
Configuring Event Log Forwarding for 2012 R2 Core Domain Controllers

Q: Configuring Event Log Forwarding for 2012 R2 Core Domain Controllers

Can Microsoft please provide a methodology for setting up Windows Event Forwarding (source-initiated) for a Domain Controller based on a Windows Server 2012 R2 Core installation? Unfortunately, all of your documentation relies on using the local Event Viewer GUI to set this up. Connecting Event Viewer from a full Server 2012 installation to a Core installation loses this ability entirely. The only option I've tried to employ so far leverages an .xml file, but I am not sure it is working correctly.

Please note: this is for Windows Security Event ID 4776 ingestion.


After the 1.9 upgrade we got a Timeline event about Brute Force attacks.
When investigating and looking at Event Logs > Security I started to panic when noticing 4776 errors against user "administrator", and the source workstation was always a domain controller.
This would happen every few seconds. Stopping the ATA gateway service on the domain controllers stopped this behaviour.
Any ideas or recommendations?
Thanks
The computer attempted to validate the credentials for an account.

Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    [email protected]
Source Workstation:    DC4
Error Code:    0xc0000064


Hello,
I've also tried changing the locale to en-us but the Application logs still don't show properly. 
Any thought please?
Many thanks in advance


Hi
Event Collector -> Windows 2012
Event Source -> Windows 7
Event Subscription (log forwarding): Security logs not forwarding

I'm evaluating the Event Forwarding of Windows.
I am able to receive events from Application and System.
Unfortunately, I'm not able to get events from Security.
Please advise why I'm not getting the events for Security.

Robert


Hello. I'm running Windows 7, 64-bit on an Intel Core i3-2100T processor on a Gigabyte H67A motherboard with 8 GB RAM, connected via HDMI to a Sony Bravia. No sound or video card, as it's all on the processor. I want to set up the system to record a line-in source for (1) my turntable and mixer, and (2) an interface for my guitar and microphone. My Device Manager shows both Intel(R) Display Audio and Realtek HD Audio. Clicking on the speaker icon in the notification area brings up the Intel Display Audio mixer with three sources: the Sony, system sounds and Firefox. I'm sure this is controlling the system audio output. No way to a recording mixer. Bringing up the Realtek Audio Manager still shows me no way to set recording levels.
Since I'm planning to use the PC for recording LP to disc (on my second thousand, now, switching from favorite old programs on an XP machine to the newly built system) and for live recording, I would really appreciate any assistance in properly setting up the basic sound paths in the system before setting up Audacity and Artist One from Presonus.
Thanks, in advance, and best of the New Year to all at this GREAT site!

A:configuring system with two sound controllers installed.

First issue, you can only have one "default" audio playback device - and thus whatever device is the default is what will playback either through the attached PC speakers or if you have the HDMI cable connected then through the HDMI.

I have a home recording studio with Sonar (X1) and I have an M-Audio Fast Track Ultra 8R USB-connected recording interface unit. When I'm recording with Sonar I only use the Fast Track Ultra 8R; I do not use the PC's sound device.

The first question: how are you connecting the turntable? Does it have built-in RIAA equalization, or are you connecting to a "phono" input on a stereo amp that has the built-in RIAA EQ? You must have the RIAA preamp somewhere, as that is needed to expand the recordings back to full fidelity.

I don't see any "Artist One" on the Presonus site. I do see "Studio One" recording software.

You really need a separate recording interface device, the PC sound card is not going to work properly. First, it requires a hotter signal (close to "line level") and a guitar output is low level "instrument level". Also, in order to play a record and record at the same time also really requires a separate recording interface device that you can connect the stereo line out (or an RIAA preamp out) into one channel on the recording interface and another input for the guitar.

There are many recording interface units from MAudio, Presonus, Focusrite, etc. Some hav... Read more


We have a primary and secondary domain controller on our network. We use a Windows 2000 Exchange server as our primary controller and another server as our secondary controller. To start, the Active Directories are not the same, as they should be between the two servers. How do I fix that?

The other problem I am starting to have is that the Windows XP client machines can't find the domain after being rebooted. I end up having to rejoin the domain in order to get the client machines to log on. If the client logs off without rebooting, logging back onto the domain is no problem. I think this has something to do with the clients trying to log onto the secondary controller for some reason, and since the Active Directories aren't synced, it's only causing more problems... Can anyone shed some light on the subject? Thanks.
 

