
BalaSmart-5063 asked:

Need an alternative method for auditing Active Directory environment (Windows driver)

We are auditing our Active Directory environment. For auditing purposes we are using logs (Event Viewer).
Sometimes our logs are fully occupied by event ID 521, so auditing data will be lost.
Event 521 format: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=521
So is there any other possibility to get events via a Windows driver?

We need a solution like the file system minifilter.
GitHub link: https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter

Note:
We need to intercept AD object creation and modification activities from a Windows driver.

windows-active-directory

1 Answer

FanFan-MSFT answered:

Hi,
How did you configure the audit policy on the DCs?
You may consider moving the log files to another location if you require more disk space in which to log data.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/application-management/move-event-viewer-log-files
And set the maximum size of the event log:
https://www.oreilly.com/library/view/windows-server-cookbook/0596006330/ch08s06.html

This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.

Best Regards,


Hi @FanFan-MSFT

We have disk space on my home drive (security log directory).

Event 521 is logged when there are a large number of frequent updates; at that time the system is unable to process the requests.

It's not due to disk space....

We need a solution like a Windows driver instead of depending on logs.


Hi,
So sorry that I'm not familiar with that.
I will do more research about it.
If there is any progress, I will update here!
Best Regards,

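As an added example that is not code posted by anyone in this thread: a PowerShell script that checks the things the answer asks about (the effective audit policy, the Security log's size cap and retention mode) and measures how much of the recent Security log is event ID 521, so the "logs fully occupied by 521" condition from the question can be observed before it costs audit data. It assumes it is run elevated on a domain controller under Windows PowerShell 5.1 (Limit-EventLog is not available in PowerShell 7) and that the Security log is the one being audited; the 1 GB default and the archive path are placeholder values.

```powershell
# Added example (not from the thread). Assumes: elevated Windows PowerShell 5.1
# on a DC; Security log is the audited log; size/path values are placeholders.

function Get-SecurityLogState {
    param([int]$Hours = 24)

    # Log configuration: size cap, retention mode, on-disk path, fullness.
    $cfg = Get-WinEvent -ListLog Security

    # Event ID 521 entries written in the last $Hours hours. Suppressing the
    # "no events found" error makes an empty result return 0, not an exception.
    $since = (Get-Date).AddHours(-$Hours)
    $e521 = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 521; StartTime = $since } `
                -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        MaximumSizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
        LogMode       = $cfg.LogMode        # Circular, AutoBackup or Retain
        IsLogFull     = $cfg.IsLogFull
        RecordCount   = $cfg.RecordCount
        LogFilePath   = $cfg.LogFilePath
        Count521      = $e521.Count         # 521 entries in the time window
        WindowHours   = $Hours
    }
}

function Show-AuditPolicy {
    # Effective audit policy on this host (what the answer asks about).
    # Subcategories under "DS Access" are the ones that drive AD object auditing.
    auditpol /get /category:*
}

function Set-SecurityLogLimit {
    param(
        [long]$MaximumSizeMB = 1024,   # placeholder cap; must be a multiple of 64 KB
        [ValidateSet('OverwriteAsNeeded', 'OverwriteOlder', 'DoNotOverwrite')]
        [string]$OverflowAction = 'OverwriteAsNeeded'
    )
    # Raise the cap and pick the retention behaviour. Equivalent native command:
    #   wevtutil sl Security /ms:<bytes> /rt:false
    Limit-EventLog -LogName Security -MaximumSize ($MaximumSizeMB * 1MB) -OverflowAction $OverflowAction
    Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, LogMode
}

function Export-SecurityLog {
    param([string]$Path = 'D:\AuditArchive\Security.evtx')   # placeholder location
    # Copy the live log out to another volume before it wraps, so records
    # that would otherwise be overwritten are preserved for later review.
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    wevtutil epl Security $Path
    Get-Item $Path
}

# Usage:
Get-SecurityLogState -Hours 24 | Format-List
Show-AuditPolicy
# Set-SecurityLogLimit -MaximumSizeMB 4096 -OverflowAction OverwriteAsNeeded
# Export-SecurityLog -Path 'D:\AuditArchive\Security-2024-01-01.evtx'
```

A non-zero Count521 with IsLogFull false points at the write path being saturated rather than the disk, which matches the follow-up comment in the thread; a large MaximumSizeMB combined with AutoBackup or a scheduled Export-SecurityLog keeps the records that arrive between 521 bursts, but it cannot recover the events the system already failed to write, which is the gap the original question is about.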