This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
AlexColella
Beginner
Beginner
‎2015-01-23 12:27 PM

Logging events from a w2k12 DC?

Running into an issue, we have a DC that we want system logs etc pulled into SA.  The issue of course is Domain Controllers do not contain local user/groups.  Is there an easy work around without major administrative work to get this functioning on a DC we want logs from?  I would like to hear what others have done in similar scenarios. Thanks!

0 Likes
Reply
3 Replies
AlexColella
Beginner
Beginner
‎2015-01-26 09:11 AM

Someone must have come across this type of issue while implementing this?

0 Likes
Reply
ChrisThomas
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2015-01-27 09:59 PM

Collecting events from a Domain Controller is very common.

Have you reviewed the configuration steps here? http://sadocs.emc.com/@api/deki/files/43167/MicrosoftWindowsEventing.pdf

0 Likes
Reply
AlexColella
Beginner
Beginner
‎2015-01-28 09:29 AM

I've reviewed the document, it's expected that the service account be added to the local Log Readers group.  As you know, this can't be done on DC's since local users and groups do not exist.  Hence the only way I can think of doing this is using the domain log readers group and having the potential risks of additional access.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.