ATA Lightweight Gateway not populating MongoDB with forwarded events

Grant D 1 Reputation point
2022-04-26T22:41:37.237+00:00

I recently broke down and updated to ATA 1.9.3 from ATA 1.9.1.

For some reason, events forwarded to the DC where the Lightweight Gateway is installed are not making it into MongoDB and hence are not appearing on the ATA Console.

I see the events showing up in the Event Viewer on the DC. However, they do not then show up in MongoDB.

Do I need to configure something to read the Forwarded Events? (I am forwarding the usual suspects: 4776, 4732, 4733, ..7045) And I see them show up in the Forwarded logs.
I cannot find anything that needs toggling or setting to "yes".

If I do an nslookup, that generates an alert, but creating a local Admin account on a user box gets no such love (the event 4732 should show up in MongoDB); I see it in the forwarded logs.

Any places to look would be most helpful.

Thanks,

-Grant

Microsoft Configuration Manager

10 answers

  1. Eli Ofek (MSFT) 911 Reputation points Microsoft Employee
    2022-04-29T00:04:13.977+00:00

    There is no need to define forwarding for events when the Gateway is lightweight.
    The reason is that we are running on the same DC, so we can read the logs directly...

    If it says "failed to get configuration" on every start, it means it fails to contact the Center machine via HTTPS 443.
    If you go to the gateway list in the portal, does it even show this instance as running and healthy?


  2. Grant D 1 Reputation point
    2022-04-29T01:02:56.203+00:00

    The Gateway list says that the lightweight Gateway is "Running"
    The "Health" spot has nothing underneath it.

    This might be a clue.


  3. Grant D 1 Reputation point
    2022-04-29T20:43:09.99+00:00

    I noticed from someone else's post of their Gateway logs that it contained:

    "WindowsEventLogReaderConfiguration": {
        "IsEnabled": true,
        "IsForwardedEventReaderEnabled": false,
        "IsLocalEventReaderEnabled": true,
        "UpdateWindowsEventLogReaderBookmarksConfiguration": {
            "Interval": "00:00:30",
            "IsEnabled": true
        }
    }

    Mine does not. Where would I set this? I tried adding it to the GatewayConfiguration.json file but some other process keeps rewriting it.


  4. Eli Ofek (MSFT) 911 Reputation points Microsoft Employee
    2022-05-01T08:13:20.887+00:00

    No, this is the backend (Center) configuration for this gateway that the gateway reports to the log when it starts.
    If you don't have it, it is also evidence that something is wrong. Not sure why the service appears healthy in the portal.
    I strongly suggest opening a support ticket so this can be inspected correctly with the full log files from both the gateway and the Center, to better understand what went wrong.

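    An added triage script covering the two checks raised in answer 1 (is the gateway reaching the Center over 443, and is the local event log readable) and answer 4 (does the gateway log show the configuration block pulled from the Center at start-up). This is not code from the thread or from Microsoft; the Center FQDN is a placeholder, and the service name, log directory and log file name are assumed to be the ATA 1.9 defaults. Run it in an elevated PowerShell on the DC that hosts the Lightweight Gateway.

```powershell
# Added example (not from the thread). Assumptions: the Center FQDN below is a placeholder,
# and 'ATAGateway', the Logs directory and the Microsoft.Tri.Gateway*.log file name are
# assumed ATA 1.9 defaults; adjust them to your deployment.
param(
    [string]$CenterFqdn = 'ata-center.corp.example',   # placeholder: your Center's configured FQDN/IP
    [string]$ServiceName = 'ATAGateway',               # assumed default gateway service name
    [string]$LogDir = "$env:ProgramFiles\Microsoft Advanced Threat Analytics\Gateway\Logs"  # assumed default path
)

# 1. Is the gateway service actually running on this DC?
Get-Service -Name $ServiceName -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 2. Can this host reach the Center over HTTPS/443? Answer 1: "failed to get configuration"
#    on every start means this connection is failing.
$tcp = Test-NetConnection -ComputerName $CenterFqdn -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 443 to $CenterFqdn failed: check DNS, firewall and the Center certificate"
}

# 3. Does the newest gateway log contain the configuration block the gateway writes at start-up
#    (answer 4), or repeated "failed to get configuration" lines (answer 1)?
$log = Get-ChildItem -Path $LogDir -Filter 'Microsoft.Tri.Gateway*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($null -eq $log) {
    Write-Warning "No gateway log found under $LogDir"
} else {
    Select-String -Path $log.FullName -Pattern 'failed to get configuration', 'WindowsEventLogReaderConfiguration', 'IsLocalEventReaderEnabled' |
        Select-Object -Property LineNumber, Line -Last 10
}

# 4. Are the event IDs from the question present in the logs on this DC? The lightweight gateway
#    reads the local Security log directly (answer 1); 4732/4733/4776 live in Security, 7045 in System.
#    The ForwardedEvents log is checked too, since that is where the question says the events land.
$securityIds = @(4732, 4733, 4776)
foreach ($logName in 'Security', 'ForwardedEvents') {
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $securityIds } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Log'; e = { $logName } }, TimeCreated, Id, MachineName
}
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object @{ n = 'Log'; e = { 'System' } }, TimeCreated, Id, MachineName
```

    The MachineName column in step 4 is the useful tell: events the gateway reads from the local Security log carry the DC's own name, while entries in ForwardedEvents carry the originating workstation's name. Nothing here changes the gateway's configuration; the JSON block from answer 3 is owned by the Center, so the script only looks for it in the log.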

  5. Grant D 1 Reputation point
    2022-05-05T14:10:55.36+00:00

    After uninstalling and reinstalling, at this point it appears that I may not have allowed enough time for the system to "learn".

    It doesn't think creating Local Admin accounts on client boxes is suspicious (yet).

    db.getCollectionNames().forEach(function(collection) { print("Found " + collection + " " + db[collection].count()) })

    While nothing is going into Suspicious, some of the other collections are incrementing. And after going through them, the alert for creating an admin account is buried.

    And of course uninstalling and reinstalling has reset the clock.

    Thanks for your help.

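    The one-liner in the post above gives a single snapshot of collection sizes. As an added example (not from the thread or from Microsoft), the script below runs the same kind of count through the Center's bundled mongo shell twice, a minute apart, and prints only the collections whose counts changed, which makes "some of the other collections are incrementing" visible directly. The mongo.exe path and the database name "ATA" are assumed ATA 1.9 defaults; run it on the ATA Center.

```powershell
# Added example (not from the thread). Assumptions: the bundled mongo shell path and the
# database name 'ATA' are assumed ATA 1.9 defaults; adjust them if your Center differs.
param(
    [string]$MongoExe = "$env:ProgramFiles\Microsoft Advanced Threat Analytics\Center\MongoDB\bin\mongo.exe",  # assumed default
    [string]$Database = 'ATA',   # assumed default database name
    [int]$WaitSeconds = 60       # interval between the two samples
)

# Same idea as the snippet in the post, but emitting one JSON object so PowerShell can diff two samples.
$countScript = 'var o = {}; db.getCollectionNames().forEach(function (c) { o[c] = db[c].count(); }); print(JSON.stringify(o));'

function Get-CollectionCounts {
    # --quiet suppresses the shell banner so only the printed JSON comes back
    $raw = & $MongoExe --quiet $Database --eval $countScript
    return ($raw -join '') | ConvertFrom-Json
}

$before = Get-CollectionCounts
Start-Sleep -Seconds $WaitSeconds
$after = Get-CollectionCounts

'{0,-55} {1,12} {2,8}' -f 'Collection', 'Count', 'Delta'
foreach ($name in ($after.PSObject.Properties.Name | Sort-Object)) {
    $delta = [int64]$after.$name - [int64]$before.$name   # a collection absent in $before counts as 0
    if ($delta -ne 0) {
        '{0,-55} {1,12} {2,8:+#;-#}' -f $name, [int64]$after.$name, $delta
    }
}
```

    A growing collection proves the gateway is delivering data to the Center; whether a given event becomes an alert is a separate question that depends on the detection logic and, as the post notes, on the learning period that a reinstall restarts.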