A:Domain Controllers

Hey DVation, sounds like you need to force replication for Active Directory between your primary and secondary domain controllers. Only members of the Domain Admins or Enterprise Admins groups can perform this function unless you have been delegated the appropriate permissions.
Refer to the following link for details:
http://www.microsoft.com/technet/tr...2003/proddocs/entserver/dssite_force_repl.asp
***********
As far as your XP machines go, make sure that your DNS suffix for each PC is correct and that your IP, DNS, and Gateway addresses are correct. Windows 2000/XP use DNS for name resolution in an Active Directory environment. Also, is Active Directory running in Mixed Mode or Native Mode?
 


I have quite a number of DCs, and the configuration of port mirroring is something that we just can't take on.

I understand there is going to be a release of ATA where the port mirroring is not a requirement and an agent will take that role on the DC.

Anyone heard of this?


Hi, just installed the latest version of Windows 2003 for Small Business (SP1).

I have installed this OS on a new Fujitsu PRIMERGY TX150 S4.

Now I want just to use this server as a server on a workgroup. But the OS insists that it should be the Domain Controller. And then it just shuts itself down. Below is a log from the Event Viewer. Is there a way around this, or will I have to bow down to the might of Microsoft? I just don't really want to configure the entire LAN from workgroup to domain.
Event ID 1014
Source SBCore

This computer must be configured as a domain controller. It will be shut down in 30 minutes. To prevent this computer from shutting down, run Setup on the disk that you used to install the operating system to configure the computer as a domain controller.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 

A:Domain Controllers - Can anyone help please


Hope this belongs here............

I have some questions regarding changing the hardware in my domain controller. I'm basically rebuilding it with a new processor, RAM, mobo, etc.
It's just a desktop computer running Windows Server 2003. I plan to keep all the names of the machine and IP/domain the same. Is there anything I need to look out for by doing this? I don't want to lose my Active Directory and user accounts on the machines that rely on this domain controller. Can I just build the new server, set it up as a domain controller with all the same settings, and the computers will be able to log into the new controller with the same users?
 

A:Changing Domain Controllers


Actually, I have 2 DCs, 1 Threat Management Gateway, 1 Windows Server (web server), 1 Windows Storage Server, 2 Exchange servers, 1 SharePoint server and 2 Hyper-V servers. ALL running Server 2008 R2.

Should I be upgrading any of these to SP1?

A:Upgrade Domain Controllers to SP1 or not

Hello Abuttino,

I would recommend waiting until the "official" SP1 RTM is released by Microsoft sometime this first quarter of 2011. Afterwards, it should be available in Windows Update, and for download (standalone version) directly from Microsoft.

Hope this helps,
Shawn


I have only got 2 domain controllers on my network. The primary server deals with all my DNS, file sharing etc.; server2 is our proxy server but also doubles up as a backup domain controller.
The problem is server2 cannot update Active Directory from server1.
I get the following message when trying to connect to server1 from server2:
"The domain controller server1 was not validated because. The RPC server is unavailable"
I am also getting plenty of error events on both servers; the error I am getting on server1 is event 1645:
"The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is daa52d87-1d82-44f1-b032-a6930524e669._msdcs.isenterprisesintl.co.uk. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/daa52d87-1d82-44f1-b032-a693[email protected]
Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated. "
I have looked this up on ms.com and found an article explaining that a hotfix will fix this. All updates are installed, so it obvious... Read more

A:Domain controllers cant replicate

Just been running a few more checks and have seen a discrepancy between the 2 servers:
server1
Schema server = server1
Domain server = server1
PDC server = server1
RID server = server1
Infrastructure server = server1
server2
Schema server = server1
Domain server = server1
PDC server = server1
RID server = server1
Infrastructure server = server2 ---- ????

I have tried to change this setting on server2 in Active Directory Operations Masters, but it says
"The current domain controller is the operations master. To transfer the operations master role to another computer, you must first connect to it"
But it won't let me connect to the other DC because it can't find the RPC server!!! argghh
Is there another way to alter these settings?? Anyone??
 


Hello,

I just swapped out domain controllers and am now having synchronizing issues. It is still looking for the old server that I just replaced, and I can't make it look for the new one. Does anyone have any suggestions?

Thanks!!


