Re: ADAM Security Logging
- From: drm <don.mai@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 30 Dec 2008 08:59:24 -0800 (PST)
On Dec 24, 2:46 pm, drm <don....@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On Dec 23, 7:43 pm, "Lee Flight" <l...@xxxxxxxxxxxxxxx> wrote:
Hi
I do not think that the Field Engineering event log entries will populate
the User column of the ADAM instance event log for a native ADAM
user - I think they need a windows security principal (context) for that.
To get a security log audit when a native ADAM user connects to
an instance you need "Audit account logon events" enabled in
the server security policy of the server housing the instance.
However you would then have to try and correlate those entries
to the Field Engineering logging.
Beyond that options are directory services audit by setting a SACL
but that would audit all accesses with no regard to thresholds and
off the top of my head I cannot recall the status of audit for native
ADAM users.
Further input from me will likely be delayed due to holidays,
Lee Flight
"drm" <don....@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:112b1028-dd7a-4d4f-b790-077345d0719c@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The applications in our location that use our ADAM directories should
return a limited number (less than 20) of entries per query. We would
like to log every query that exceeds that amount. By changing the
Field Engineering Diagnostics setting to 5 and adding a Expensive
Search Results Threshold Parameter, I was able to log the query
information. This works great when an AD account ran the query, since
the account shows up next to User: in the log entry. Unfortunately,
no user information appears when the query is ran using an ADAM
account. I tried changing different parameters to get the login/
binding information to appear in the Event Logs with no luck. Is
there a special parameter that I need to add to create a log entry
whenever someone authenticates to an ADAM directory with an ADAM
account? Is there some other way to determine who submitted the query?- Hide quoted text -
- Show quoted text -
Thanks. Unfortunately, I need someone on our server management team
to change the domain security policy for our ADAM servers and this
will not happen until next week.
A not-to-distant future project involves using SEIM tools. Hopefully
I can use that to correlate the security logs and the Field
Engineering logs or at least limit the search.- Hide quoted text -
- Show quoted text -
I checked the log entries after the security policy was updated and no
logs were generated. Do I need to change a registry setting or add a
parameter like I did for the query?
While checking this out, I noticed some Success Audit security log
entries with an Event_ID of 697. These show up on the test box I am
using and on another server with an ADAM instance where the security
policy was not changed. I traced the activity to a monitoring tool
that queries the directory to verify that it is functioning properly.
The Username in the log is the service account not the ADAM account.
According to the security policy on that box, it only creates a
success log on Audit account management.
.
- Follow-Ups:
- Re: ADAM Security Logging
- From: Lee Flight
- Re: ADAM Security Logging
- From: drm
- Re: ADAM Security Logging
- References:
- ADAM Security Logging
- From: drm
- Re: ADAM Security Logging
- From: Lee Flight
- Re: ADAM Security Logging
- From: drm
- ADAM Security Logging
- Prev by Date: Re: ADAM Security Logging
- Next by Date: LDS 2008 questions for 2003 AD and 2008 AD forest trust
- Previous by thread: Re: ADAM Security Logging
- Next by thread: Re: ADAM Security Logging
- Index(es):
Relevant Pages
|
Loading
