Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  STRM Missing Logs

    Posted 05-09-2014 10:47

    We are testing STRM. We currently have our Domain Controllers reporting to two different sources. One is an RSA enVision SIEM and one is STRM. We created a report for account lockouts that looks for event ID 4740. STRM is missing events. We see lockouts in enVision that do not show up in STRM. Not a lot, mind you, but it's disconcerting to say the least. I checked the raw logs and the event just doesn't arrive at STRM.

    Any thoughts? Can anyone point me in the right direction?



  • 2.  RE: STRM Missing Logs

    Posted 05-11-2014 09:17

    Hi jickfoo,


    Which log integration did you pick for the Active Directory server?

    Maybe you can take a tcpdump and compare whether the exact same messages are arriving at both ends (if you're using syslog).

    Otherwise it will be a bit more work 🙂

    Hint: Be sure you have the same policy for log forwarding on both products! (STRM/RSA)

    Regards

    NULL
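The comparison suggested above, as an added example that is not part of the original thread: reconcile the Event ID 4740 lockouts exported from each collector and list the ones the second system never received. The export line format (`timestamp event_id account computer`) and the sample rows are constructed for the example; real enVision or STRM exports will need their own parsing.

```python
"""Reconcile account-lockout events (Event ID 4740) seen by two collectors.

Added example, not from the thread. Assumes each SIEM can export its
received events as lines of the (constructed, simplified) form
    <timestamp> <event_id> <account> <caller_computer>
"""
from collections import Counter

# Constructed sample exports: the same domain controllers forward to both.
ENVISION_EXPORT = """\
2014-04-29T02:29:01 4740 jdoe DC01
2014-04-29T02:29:05 4740 asmith DC01
2014-04-29T02:30:12 4740 bjones DC02
2014-04-29T02:31:40 4740 jdoe DC01
"""

STRM_EXPORT = """\
2014-04-29T02:29:01 4740 jdoe DC01
2014-04-29T02:30:12 4740 bjones DC02
"""


def parse_export(text, event_id="4740"):
    """Return a Counter of (timestamp, account, computer) for matching events.

    A Counter rather than a set, so that repeated identical events are
    counted and a duplicate on one side also shows up as a difference.
    """
    seen = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the run
        ts, eid, account, computer = parts
        if eid == event_id:
            seen[(ts, account, computer)] += 1
    return seen


def reconcile(reference_text, target_text, event_id="4740"):
    """Events in the reference collector that are missing (or short) in the target."""
    ref = parse_export(reference_text, event_id)
    tgt = parse_export(target_text, event_id)
    missing = ref - tgt  # Counter subtraction keeps only positive counts
    extra = tgt - ref
    return {
        "reference_total": sum(ref.values()),
        "target_total": sum(tgt.values()),
        "missing": sorted(missing.elements()),
        "extra": sorted(extra.elements()),
    }


if __name__ == "__main__":
    result = reconcile(ENVISION_EXPORT, STRM_EXPORT)
    print(f"enVision: {result['reference_total']} lockouts, STRM: {result['target_total']}")
    for ts, account, computer in result["missing"]:
        print(f"missing in STRM: {ts} {account} on {computer}")
```

Keying on timestamp, account and caller computer rather than on the raw line text lets the check work even when the two products render the same event differently; if a tcpdump shows the packets leaving the forwarder, the gap is on the receiving side.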



  • 3.  RE: STRM Missing Logs

    Posted 05-15-2014 05:10

    Thanks Null,

    Yes, the policies are the same. We are using WinCollect on a member server to pull logs from the Domain Controllers. After digging a bit in the directories of the WinCollect server we found these entries:

    2014-04-29 02:29:01,166 WARN  Device.WindowsLog.EventLog.10.10.X.10.Security.Read : Reopening event log due to falling too far behind (approx 138301 logs skipped).

    2014-04-29 02:35:37,876 WARN  Device.WindowsLog.EventLog.10.10.X.10.Security.Read : Reopening event log due to falling too far behind (approx 208935 logs skipped).

    Lots and lots of them. We found a few similar complaints online and realized that we are backleveled a bit in the WinCollect code. We're going to upgrade and try from a different box.


    Thanks,

    Justin
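The warnings quoted above are the evidence of loss, so they are worth monitoring rather than discovering by accident. As an added example (not from the thread and not WinCollect's own tooling), this script parses agent log lines of that shape, totals the skipped events per source and channel, and flags when any loss was recorded. The sample log lines are constructed from the two quoted entries plus an extra source and an unrelated INFO line; the alert threshold is an assumed parameter.

```python
"""Detect event loss reported in a WinCollect agent log.

Added example, not from the thread or from WinCollect. Parses lines of the
shape "... WARN Device.WindowsLog.EventLog.<source>.<channel>.Read :
Reopening event log due to falling too far behind (approx N logs skipped)."
"""
import re
from collections import defaultdict

# Constructed sample: the two quoted warnings, one unrelated INFO line,
# and a warning from a second (constructed) source.
SAMPLE_LOG = """\
2014-04-29 02:29:01,166 WARN  Device.WindowsLog.EventLog.10.10.X.10.Security.Read : Reopening event log due to falling too far behind (approx 138301 logs skipped).
2014-04-29 02:30:00,001 INFO  Device.WindowsLog.EventLog.10.10.X.10.Security.Read : Polling event log.
2014-04-29 02:35:37,876 WARN  Device.WindowsLog.EventLog.10.10.X.10.Security.Read : Reopening event log due to falling too far behind (approx 208935 logs skipped).
2014-04-29 02:36:10,512 WARN  Device.WindowsLog.EventLog.10.10.X.11.Security.Read : Reopening event log due to falling too far behind (approx 42 logs skipped).
"""

# Source may contain dots (an IP or a placeholder like 10.10.X.10); the
# channel is the last dotted component before ".Read".
SKIP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+WARN\s+"
    r"Device\.WindowsLog\.EventLog\.(?P<source>[\w.]+?)\.(?P<channel>\w+)\.Read\s*:\s*"
    r"Reopening event log due to falling too far behind \(approx (?P<skipped>\d+) logs skipped\)"
)


def parse_skip_warnings(log_text):
    """Return {(source, channel): {"events": n_warnings, "skipped": total_skipped}}."""
    loss = defaultdict(lambda: {"events": 0, "skipped": 0})
    for line in log_text.splitlines():
        m = SKIP_RE.match(line)
        if not m:
            continue  # INFO lines and other WARNs are not loss reports
        key = (m.group("source"), m.group("channel"))
        loss[key]["events"] += 1
        loss[key]["skipped"] += int(m.group("skipped"))
    return dict(loss)


def total_skipped(log_text):
    """Sum of all skipped events across every source and channel."""
    return sum(v["skipped"] for v in parse_skip_warnings(log_text).values())


def loss_detected(log_text, threshold=0):
    """True when more events were skipped than `threshold` (assumed parameter)."""
    return total_skipped(log_text) > threshold


if __name__ == "__main__":
    for (source, channel), stats in sorted(parse_skip_warnings(SAMPLE_LOG).items()):
        print(f"{source} {channel}: {stats['events']} warnings, "
              f"{stats['skipped']} events skipped")
    print("loss detected" if loss_detected(SAMPLE_LOG) else "no loss recorded")
```

Run it against the agent's log directory on a schedule; a non-zero skipped total means the collector, not the domain controller, is dropping events, which is exactly the case where a SIEM-to-SIEM comparison shows gaps while the Windows Security log itself is complete.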




  • 4.  RE: STRM Missing Logs
    Best Answer

    Posted 12-11-2014 09:01

    http://www-01.ibm.com/support/docview.wss?uid=swg21672193


    Good article on tuning Wincollect for Domain Controllers. Fixed our issues.