Unless I am missing something, we can't "detect" a new domain controller added to an environment, as this is a "regular" task. Not sure if an admin logging on to a new server would trigger in an environment that has been running more than 30 days.

But:
Adding Domain Controllers to sensitive groups
Listing Domain Controllers not monitored by ATA
Listing newly created/removed domain controllers

Would be a great feature for future versions


I configured a domain controller on my VirtualBox and I want to connect another DC to it. The guest machine is Windows 8. The network adapter I used is NAT. First DC IP: 192.168.5.2, gateway: 192.168.5.1, subnet mask: 255.255.255.0 and DNS as the gateway IP. For the second domain controller, server IP: 192.168.5.3, gateway: 192.168.5.1 and DNS as the IP of the first DC, 192.168.5.2. I don't know why they are not communicating with each other. The moment I run dcpromo on the second DC it comes up with an error message to check my DNS and the domain name. It comes with this error too: 0x000005B4_TIMEOUT. CAN ANYONE HELP?
 


greets,

I have an older 2000 server which is a domain controller. I cannot for the life of me figure out how to demote the machine so I can rejoin it to a new domain. I do not need two domain controllers in this network.
Any ideas on how to? I already tried Start > Run > dcpromo.

I decided to post here since I didn't see a section for Server 2000. Thanks.
 

A:problems with Domain controllers


I want to install Windows 2012 on my server (IBM), but it requests a RAID controller driver (LSI M5014).


Hi everybody,
After my last implementation of ATA (one week ago) I got a strange "condition". It's an implementation with LWGW on all DCs (Server 2012 R2), no separate gateway installation.
Everything worked like a charm, as always; I just worked through the deployment guide. We get alerts on DNS enums or suspicious AD requests. We see logons on different member servers and clients if we search for them. We see changes to security groups, and we even see if I create a new service on one of the DCs, so I guess event forwarding works.
What we don't see: any logons on the domain controllers. It doesn't matter if I RDP into one of the DCs or go via console. If I search for one of the domain controllers and let ATA show the "profile page" of it, the timeline is just empty. Tried different DCs, different user accounts, even created new users and new domain admins. ATA doesn't recognize any logon on domain controllers.
I appreciate any hints.

Thanks!

Thanks, regards, tim


Hi All,
I am trying to configure the ATA Lightweight Gateway on an additional domain controller. I am getting the error:
The Console, https://ata.domain.com, returned an error while attempting to register the gateway. For more details, please review the Center error logs.

I can open https://ata.domain.com from the DC without any issue, and the port required for the communication is open.
There is no error in the Application or System logs on the DC or the ATA server.
The Center error logs in ATA are also not pointing to any error.

Thank you for assistance.


At my work we have an active directory domain. In the root of this domain there are two domain controllers.

i.e. dc1.mywork.com, dc2.mywork.com

When users log in, they always seem to get authenticated by dc2, as you can see the login script running from that server, and when we shut down dc2, no one can log in.

(have not shut down dc2 for any length of time to see if dc1 will eventually "take over" the login duties)

Where can I specify which server provides authentication for the domain? Or can I be assured that dc1 will take over for dc2 when dc2 goes down?
 


I was excited to see that the new ATA 1.6 has a Lightweight Gateway that no longer requires port mirroring, by installing it directly on the Domain Controllers. This makes total sense to me and gives me confidence in this ATA team. We have VMware, and the port mirroring was an issue.
However, we are not excited about the .NET requirement on the Domain Controllers. The installation does indicate it is needed for the setup, but does anyone know if we can uninstall the .NET component once the installation is complete? Any thoughts?
Thanks!
-Srvrgeek


I have over 400 domain controllers. The initial look at ATA seemed to require port mirroring on the DCs, and that was just impossible. I was told an agent of some type on the DCs was coming. Is that an option now?


Being fed up with the software router I was running, I set up a Netgear RP114 cable/DSL router. Connection to the net is fine; the problem is, before I used to have a webserver as the router machine. Now it sits behind the router. I set up port forwarding for port 80 to point to the internal IP address of the machine (browsing to http:// on the internal network IP reveals the webpage, so that is working).

When I put my public IP address into a web browser (after http://) I get the login screen for the router's web-based configuration, and not the web server. Also, other services that I set up (telnet, ssh) didn't work.

Any ideas?
 

A:Port forwarding and configuring a web-server behind a router.

