Log label: WINDOWS_AD

This document describes how to collect Microsoft Windows Active Directory (AD) logs using a Chronicle forwarder. The Chronicle parser supports logs collected by NXLog Community or Enterprise edition, and parses and normalizes the data returned by the Active Directory PowerShell cmdlets. The deployment requires an NXLog agent on each AD server and a Chronicle forwarder installed on a central Microsoft Windows or Linux server.
Preview

This feature is subject to the pre-GA (preview) terms and conditions of the Chronicle service. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. See the Chronicle support recommendations for more information.
The sections below describe the configuration that generates the logs supported by the Chronicle parser for Microsoft Active Directory events. You can find an overview of data ingestion in Chronicle at https://userchronicles.com. For information about receiving data, see the "Receive data" section of the Chronicle documentation. The field mapping reference at the end of this document describes how the log fields map to the fields of the Chronicle Unified Data Model (UDM).

Supported Versions And Devices
Microsoft Windows Server is available in the following editions: Foundation, Essentials, Standard, and Datacenter. The schema of the records produced by the collection script is the same across editions, so the parser output does not differ.

Supported Log Types
- user context
- asset context

Logs are supported when generated as English text; logs generated in languages other than English are not supported.

Deployment Architecture
[Figure: Microsoft Windows event collection architecture] Each customer's deployment will differ from this representation and is likely to be more complex. The following is usually required:
- All systems set to the UTC time zone.
- A script on each AD server that gathers USER_CONTEXT and ASSET_CONTEXT data.
- A central Microsoft Windows or Linux server that receives the data.
- Forwarding of the log entries to Chronicle.
Setting Up Microsoft Devices

Configure Windows AD Servers

Steps for configuring the Microsoft Windows AD servers in your architecture:

- Set up all systems with the UTC time zone.
- Create and configure a PowerShell script on each Microsoft Windows Active Directory server to collect the log data and write it to an output file. NXLog reads this file and sends the data to the central Microsoft Windows or Linux server.
- Create the PowerShell script. See the example below. Change the $OUTPUT_FILENAME value to the path where the output log file should be written; this is the file NXLog will read. The data must be written in JSON format, one object per line. Set the Out-File encoding to utf8. Prefer a filter such as -LDAPFilter when calling the Get-ADUser and Get-ADComputer cmdlets instead of exporting every object.

```powershell
# Specify where to write the log file
$OUTPUT_FILENAME = "<output-file-path>"

# Remove a previous export so the file holds only the current snapshot
If (Test-Path -Path $OUTPUT_FILENAME) {
    Remove-Item -Path $OUTPUT_FILENAME -ErrorAction SilentlyContinue
}

# USER_CONTEXT: exports all Active Directory users with their default
# properties plus samAccountName, one compact JSON object per line.
Get-ADUser -Filter * -Properties samAccountName | ForEach-Object {
    ConvertTo-Json -InputObject $_ -Compress | Out-File -Encoding utf8 -FilePath $OUTPUT_FILENAME -Append
}

# ASSET_CONTEXT: exports all Active Directory computers the same way.
Get-ADComputer -Filter * -Properties samAccountName | ForEach-Object {
    ConvertTo-Json -InputObject $_ -Compress | Out-File -Encoding utf8 -FilePath $OUTPUT_FILENAME -Append
}
```
- Create a recurring scheduled task that runs the PowerShell script to extract the data and write the output file.
  - Open the Task Scheduler application.
  - Click "Create Task" in the Actions pane.
  - Enter the desired task name and description.
  - Check "Run with highest privileges" so that all data is retrieved.
  - On the Triggers tab, specify how often the task should repeat.
  - On the Actions tab, add a new action and enter the path of the file where the script is saved.
- Install the NXLog agent on each Microsoft Windows Active Directory server. The agent forwards the logs to the central Microsoft Windows or Linux server. See the NXLog documentation for installation details.
- Create a configuration file for each NXLog instance. Use the NXLog im_file module to read the output file and split it into lines, and the om_tcp module to send the data to the central Microsoft Windows or Linux server. Here is an example NXLog configuration. Replace <IP address> and <port> with the address and port of the destination Microsoft Windows or Linux server. In the <Input> section, set the File property to the path of the output log file written by the PowerShell script. Always set DirCheckInterval and PollInterval; if they are not set, NXLog polls the file every 1 second.

```conf
define ROOT C:\Program Files\nxlog
define ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <IP address>
define ADCONTEXT_OUTPUT_DESTINATION_PORT <port>

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Input in_adcontext>
    Module           im_file
    File             "<output-file-path>"
    DirCheckInterval 3600
    PollInterval     3600
</Input>

<Output out_chronicle_adcontext>
    Module  om_tcp
    Host    %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS%
    Port    %ADCONTEXT_OUTPUT_DESTINATION_PORT%
</Output>

<Route r1>
    Path    in_adcontext => out_chronicle_adcontext
</Route>
```

- Start the NXLog service on each of these systems.
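As an added example, not the script from this page or from Chronicle, here is a hardened version of the collection step above. It scopes the export with -LDAPFilter as the procedure recommends, writes one compact JSON object per line as UTF-8 without a byte-order mark so every line is a self-contained record for NXLog's im_file module, and then checks the file before NXLog polls it. The functions Export-AdContext and Test-AdContextOutput, the output path, the LDAP filters and the property lists are assumptions to adapt to your domain; the script needs the ActiveDirectory module from RSAT.

```powershell
# Added example (not the Chronicle documentation's script). Assumptions: output path,
# LDAP filters and property lists below; requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Assumption: the same path later placed in the NXLog <Input> File directive.
$OUTPUT_FILENAME = 'C:\ProgramData\adcontext\adcontext.json'

# A fixed property list keeps records small and predictable; '*' would pull every
# attribute, including large binary ones, and bloat the file.
$UserProperties = @('samAccountName','userPrincipalName','displayName','mail',
                    'enabled','lastLogonDate','whenCreated','memberOf')
$ComputerProperties = @('samAccountName','dNSHostName','operatingSystem',
                        'operatingSystemVersion','enabled','lastLogonDate','whenCreated')

function Export-AdContext {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Example LDAP filters (assumptions): enabled user accounts only (bit 2 of
        # userAccountControl clear), and computers that are not domain controllers
        # (bit 8192 clear). 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
        [string] $UserLdapFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        [string] $ComputerLdapFilter = '(&(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
    )
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Build the file under a temporary name and move it into place afterwards, so a
    # reader never sees a half-written snapshot.
    $tmp = "$Path.tmp"
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    $writer = New-Object System.IO.StreamWriter($tmp, $false, $utf8NoBom)
    $count = 0
    try {
        # USER_CONTEXT records
        Get-ADUser -LDAPFilter $UserLdapFilter -Properties $UserProperties |
            Select-Object -Property $UserProperties |
            ForEach-Object {
                $writer.WriteLine((ConvertTo-Json -InputObject $_ -Compress -Depth 3))
                $count++
            }
        # ASSET_CONTEXT records
        Get-ADComputer -LDAPFilter $ComputerLdapFilter -Properties $ComputerProperties |
            Select-Object -Property $ComputerProperties |
            ForEach-Object {
                $writer.WriteLine((ConvertTo-Json -InputObject $_ -Compress -Depth 3))
                $count++
            }
    } finally {
        $writer.Dispose()
    }
    Move-Item -Path $tmp -Destination $Path -Force
    return $count
}

function Test-AdContextOutput {
    # Sanity check before NXLog reads the file: no BOM, every line parses as a JSON
    # object carrying samAccountName, and the longest line is reported against the
    # forwarder's batch_n_bytes (1048576 in the configuration on this page).
    param([Parameter(Mandatory)] [string] $Path, [int] $BatchBytes = 1048576)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    $lines = [System.IO.File]::ReadAllLines($Path)
    $bad = 0
    $maxLen = 0
    foreach ($line in $lines) {
        if ($line.Length -gt $maxLen) { $maxLen = $line.Length }
        try {
            $obj = $line | ConvertFrom-Json -ErrorAction Stop
            if ([string]::IsNullOrEmpty($obj.samAccountName)) { $bad++ }
        } catch { $bad++ }
    }
    [pscustomobject]@{
        Records      = $lines.Count
        InvalidLines = $bad
        HasBom       = $hasBom
        LongestLine  = $maxLen
        FitsInBatch  = ($maxLen -lt $BatchBytes)
    }
}

$n = Export-AdContext -Path $OUTPUT_FILENAME
Write-Host "Wrote $n records to $OUTPUT_FILENAME"
Test-AdContextOutput -Path $OUTPUT_FILENAME
```

The explicit UTF8Encoding($false) matters because Windows PowerShell 5.1's Out-File -Encoding utf8 prepends a byte-order mark when it creates the file, so with -Append the first JSON record on the page's script would start with three non-JSON bytes; the HasBom field of Test-AdContextOutput surfaces that case. InvalidLines should be 0 before the scheduled task is enabled, and FitsInBatch confirms no single record exceeds the forwarder's batch_n_bytes.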
Setting Up A Microsoft Windows Or Linux Central Server

See Install and configure the forwarder on Linux or Install and configure the forwarder on Microsoft Windows for more information on installing and configuring the Chronicle forwarder.

- Set up the system with the UTC time zone.
- Install the Chronicle forwarder on the Microsoft Windows or Linux central server.
- Configure the Chronicle forwarder to send the logs to Chronicle. Here is an example forwarder configuration:

```yaml
- syslog:
    common:
      enabled: true
      data_type: WINDOWS_AD
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:10518
    connection_timeout_sec: 60
```
Field Mapping Reference: Log Fields To UDM Event Fields

This section describes how the parser maps Microsoft Windows Active Directory log fields to Chronicle Unified Data Model (UDM) event fields.

User Context Logs