
GrantD-4411 asked

ATA Lightweight Gateway not populating MongoDB with Forwarded Events

I recently broke down and updated to ATA 1.9.3 from ATA 1.9.1.

For some reason, events forwarded to the DC where the lightweight Gateway is installed are not making it into the MongoDB and hence not appearing on the ATA Console.

I see the event showing up in the Event Viewer on the DC. However, they do not then show up in MongoDB.

Do I need to configure something to read the Forwarded Events? (I am forwarding the usual suspects: 4776, 4732, 4733, ..7045) And I see them show up in the Forwarded logs.
I cannot find anything that needs toggling or setting to "yes".

If I do an nslookup, that generates an alert, but creating a local Admin account on a user box gets no such love. (The event 4732 should show up in MongoDB.) I see it in the forwarded logs.

Any places to look would be most helpful.

Thanks,

-Grant

ems-advanced-threat-analytics

Eli-Ofek answered

Search for any warn or error logs in the Gateway textual log and in the Center textual log within a few minutes of the time you simulated the event.
Note that the timestamps in the log are in UTC.

Also search the logs for errors or warns during service startup.

Share if you find anything there.


GrantD-4411 answered

I have gone through all the logs with a fine tooth comb. There weren't any errors or warnings that stood out. (Something about it not being able to talk to the LDAP server once, the day before.)

I did notice these Info statements:
Info [WindowsEventLogReader] Event log watcher for Security is enabled
Info [WindowsEventLogReader] Event log watcher for System is enabled

However, nothing for "Forwarded Events". I would think that there should be one for that too? (This is where my events show up on the DC)

There was one Error that I wouldn't think would break anything:

Error [GatewayConfigurationManager] Failed to get configuration, using default configuration. (I probably haven't defined one so I figured that is on me).

And then later in the same log, when it is discussing the configuration it is using, this part came up.

"WindowsEventLogClientConfiguration": {
"IsEnabled": true
}


Nothing about any permission problems or failures to connect. Is there something missing I should be looking for?

Thanks for your help.


Eli-Ofek answered

Did you already go through this guide?
https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection#wef-configuration-for-ata-gateways-with-port-mirroring

If yes, I think a support case is needed where you can share full log files securely, or maybe do a remote session with an engineer who might see something.
The config error is significant, but not if it happened only once...


GrantD-4411 answered

I have gone through this page several times, to the point I have some issues with it.

Since I am running an ATA Lightweight Gateway I have not turned on Port Mirroring between my Lightweight Gateway and the Domain Controller since they are on the same box.
As stated by: https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-port-mirroring
(I wish this exception was restated on this page).

The Note at the top of the page says for ATA versions 1.8 and higher we do not need to do this. However, here we are needing to do this.

Next issue I have is that events 4728, 4279, 4756 and 4757 are only generated on Domain Controllers so why would they need to be forwarded from the other hosts?
(However, this is neither here nor there with this issue).

Otherwise I have followed this page:
1) added Network Service to permissions for Event Log Readers
2) Ran winrm quickconfig
3) Enabled "Configure target Subscription Manager" and added "Server=http://<FQDN of the ATA LWGateway>:5985/wsman/SubscriptionManager/WEC,Refresh=10"
4) gpupdate /force
5) Created subscription in the Event Viewer
a) Name: ATA-Logs
b) Destination Log set to "Forwarded Events"
c) picked "Source computer initiated"
d) added the Domain Controller to the list of select computer groups
e) Selected "Security" event logs
f) Let all events be collected instead of just 4776
g) Checked runtime status and it had a nice green checkmark
6) Waited a few minutes

Tested by adding a Local Admin account to one of the hosts. Nothing showed up.

GrantD-4411 answered

Just to clarify. The Events show up in the "Forwarded Events" on the ATA LWG. They just don't make it into MongoDB.

I assume that their not making it into MongoDB is why the ATA Console doesn't see the event.


The config error shows up every time I turn the ATA LWG on at boot. It is not repeated as I generate events.

Is there a default config I can install and see if that changes anything?


Eli-Ofek answered

There is no need to define forwarding for events when the Gateway is lightweight.
The reason is that we are running on the same DC, so we can read the logs directly...

If it says failed to get configuration on every start, it means it fails to contact the Center machine via https 443.
If you go to the gateway list in the portal, does it even show this instance as running and healthy?


GrantD-4411 answered

The Gateway list says that the lightweight Gateway is "Running"
The "Health" spot has nothing underneath it.

This might be a clue.

GrantD-4411 commented

Not a clue. Apparently if everything is going well, the space under health is blank.

GrantD-4411 answered

I noticed from someone else's post of their Gateway logs that it contained:

"WindowsEventLogReaderConfiguration": {
"IsEnabled": true,
"IsForwardedEventReaderEnabled": false,
"IsLocalEventReaderEnabled": true,
"UpdateWindowsEventLogReaderBookmarksConfiguration": {
"Interval": "00:00:30",
"IsEnabled": true
}
}

Mine does not. Where would I set this? I tried adding it to the GatewayConfiguration.json file but some other process keeps rewriting it.


Eli-Ofek answered

No, this is the backend (Center) configuration for this gateway that the gateway reports to the log when it starts.
If you don't have it, it is also evidence that something is wrong. Not sure why the service appears healthy in the portal.
I strongly suggest opening a support ticket so this can be inspected correctly with the full log files from both the gateway and the Center to better understand what went wrong.

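The checks Eli-Ofek describes across this thread (warn/error lines within a few minutes of the simulated event, with UTC timestamps; the "Failed to get configuration" fallback on every start pointing at Center connectivity over HTTPS 443; and whether the startup configuration dump carries the WindowsEventLogReaderConfiguration block at all) can be scripted so they are not missed when reading the Gateway log by hand. The script below is an added example for this thread, not ATA tooling. The log line layout, the "ServiceHost" / "Service started" start marker, and the sample log and configuration texts are constructed assumptions; the messages themselves mirror the ones quoted in the thread.

```python
"""Triage helper for the ATA Gateway textual log (added example, not ATA's own tooling)."""
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed line layout (not ATA's documented format; adjust the regex to the real file):
#   "<yyyy-mm-dd HH:MM:SS.ffff> <Level> [<Component>] <message>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\w+)\s+\[(\w+)\]\s+(.*)$"
)

# Constructed sample log, timestamps in UTC as the thread notes. "ServiceHost" /
# "Service started" is an assumed start marker; the other messages come from the thread.
SAMPLE_LOG = """\
2018-06-01 14:00:01.0000 Info [ServiceHost] Service started
2018-06-01 14:00:02.1000 Error [GatewayConfigurationManager] Failed to get configuration, using default configuration.
2018-06-01 14:00:03.2000 Info [WindowsEventLogReader] Event log watcher for Security is enabled
2018-06-01 14:00:03.3000 Info [WindowsEventLogReader] Event log watcher for System is enabled
2018-06-01 16:30:10.0000 Warn [LdapClient] Could not contact the LDAP server
2018-06-02 08:00:01.0000 Info [ServiceHost] Service started
2018-06-02 08:00:02.1000 Error [GatewayConfigurationManager] Failed to get configuration, using default configuration.
"""

# Constructed startup configuration dumps: one with the reader block (as in the other
# user's post), one with only the client block (as in this thread).
CONFIG_WITH_READER = """{
  "WindowsEventLogReaderConfiguration": {
    "IsEnabled": true,
    "IsForwardedEventReaderEnabled": false,
    "IsLocalEventReaderEnabled": true,
    "UpdateWindowsEventLogReaderBookmarksConfiguration": {"Interval": "00:00:30", "IsEnabled": true}
  }
}"""
CONFIG_WITHOUT_READER = """{ "WindowsEventLogClientConfiguration": { "IsEnabled": true } }"""


def parse_log(text):
    """Parse matching lines into dicts with a UTC-aware timestamp; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        entries.append({"ts": ts, "level": m.group(2), "component": m.group(3), "message": m.group(4)})
    return entries


def simulated_event_time(year, month, day, hour, minute, second, utc_offset_hours):
    """Timezone-aware timestamp for the moment you simulated the event, in your local offset,
    so it compares correctly against the UTC log timestamps."""
    return datetime(year, month, day, hour, minute, second,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def issues_near(entries, event_time, window_minutes=5):
    """Warn/Error entries within +/- window_minutes of the simulated event."""
    if event_time.tzinfo is None:
        raise ValueError("event_time must be timezone-aware; log timestamps are UTC")
    window = timedelta(minutes=window_minutes)
    return [e for e in entries
            if e["level"] in ("Warn", "Error") and abs(e["ts"] - event_time) <= window]


def config_fallback_on_every_start(entries):
    """True when every service start is followed by the default-configuration fallback,
    i.e. the gateway never fetched its configuration from the Center."""
    starts = fallbacks = 0
    for e in entries:
        if e["component"] == "ServiceHost" and e["message"] == "Service started":
            starts += 1
        elif (e["component"] == "GatewayConfigurationManager"
              and e["message"].startswith("Failed to get configuration")):
            fallbacks += 1
    return starts > 0 and fallbacks >= starts


def forwarded_reader_state(config_text):
    """IsForwardedEventReaderEnabled from the startup dump, or None if the reader block is absent."""
    block = json.loads(config_text).get("WindowsEventLogReaderConfiguration")
    return None if block is None else block.get("IsForwardedEventReaderEnabled")


def triage(log_text, config_text, event_time, window_minutes=5):
    """Run all three checks and return a list of findings (empty when nothing stands out)."""
    entries = parse_log(log_text)
    findings = [f"{e['level']} near event: [{e['component']}] {e['message']}"
                for e in issues_near(entries, event_time, window_minutes)]
    if config_fallback_on_every_start(entries):
        findings.append("Default configuration used on every start: check HTTPS 443 to the Center")
    if forwarded_reader_state(config_text) is None:
        findings.append("WindowsEventLogReaderConfiguration block missing from startup configuration")
    return findings


if __name__ == "__main__":
    event = simulated_event_time(2018, 6, 1, 10, 0, 2, utc_offset_hours=-4)  # 14:00:02 UTC
    for finding in triage(SAMPLE_LOG, CONFIG_WITHOUT_READER, event):
        print(finding)
```

Point `triage` at the real Gateway log text and the JSON block the gateway prints at startup, and pass the local time you created the test event together with your UTC offset; a missing reader block is reported as a finding, while `IsForwardedEventReaderEnabled` being false is left alone, since a Lightweight Gateway reads the local logs directly and does not need forwarding.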

GrantD-4411 answered

After uninstalling and reinstalling, at this point it appears that I may not have allowed enough time for the system to "Learn".

It doesn't think creating Local Admin accounts on client boxes is suspicious (yet).

db.getCollectionNames().forEach(function(collection) { print("Found " + collection + " " + db[collection].count()) })

While nothing is going into Suspicious, some of the other collections are incrementing. And after going through them the alert for creating an admin account is buried.

And of course uninstalling and reinstalling has reset the clock.

Thanks for your help.