Couldn't find a RP114 on the Netgear site. Are you using a RP614 or a FR114P?
In either case you need to change the port used for remote management (Netgear defaults this to 8080 in many of their routers).

From a Netgear user manual (note the last sentence) "Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP."
 


Windows 2012

IP settings: 172.17.2.36
Subnet mask: 255.255.0.0
Gateway: 172.17.2.1
DNS: 8.8.8.8

Windows 7

Obtain IP address automatically
----------------------------------
----------------------------------
DNS: 8.8.8.8

The error code reads:

------------------------------------------------------------------------------------------------------------------------------------------------

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "dalek.local".

The error was: "This operation returned because the timeout period expired."
(error code 0x000005b4 ERROR_TIMEOUT)

The query was for SRV record _ldap._tcp.dc._msdcs.dalek.local.

The DNS server used by this com... Read more


I have the latest version of ATA - 1.9.7312.32791
I have deployed ATA Lightweight Gateway to many domain controllers throughout my organisation from exactly the same "Microsoft ATA Gateway setup.exe" with accompanying .json file in the same folder.

Nearly all the Domain Controllers have been Windows Server 2016 Core with a quiet install via command line.
The installation has worked perfectly with the exception of two domain controllers on the same physical subnet/site.
The installation error code in the log is:
Error [TaskAwaiter] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
Failed to validate certificate thumbprint [thumbprint=FC78E602AA1E8BF57CC2270E81788E5ADC511DF4]

Seeing as every other installation worked fine, I suspect something must be blocking or interfering with the certificate being successfully negotiated back at the ATA centre.
The likelihood of it being an error with the JSON file is extremely small, as the failures occurred in the middle of the installation program, with successful implementations either side of the two that failed.

What can I get the network team to check regarding firewalls, network traffic or blocked ports?

Has anyone seen similar?

Thank you

Chris


I want to set all my domain controllers (DC and RDC) to pull time from time.windows.com. In order to achieve this I am planning to create a GPO (Computer Configuration/Policies/Administrative Templates/System/Windows Time Service/Time Providers) and link it to the Domain Controllers OU.
My question is: is this the best thing to do, or is there any risk or best practice with respect to this?


I am attempting to lab up ATA 1.7.1, and am having a similar issue to the following ATA Forum thread: https://social.technet.microsoft.com/Forums/security/en-US/c817193a-9859-48fa-a208-eb644b17005b/service-on-lightweight-gateway-wont-start?forum=mata
Event viewer is showing that the service is attempting to restart, and the ATA logs are full of this error (occurs every 20 seconds):
2016-10-18 23:49:50.2983 856 5 00000000-0000-0000-0000-000000000000 Error [DirectoryServicesClient+<OnInitializeAsync>d__12] Microsoft.Tri.Infrastructure.ExtendedException: Domain controllers are not configured
at Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesClient.<OnInitializeAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Infrastructure.Framework.Module.<InitializeAsync>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Infrastructure.Framework.ModuleManager.<OnInitializeAsync>d__4.MoveNext()
--- End of stack trace from previous location whe... Read more


Does anybody know of any "no frills" UK-based domain name forwarding services? I want a .com redirection to my existing website, but I don't need any other features than that! I would also prefer the URL to be masked so that my domain remains in the address bar, but this is not crucial. I won't be needing e-mail or any other added extras!
Thanks For Any Replies

From Tarq
 

A:Domain Forwarding?

(Note: I changed my nickname to that after posting it in my message; just thought I'd point that out at the risk of sounding stupid.)
 


I know of and use .tk (www.dot.tk), which is good because you get email forwarding as well. I also know of but don't use .co.nr (www.dot.co.nr).

Are there any others that are pretty good? It's just that I hate using www.freewebs.com/crystalnews
 


I can't seem to get my web redirect feature to work. What IPs for Domain Name Servers do I need to put in? My newly purchased URL is cmsbasketball.net, which I want to forward to www.eteamz.com/cmsbasketball. Please send me help!

[email protected]
 

A:Domain Forwarding????


Anyone know a good FREE domain forwarding host? Something like www.dot.tk. Nothing like http://dfsgsdf.com/yourname. Just as short as possible.

A:Domain Forwarding

www.TZO.com is not free, but it works well, and only $25/yr or $40/2 yrs.


