Configuration of DC Security Logs and Troubleshooting

03/26/2020

    Description

    Configuration of DC Security Logs and Troubleshooting

    Cause

    Windows Server uses the DC Security Log to record logon/logoff events and/or other security-related events specified by the system's audit policy. If the audit policy is set to record logins, a successful domain login records the user's user name and computer name in the Security Log. On Windows Server 2003 and above, the computer’s IP address is also logged.

    Resolution

    To configure the DC Security Log method in Directory Services Connector, perform the following steps:

    Step 1: In the Directory Connector Configuration Tool, right-click SonicWall SSO Agent in the left pane.

    Step 2: Select Properties.

    Step 3: In the right pane, in the Query Source field, select one of the following options:

      • DC Security Log
      • DC Security Log + NETAPI
      • DC Security Log + WMI
      • DC Security Log + WMI + NETAPI

    Step 4: Select the desired number of seconds for the Event Polling Time field.

    The Event Polling Time option is visible only if one of the DC Security Log options is selected in the Query Source field. The SSO Agent fetches event logs from the Domain Controller on a regular time interval to discover updated user information. The Event Polling Time option provides a way to specify this interval. The minimum is 5 seconds, and the maximum is 300 seconds, with a default of 10 seconds.

    Step 5: To save information about previously identified users when the SSO Agent service is restarted, select the Preserve users during service restart checkbox.

    Upon restarting the SSO Agent service, the user information is restored. Because the SSO Agent must be restarted for properties changes to take effect, this allows the agent to maintain current user information across these restarts. To avoid restoring outdated information, if the backup is older than 15 minutes, the information is not restored.

    If this option is unchecked when using DC Security Log, the user information is not saved during a service restart. When the next user information request comes in for a previously logged in user, the DC logs are checked, but there is no new logon event and so the user is not identified. If Query Source is set to DC Security Log only, the SSO Agent will send no user information to the appliance. If Query Source is set to DC Security Log with NETAPI or WMI, the agent will do a NETAPI or WMI query to the user PC to identify the user.

    Step 6: Next, configure the Domain Controller information in the Directory Connector Configurator, including the IP address of the DC, the administrator account, and the password.


    Step 7: Configuring the Domain Controller Information. Only machines configured with a Domain Controller role can be set as the domain controller in the Directory Connector Configurator. In the Directory Connector Configuration Tool, right-click Domain Controller in the left pane.

    Step 8: Select Add.

    Step 9: In the right pane on the Edit tab, type the DC IP address into the IP Address field.

    Step 10: In the Administrator User field, enter the domain and admin user name separated by a backslash, such as “snwl\administrator”.

    Step 11: In the Administrator Password field, type in the password for the admin user.

    Step 12: In the Initial Fetch Time field, select the time of day for the SSO Agent to begin service startup and fetch event logs from the Domain Controller for the first time. All event logs are fetched before the SSO Agent service is started.

    Step 13: To test the connection to the Domain Controller using the IP address and user credentials, click Test Connection. If the IP address does not belong to a machine with a role of Domain Controller, the Configurator will not accept the configuration and an error message is displayed.

    Step 14: If the IP address belongs to a machine with a role of Domain Controller, no error is displayed. Click OK.

    Step 15: Repeat this procedure to add another Domain Controller.

    Setting Group Policy to Enable Logon Audit on Windows Server 2008

    Logon audit may need to be enabled on the Windows Server machine. To enable logon audit on Windows Server 2008, perform the following steps:

    1. Start the Group Policy Management Console.
    2. Browse to the following location: Domain Name > Domains > Domain Name > Group Policy Objects, where "Domain Name" is replaced with your domain.
    3. Under Group Policy Objects, right-click on Default Domain Policy and select Edit.

    The Group Policy Management Editor window is displayed.

    4. Double-click on Audit account logon events and select Success. Click OK.
    5. Double-click on Audit logon events and select Success. Click OK.
    6. Double-click on Audit Directory Service Access and select Success. Click OK.
    7. Double-click on Audit Object Access and select Success. Click OK.
    8. Close the Group Policy window.

    Setting Group Policy to Enable Logon Audit on Windows Server 2003

    By default, logon audit is disabled on Windows Server 2003. To enable logon audit on Windows Server 2003, perform the following steps:

    1. Start the Group Policy Management Console.
    2. Browse to the following location: Domain Name > Domains > Domain Name > Group Policy Objects, where "Domain Name" is replaced with your domain.
    3. Right-click on Group Policy Objects and select New.
    4. Give your policy a name and click OK.
    5. Expand the Group Policy Objects folder and find your new policy. Right-click on the policy and select Edit...
    6. Browse to the following location: Policy Name > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
    7. Left-click on Audit Policy. The policy settings are displayed in the right pane.

    8. Double-click on Audit account logon events and select Success. Click OK.
    9. Double-click on Audit logon events and select Success. Click OK.
    10. Double-click on Audit Directory Service Access and select Success. Click OK.
    11. Close the Group Policy window.

    How to Test:

    This should list all users currently logged on to your domain.

    If the above does not return any results, confirm the server settings and check the Event Viewer Security logs to verify that the user's logon was recorded, because SonicWall only displays and uses for authentication the information it gets from the Domain Controller.
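
    A check that can be run on the Domain Controller to confirm both the audit policy set in the Group Policy steps and the Security log contents mentioned above, as an added example that is not part of the original SonicWall article. It assumes Windows Server 2008 or later, an elevated PowerShell 3.0+ session, and that event ID 4624 (successful logon) is the event to look for; the account name `jdoe` and the 30-minute window are placeholders.

```powershell
# Added example: run elevated on the Domain Controller (Server 2008 or later).
# Assumptions: event ID 4624 is the logon event of interest; 'jdoe' is a placeholder.
$UserName        = 'jdoe'
$LookbackMinutes = 30

# 1. Effective audit policy. "Success" should be listed for the logon
#    subcategories if the Group Policy settings have been applied to this DC.
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"

# 2. Recent successful logons recorded in the Security log.
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Extract the fields the article says are logged: user name, computer
#    name and IP address. Event data is read from the event XML by field name.
$noAddress = @('', '-', '::1', '127.0.0.1')
$logons = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data.TargetUserName -like '*$') { continue }        # machine accounts
    if (-not $data.IpAddress -or $noAddress -contains $data.IpAddress) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        Workstation = $data.WorkstationName
        IpAddress   = $data.IpAddress
        LogonType   = $data.LogonType
    }
}

# 4. Report. No rows at all points at the audit policy or log retention;
#    rows for other users but not this one means the logon never reached this DC.
if (-not $logons) {
    Write-Warning "No user logon events with a source IP in the last $LookbackMinutes minutes."
} else {
    "Total user logons found: $(@($logons).Count)"
    $logons | Where-Object { $_.User -like "*\$UserName" } |
        Sort-Object Time -Descending | Format-Table -AutoSize
}
```

    In a multi-DC domain, run it on each Domain Controller added in the Directory Connector Configurator, since a logon is recorded only on the DC that handled it.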

    If you are using Advanced Auditing, please use the following article for GPO configuration:

    DC Security Logs with Advanced Auditing
