ATA Lightweight Gateway not populating mongodb with Forwarded events

Grant D 1 Reputation point
2022-04-26T22:41:37.237+00:00

I recently broke down and updated to ATA 1.9.3 from ATA 1.9.1.

For some reason, events forwarded to the DC where the lightweight Gateway is installed are not making it into the MongoDB and hence not appearing on the ATA Console.

I see the event showing up in the Event Viewer on the DC. However, they do not then show up in MongoDB.

Do I need to configure something to read the Forwarded Events? (I am forwarding the usual suspects: 4776, 4732, 4733, ..7045) And I see them show up in the Forwarded logs.
I cannot find anything that needs toggling or setting to "yes".

If I do an nslookup, that generates an alert, but creating a local Admin account on a user box gets no such love. (The event 4732 should show up in MongoDB.) I see it in the forwarded logs.

Any places to look would be most helpful.

Thanks,

-Grant

Microsoft Configuration Manager

10 answers

  1. Eli Ofek (MSFT) 911 Reputation points Microsoft Employee
    2022-04-27T07:04:49.583+00:00

    Search for any warn or error logs in the Gateway textual log and in the Center textual log within a few minutes of the time you simulated the event.
    Note that the timestamps in the log are in UTC.

    Also search the logs for errors or warns during service startup.

    Share if you find anything there.


  2. Grant D 1 Reputation point
    2022-04-27T16:04:01.83+00:00

    I have gone through all the logs with a fine-tooth comb. There weren't any errors or warnings that stood out. (Something about it couldn't talk to the LDAP server once the day before.)

    I did notice these Info statements:
    Info [WindowsEventLogReader] Event log watcher for Security is enabled
    Info [WindowsEventLogReader] Event log watcher for System is enabled

    However, nothing for "Forwarded Events". I would think that there should be one for that too? (This is where my events show up on the DC)

    There was one Error that I wouldn't think it would break anything:

    Error [GatewayConfigurationManager] Failed to get configuration, using default configuration. (I probably haven't defined one so I figured that is on me).

    And then later in the same log when it is discussing the configuration it is using this part came up.

    "WindowsEventLogClientConfiguration": {
        "IsEnabled": true
    }

    Nothing about any permission problems or failures to connect. Is there something missing I should be looking for?

    Thanks for your help.


  3. Eli Ofek (MSFT) 911 Reputation points Microsoft Employee
    2022-04-27T22:09:21.853+00:00

    Did you already go through this guide?
    https://learn.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection#wef-configuration-for-ata-gateways-with-port-mirroring

    If yes, I think a support case is needed where you can share full log files securely, or maybe to a remote session with an engineer that might see something.
    The config error is significant, but not if it happened only once...


  4. Grant D 1 Reputation point
    2022-04-28T16:21:10.233+00:00

    I have gone through this page several times, to the point I have some issues with it.

    Since I am running an ATA Lightweight Gateway I have not turned on Port Mirroring between my Lightweight Gateway and the Domain Controller since they are on the same box.
    As stated by: https://learn.microsoft.com/en-us/advanced-threat-analytics/configure-port-mirroring
    (I wish this exception was restated on this page).

    The Note at the top of the page says for ATA versions 1.8 and higher we do not need to do this. However, here we are needing to do this.

    Next issue I have is that events 4728, 4279, 4756 and 4757 are only generated on Domain Controllers so why would they need to be forwarded from the other hosts?
    (However, this is neither here nor there with this issue).

    Otherwise I have followed this page:

    1. added Network Service to permissions for Event Log Readers
    2. Ran winrm quickconfig
    3. Enabled "Configure target Subscription Manager" and added "Server=http://<FQDN of the ATA LWGateway>:5985/wsman/SubscriptionManager/WEC,Refresh=10"
    4. gpupdate /force
    5. Created subscription in the Event Viewer
      a) Name: ATA-Logs
      b) Destination Log set to "Forwarded Events"
      c) picked "Source computer initiated"
      d) added the Domain Controller to the list of select computer groups
      e) Selected "Security" event logs
      f) Let all events be collected instead of just 4776
      g) Checked runtime status and it had a nice green checkmark
    6. Waited a few minutes

    Tested by adding a Local Admin account to one of the hosts. Nothing showed up.

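A collector-side health check for the WEF setup listed in the post above, added here as an example and not part of the original thread or of ATA itself. It assumes the subscription name ATA-Logs and the event IDs named in the thread, and that it is run elevated on the collector (the DC hosting the Lightweight Gateway).

```powershell
# Constructed diagnostic for a source-initiated WEF subscription that lands in
# the ForwardedEvents log. Run elevated on the collector (here the DC / ATA LWG).
# Assumptions: subscription "ATA-Logs" and the event IDs from the thread.
param(
    [string]$SubscriptionName = 'ATA-Logs',
    [int[]]$EventIds = @(4776, 4732, 4733, 7045),
    [int]$LookbackMinutes = 60
)

function Show-Check([bool]$Ok, [string]$Text) {
    "[{0}] {1}" -f ($(if ($Ok) { 'OK' } else { 'MISSING' })), $Text
}

# 1. NETWORK SERVICE must be in "Event Log Readers" so WinRM can read the Security log.
$members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
Show-Check ([bool]($members | Where-Object { $_.Name -like '*NETWORK SERVICE' })) `
           'Event Log Readers contains NETWORK SERVICE'

# 2. WinRM needs an HTTP listener (port 5985) for the SubscriptionManager URL.
$listeners = (winrm enumerate winrm/config/listener 2>$null) -join "`n"
Show-Check ($listeners -match 'Transport\s*=\s*HTTP') 'WinRM HTTP listener present'

# 3. The GPO-delivered SubscriptionManager value the sources will poll.
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $smKey) {
    (Get-ItemProperty $smKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { "[INFO] SubscriptionManager: $($_.Value)" }
} else {
    '[MISSING] SubscriptionManager policy key not present'
}

# 4. Collector-side runtime status of the subscription (per-source state, last error).
"[INFO] wecutil gr $SubscriptionName"
wecutil gr $SubscriptionName 2>&1 | ForEach-Object { "    $_" }

# 5. Are the interesting events actually arriving in ForwardedEvents?
$since = (Get-Date).AddMinutes(-$LookbackMinutes)
$fwd = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = $EventIds; StartTime = $since } `
                    -ErrorAction SilentlyContinue
if (-not $fwd) {
    "[WARN] no matching events in ForwardedEvents in the last $LookbackMinutes minutes"
} else {
    $fwd | Group-Object Id | Sort-Object Name | ForEach-Object {
        "[INFO] ForwardedEvents: ID {0} x{1} (latest from {2})" -f $_.Name, $_.Count, $_.Group[0].MachineName
    }
}
```

A green checkmark in Event Viewer only says the subscription is active; step 5 is what shows whether the specific IDs (for example 4732 from the test host) actually reached the collector's ForwardedEvents log, which is the point this thread is trying to isolate from the ATA ingestion question.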

  5. Grant D 1 Reputation point
    2022-04-28T22:46:11.007+00:00

    Just to clarify. The Events show up in the "Forwarded Events" on the ATA LWG. They just don't make it into MongoDB.

    I assume that their not making it into MongoDB is why the ATA Console doesn't see the event.

    The config error shows up every time I turn the ATA LWG on at boot. It is not repeated as I generate events.

    Is there a default config I can install and see if that changes anything?
