Active Directory change logging / auditing



  • I know that there are several discussions on here regarding if AD is needed. Please refrain from telling me to burn it all with fire as that's not an option 😉

    I've been tasked with looking at options for audit trails for changes within our AD, particularly with regard to user account modifications, and was wondering what (if anything) folks on here are using and would recommend or caution against.

    In the paid / commercial corner I've seen:

    • ManageEngine ADAudit +
    • Netwrix Auditor

    In the community / open-source / roll-your-own corner:

    • Graylog
    • Wazuh ???

    For ease of use and peace of mind ManageEngine is a top contender, but of course is $$$. Graylog looks promising but appears to put all of the security heavy-lifting on the admin, which is certainly doable but makes it a bit less interesting if there's another option.



  • ManageEngine is very good, but expensive.

    Wazuh is freaking amazing, but it does take some expertise to use.

    So IMO both are really great solutions, depending on whether you have time or money.



  • @notverypunny said in Active Directory change logging / auditing:

    For ease of use and peace of mind ManageEngine is a top contender, but of course is $$$. Graylog looks promising but appears to put all of the security heavy-lifting on the admin, which is certainly doable but makes it a bit less interesting if there's another option.

    I think that you are looking at the good options. ME is good, and costly. Wazuh gives you the powerful, robust option but requires a lot more work on your end. Those are pretty much the main decision options right there.



  • @IRJ Does Wazuh have anything built-in or available for keeping tabs on AD? They seem to have an open enhancement request for it https://github.com/wazuh/wazuh/issues/3878



  • @notverypunny said in Active Directory change logging / auditing:

    @IRJ Does Wazuh have anything built-in or available for keeping tabs on AD? They seem to have an open enhancement request for it https://github.com/wazuh/wazuh/issues/3878

    You won't find any fancy dashboards for AD out of the box.

    You will need to create dashboards based on these rules:
    https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0220-msauth_rules.xml

    All the rules are there, but you will need to create your own correlations for those rules. If you are looking to create triggers or alerts based on those rules you can do that pretty easily with Wazuh. If you would also like to have custom dashboards you can also create them to fit your needs. It's really powerful, but requires time to get it where you want it to be.



  • @IRJ maybe a deep dive at the next MC?



  • Netwrix works well. I know people that have purchased it and love it.



  • @notverypunny said in Active Directory change logging / auditing:

    I know that there are several discussions on here regarding if AD is needed. Please refrain from telling me to burn it all with fire as that's not an option 😉

    I've been tasked with looking at options for audit trails for changes within our AD, particularly with regard to user account modifications, and was wondering what (if anything) folks on here are using and would recommend or caution against.

    In the paid / commercial corner I've seen:

    • ManageEngine ADAudit +
    • Netwrix Auditor

    In the community / open-source / roll-your-own corner:

    • Graylog
    • Wazuh ???

    For ease of use and peace of mind ManageEngine is a top contender, but of course is $$$. Graylog looks promising but appears to put all of the security heavy-lifting on the admin, which is certainly doable but makes it a bit less interesting if there's another option.

    I don't see any requirements listed in your OP besides the bolded, so why isn't the built-in auditing option a consideration? That logs/audits all AD changes, and you can forward them somewhere else as well, which is a standard best practice.
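    As an added example (not code from this thread, nor from Wazuh, Graylog or Microsoft), here is the shape of what @Obsolesce and @IRJ are describing: the domain controllers' own Security log records every account change, a forwarder ships those events to a central system, and the work that remains is turning raw events into a readable trail and a few correlations on top of the base rules. It assumes the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled on the DCs (in a domain that is done through Advanced Audit Policy Configuration in the Default Domain Controllers Policy), that events arrive as JSON carrying the EventData field names from the event XML (SubjectUserName, TargetUserName, MemberName), and that the PRIVILEGED_GROUPS set is adjusted to your forest. The sample events are constructed; the event IDs are Microsoft's documented ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs for account and group management (Microsoft-documented).
ACCOUNT_EVENTS = {
    4720: "created", 4722: "enabled", 4723: "password change attempted",
    4724: "password reset", 4725: "disabled", 4726: "deleted",
    4738: "changed", 4740: "locked out", 4767: "unlocked",
}
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Groups whose membership changes deserve an alert (assumption: adjust to your forest).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample events, not real telemetry. Field names mirror the EventData
# section of the Security event XML, which is what agents such as Wazuh's forward.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4720, "SubjectUserName": "admin.jane",
     "TargetUserName": "svc-backup"},
    {"time": "2024-05-01T09:00:30", "id": 4728, "SubjectUserName": "admin.jane",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=example,DC=local"},
    {"time": "2024-05-01T09:15:00", "id": 4738, "SubjectUserName": "helpdesk.bob",
     "TargetUserName": "alice"},
    {"time": "2024-05-01T10:00:00", "id": 4725, "SubjectUserName": "helpdesk.bob",
     "TargetUserName": "carol"},
    {"time": "2024-05-01T10:05:00", "id": 4740, "SubjectUserName": "DC01$",
     "TargetUserName": "dave"},
    {"time": "2024-05-01T11:00:00", "id": 4720, "SubjectUserName": "admin.jane",
     "TargetUserName": "tmp-user"},
    {"time": "2024-05-01T11:20:00", "id": 4726, "SubjectUserName": "admin.jane",
     "TargetUserName": "tmp-user"},
    {"time": "2024-05-02T08:00:00", "id": 4732, "SubjectUserName": "helpdesk.bob",
     "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=alice,CN=Users,DC=example,DC=local"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _member_cn(dn):
    """Return the CN of a distinguished name such as 'CN=alice,CN=Users,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if first.upper().startswith("CN=") else dn


def audit_trail(events):
    """Flatten raw events into (time, actor, action, target) rows, oldest first.

    Unknown event IDs are dropped. This is the per-change record the original
    poster asked for, built from nothing but the Security log.
    """
    rows = []
    for e in sorted(events, key=_ts):
        eid = e["id"]
        if eid in ACCOUNT_EVENTS:
            rows.append((e["time"], e["SubjectUserName"], ACCOUNT_EVENTS[eid], e["TargetUserName"]))
        elif eid in GROUP_ADD_EVENTS:
            action = f"added to {GROUP_ADD_EVENTS[eid]} group {e['TargetUserName']}"
            rows.append((e["time"], e["SubjectUserName"], action, _member_cn(e["MemberName"])))
    return rows


def changes_by_account(events):
    """Group the trail by target account, e.g. to answer 'who touched alice?'."""
    by_target = defaultdict(list)
    for time, actor, action, target in audit_trail(events):
        by_target[target].append((time, actor, action))
    return dict(by_target)


def correlate(events, window=timedelta(minutes=30)):
    """Two correlations layered on the base events, the kind of rule no SIEM
    ships for you: a freshly created account that lands in a privileged group,
    and an account created and deleted again, each inside `window`.
    """
    created = {}  # target -> time of the most recent 4720 for that account
    alerts = []
    for e in sorted(events, key=_ts):
        eid, t = e["id"], _ts(e)
        if eid == 4720:
            created[e["TargetUserName"]] = t
        elif eid in GROUP_ADD_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS:
            member = _member_cn(e["MemberName"])
            if member in created and t - created[member] <= window:
                alerts.append(("new-account-privileged", member, e["SubjectUserName"]))
        elif eid == 4726:
            target = e["TargetUserName"]
            if target in created and t - created[target] <= window:
                alerts.append(("short-lived-account", target, e["SubjectUserName"]))
    return alerts


if __name__ == "__main__":
    for row in audit_trail(SAMPLE_EVENTS):
        print(*row)
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

    Two design points worth keeping whichever product ends up on top: the forwarding step matters because a trail that lives only on the DC can be cleared by the same account that made the change, and the correlation window is the knob that separates a sysadmin doing their job from a temporary account that exists for twenty minutes.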



  • @Obsolesce This is what got me looking at Graylog, and it's still on the table, just wondering if there are other options that I'm not considering.



  • @JaredBusch said in Active Directory change logging / auditing:

    Netwrix works well. I know people that have purchased it and love it.

    The product looks good, but from an IT perspective I don't like the licensing, as it's on a per-AD-user model (which IT has no control over), whereas ManageEngine is based on a per-DC model, which is much easier to manage.



  • @Obsolesce said in Active Directory change logging / auditing:

    @notverypunny said in Active Directory change logging / auditing:

    I know that there are several discussions on here regarding if AD is needed. Please refrain from telling me to burn it all with fire as that's not an option 😉

    I've been tasked with looking at options for audit trails for changes within our AD, particularly with regard to user account modifications, and was wondering what (if anything) folks on here are using and would recommend or caution against.

    In the paid / commercial corner I've seen:

    • ManageEngine ADAudit +
    • Netwrix Auditor

    In the community / open-source / roll-your-own corner:

    • Graylog
    • Wazuh ???

    For ease of use and peace of mind ManageEngine is a top contender, but of course is $$$. Graylog looks promising but appears to put all of the security heavy-lifting on the admin, which is certainly doable but makes it a bit less interesting if there's another option.

    I don't see any requirements listed in your OP besides the bolded, so why isn't the built-in auditing option a consideration? That logs/audits all AD changes, and you can forward them somewhere else as well, which is a standard best practice.

    Isn't the first step to using any of the listed options to do exactly that: local logging, which forwards those logs into a centralized system, where reports are run to generate alerts?



  • @notverypunny said in Active Directory change logging / auditing:

    @JaredBusch said in Active Directory change logging / auditing:

    Netwrix works well. I know people that have purchased it and love it.

    The product looks good, but from an IT perspective I don't like the licensing, as it's on a per-AD-user model (which IT has no control over), whereas ManageEngine is based on a per-DC model, which is much easier to manage.

    Sure, there's a difference there, but depending on pricing, per-user could still make sense. After all, this is an expense that having users brings you, just like the expense of a computer, an email account, a phone, etc.



  • @Dashrender said in Active Directory change logging / auditing:

    @Obsolesce said in Active Directory change logging / auditing:

    @notverypunny said in Active Directory change logging / auditing:

    I know that there are several discussions on here regarding if AD is needed. Please refrain from telling me to burn it all with fire as that's not an option 😉

    I've been tasked with looking at options for audit trails for changes within our AD, particularly with regard to user account modifications, and was wondering what (if anything) folks on here are using and would recommend or caution against.

    In the paid / commercial corner I've seen:

    • ManageEngine ADAudit +
    • Netwrix Auditor

    In the community / open-source / roll-your-own corner:

    • Graylog
    • Wazuh ???

    For ease of use and peace of mind ManageEngine is a top contender, but of course is $$$. Graylog looks promising but appears to put all of the security heavy-lifting on the admin, which is certainly doable but makes it a bit less interesting if there's another option.

    I don't see any requirements listed in your OP besides the bolded, so why isn't the built-in auditing option a consideration? That logs/audits all AD changes, and you can forward them somewhere else as well, which is a standard best practice.

    Isn't the first step to using any of the listed options to do exactly that: local logging, which forwards those logs into a centralized system, where reports are run to generate alerts?

    You don't need additional software to do any of that.



  • @notverypunny said in Active Directory change logging / auditing:

    @JaredBusch said in Active Directory change logging / auditing:

    Netwrix works well. I know people that have purchased it and love it.

    The product looks good, but from an IT perspective I don't like the licensing, as it's on a per-AD-user model (which IT has no control over), whereas ManageEngine is based on a per-DC model, which is much easier to manage.

    Is there a reason IT should have control over that? All IT expenses are just business expenses anyway. Just make it a per-seat cost like other per-seat costs. You already have to pay for Windows, Office, CALs, and whatever else "per seat", it's just another line item for whoever is paying for those.



  • @scottalanmiller said in Active Directory change logging / auditing:

    @notverypunny said in Active Directory change logging / auditing:

    @JaredBusch said in Active Directory change logging / auditing:

    Netwrix works well. I know people that have purchased it and love it.

    The product looks good, but from an IT perspective I don't like the licensing, as it's on a per-AD-user model (which IT has no control over), whereas ManageEngine is based on a per-DC model, which is much easier to manage.

    Is there a reason IT should have control over that? All IT expenses are just business expenses anyway. Just make it a per-seat cost like other per-seat costs. You already have to pay for Windows, Office, CALs, and whatever else "per seat", it's just another line item for whoever is paying for those.

    So why dig a deeper grave?



  • @Obsolesce said in Active Directory change logging / auditing:

    @scottalanmiller said in Active Directory change logging / auditing:

    @notverypunny said in Active Directory change logging / auditing:

    @JaredBusch said in Active Directory change logging / auditing:

    Netwrix works well. I know people that have purchased it and love it.

    The product looks good, but from an IT perspective I don't like the licensing, as it's on a per-AD-user model (which IT has no control over), whereas ManageEngine is based on a per-DC model, which is much easier to manage.

    Is there a reason IT should have control over that? All IT expenses are just business expenses anyway. Just make it a per-seat cost like other per-seat costs. You already have to pay for Windows, Office, CALs, and whatever else "per seat", it's just another line item for whoever is paying for those.

    So why dig a deeper grave?

    Why not lay out exactly what you are talking about, what you consider the option to be?



  • @Dashrender said in Active Directory change logging / auditing:

    @Obsolesce said in Active Directory change logging / auditing:

    @scottalanmiller said in Active Directory change logging / auditing:

    @notverypunny said in Active Directory change logging / auditing:

    @JaredBusch said in Active Directory change logging / auditing:

    Netwrix works well. I know people that have purchased it and love it.

    The product looks good, but from an IT perspective I don't like the licensing, as it's on a per-AD-user model (which IT has no control over), whereas ManageEngine is based on a per-DC model, which is much easier to manage.

    Is there a reason IT should have control over that? All IT expenses are just business expenses anyway. Just make it a per-seat cost like other per-seat costs. You already have to pay for Windows, Office, CALs, and whatever else "per seat", it's just another line item for whoever is paying for those.

    So why dig a deeper grave?

    Why not lay out exactly what you are talking about, what you consider the option to be?

    Because I'm not an IT buyer and don't just buy the first turnkey product with a pretty web interface I find. I can see the appeal, especially for an SMB with no staff, or an MSP with no time. The thing is, for those solutions, you may end up doing and maintaining more in the end anyway. Not always, but depending on the environment and how it changes over time. Yeah, maybe a turnkey solution is best, I don't know the environment at all, just one requirement, which literally has no need for a third-party product and can be completed in an hour, without needing much if any maintenance.