Hello,

If I have a website, and I set up a domain email address such as "[email protected]", I want ALL email sent to that email address to be forwarded to my main (primary) email address in Outlook Express, such as "[email protected]". My ISP is Comcast. How do I set that up???

Thanks in advance,

Dean
 

A:Forwarding domain email?


Hi!

I'm new in the world of Linux and do not know how to set up an internet connection on Fedora Core 3, running KDE GUI.

please help

thanks!
 

A:Configuring Internet Connection on Fedora Core

It will be quite hard for us to help in any way if we do not have more information about your system & your Internet connection.
 


Hey you guys. I got my somewhat older desktop running Ubuntu 9.10 (dual-booted with WinXP) and I think it's pretty cool so far.

However a while ago while I was slightly intoxicated I boasted to my roommates that sharing files with this thing should be super easy, since it's linux and all that. Since then I've been trying to set up the desktop as a streaming media server, with no success. So I turn to you for help.

I found a pretty good guide on how to get Samba up and running on instructables.

The problem I'm having is that my laptop is part of a school domain. Since many of my roommates go to the same university, theirs are also part of that domain. For those of you who aren't too familiar with Windows (anymore), your computer can either be part of a workgroup or a domain. A workgroup is intended for home networks and makes it easier to share files, which is what I'm trying to do, and what the guide calls for. I've illustrated the problem in the attached image. As you can see both computers connect to the same router. I don't think I really have to explain, but I just figured I should try to be as clear as possible.

My question to you is: is there any way that I can set up the ubuntu desktop, or samba, so that it can share files over the wireless network at home with the computers that run windows and are part of the school domain? Or is there an easy way to switch between a workgroup and a domain on the windows machine? Or should I... Read more

A:Configuring filesharing between two computers where one is part of a domain


I have configured event forwarding from my DCs to the one DC that is currently running the lightweight gateway service.  I followed the instructions here https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/configure-event-collection.
Event ID 4776 is being forwarded from the other DCs to the ForwardedEvents log; however, they do not appear in the DB when I run
Mongo ATA --eval "printjson(db.getCollectionNames())" | find /C "NtlmEvents"

D:\ATA\Microsoft Advanced Threat Analytics\Center\MongoDB\bin>mongo ATA --eval "
printjson(db.getCollectionNames())" | find /C "NtlmEvents"
0

D:\ATA\Microsoft Advanced Threat Analytics\Center\MongoDB\bin>

Does this just take time or is something misconfigured?  The lightweight gateway was installed today.


Hello!

Being the most tech savvy person in my company (coffee shop/bakery), I've been tasked with changing the forwarding email of our websites to one email. I don't have a lot of information from the owner (ie. backend info, hosts, etc). So I'm trying to assess what the process looks like so I can just gather the information I need and do it without gathering more information than I have to because finding the information will (I suspect) be more time consuming than actually implementing this change.

Basically, [email protected] forwards to someone's personal Gmail, which should forward to a different email, but responses should still show up as [email protected].

Any tips would be super valuable.

Should they just invest in a full time or regularly contracted web developer? Probably, but they haven't so.... I'm learning as I go. LOL!
 


Hi
Need assistance to understand further the below question and screenshot
1. Refresh? - What is meant by Refresh in (Subscription Manager)?

2. Normal - is this related to the polling interval to send events to the collector server?
3. Minimize Bandwidth - is this related to the polling interval to send events to the collector server?
4. Minimize Latency - is this related to the polling interval to send events to the collector server?

Robert


Hello guys,
I've read in the docs that ATA supports Event Forwarding from a SIEM, but it only talks about forwarding Windows events with ID 4776 (provides data regarding NTLM authentications). Is this Event ID used as an example, or can ATA also handle other events forwarded from the SIEM like those mentioned in the Windows Event Forwarding section? (Event IDs: 4732, 4733, 4728, 4729, 4756, 4757, 7045)
Would it be useful to also forward 4776 events from Windows member servers (or even workstations) from the SIEM towards ATA? Does it do anything with that data?
Kind regards,
Jos


Hi,
I had a couple of questions regarding ATA and the Windows Event Forwarding (WEF) setting.
1. I understood that if I set up WEF, ATA is able to study and analyze all the activities and events that all users in my domain do, am I right?
2. About those activities and events that are captured by WEF, what specific activities and events are we talking about? Which events are being forwarded to the ATA? Does it apply to all users in the domain?
3. On the other side, what kind of events and activities would NOT be collected by WEF?
4. If I do not set up WEF, ATA would only be able to look at the network traffic and analyze that data, am I right? What other data would ATA be able to capture and analyze even if I do not set up WEF?
5. IF I do not set up WEF, does that mean that ATA would not be able to capture and analyze any information regarding the users and activities (other than network traffic) that are being done in the domain?
6. Finally, I know it might sound stupid... but what kind of data specifically comes out as network traffic? What kind of information comes out as network traffic for ATA to analyze?

