That is fine with me. Did not realize that I had posted twice. You can contact me via email, that is no problem. Thanks

  • May 31, 2017 at 02:52

    Can someone explain how to configure the website on the LAMP server? Where are the folders copied to? No documentation, etc????

    • June 1, 2017 at 05:46

      Hello Steve, thank you for your message. I will try to answer your questions and to install properly this tool. I send you an email. Regards

  • September 17, 2017 at 01:14

    I am getting the home page using http, whereas after deploying the SSL certificate on CentOS 7, https://Servername appears as "page cannot be displayed".

    Moreover io.security file contains CN=Users,DC=mydomain,DC=local.

    Please advise

  • September 30, 2017 at 12:48

    Hi Nicolas HAHANG,

    Deployed the script on Windows 2012 and CentOS 7 with https. I am not able to log in to the portal using AD credentials. It says login failed. mcrypt is also installed.

    Please help to resolve the issue.

  • October 3, 2017 at 16:39

    Where does the auditweb.tar.gz contents need to reside on an Ubuntu 16.04 server?

    • October 16, 2017 at 14:46

      Hello George,

      A new version has been uploaded to the website. Please use this new version and extract the content in the folder /var/www/html/.
      This is the default web server root folder in Ubuntu 16.04.

      Do not hesitate to contact me in case of problem.

      Cheers
      Nico