Regards



Hello,
We have a fresh ATA 1.9 installation. I also configured Event Forwarding from all DCs to one of the Gateways. I see the events in the Forwarded Events log.
I also found in the FAQ how to verify if this is working (https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-technical-faq#how-do-i-verify-windows-event-forwarding).
But I think this is not working or the query is wrong for 1.9.
When I start the MongoDB shell and enter show collections I don't see anything starting with "Ntlm".
Can anyone please tell me what's wrong here? Thanks a lot for your help!
brgds Andreas


Hi All,
The ATA doco covers forwarding event 4776 to the ATA gateways, but what about local authentication and other hacking techniques (such as silver tickets) that have no communication with the DC? Is there any intention to broaden the use of Windows Event Log subscriptions to enhance the detection capabilities of ATA?


Hello,
I have implemented ATA 1.9 with a mixture of LWGW on physical DCs and port mirroring on virtual DCs. I have multiple ATA gateways which are monitoring one or two DCs.

Now I stumbled on a Windows Event Forwarding architecture design question, for which I can't find an answer on https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection.
Is it required to forward Windows events from a DC to the same ATA gateway for which port mirroring is configured in the ATA console Gateways configuration, or can I forward Windows events from all DCs to one ATA gateway (which is much simpler to configure)?
Daniel


I come to you again seeking help. We have a problem with our logon and startup to our Windows 7 Enterprise system. We have more than 3000 Windows desktops situated in roughly 20+ buildings around campus. Almost every computer on campus has the problem that I will be describing. I have spent over two months peering over etl files from Windows Performance Analyzer (a great product) and hundreds of thousands of event logs. I come to you today humbled that I could not figure this out. The problem, simply put: our logon times are extremely long. An average first-time logon is roughly 2-10 minutes depending on the software installed. All computers are Windows 7, the oldest computers being 5 years old. Startup times on various computers range from good (1-2 minutes) to very bad (5-60). Our second-time logons range from 30 seconds to 4 minutes. We have a gigabit connection between each computer on the network. We have 5 domain controllers which also double as our DNS servers.
My original posts on:
Technet: http://social.technet.microsoft.com/Forums/en/w7itproperf/thread/e8400dbe-e6b8-4b1d-8851-a03e7af32e6e
Reddit: http://www.reddit.com/r/sysadmin/comments/w5f38/network_logon_issues_with_group_policy_and/
I followed a lot of what you all told me to do, from testing the domain controllers with dcdiag to also completing netlogon tests. I did group policy tests where I got rid of the group policy and just did default policy, and it only slightly fixed the prob... Read more

A:Major Network Logon Issues (8 Domain Controllers and 3.5 thousand workstations) DNS, Time Server, DHCP, and Group Policy Errors

Hi,

I would like to suggest using Network Monitor to troubleshoot the issue.

Thanks.

Jeremy Wu
TechNet Community Support


I would like to configure ATA to be in a workgroup and external to the monitored domain. Not having a SIEM, I plan to use ATA to collect the events using event log forwarding. In the documentation, it is mentioned that the domain controllers and ATA gateways are connected to the same domain. So is my desired configuration of an ATA workgroup outside the domain not possible?
Thanks for any information.

Hello,
I'm in the process of transitioning some ATA 1.8 lightweight gateways that couldn't keep up onto a dedicated gateway. I wanted to double check: is event ID 4776 the only event I need to forward? Or are there others that ATA requires for analysis?
Thanks!


Hi, I have a functioning ATA installation, with a single remote gateway monitoring 3 production domain controllers. I configured the gateway server as an event collector and now have the gateway server pulling 4776 events to the Forwarded Events log on the gateway server. Now when I try to enable the gateway to monitor forwarded events, the gateway crashes pretty much right away ("the service stopped unexpectedly"). Am I missing something?
