Reg Reviewing Event logs in Domain Controller for Who did what

  • Last Post 08 August 2015
Bharathian posted this 05 August 2015

Hi All,   Just wanted to know, how you people are reviewing the security events logs in active directory, like if manually what process do you follow, or using any tool, then how are you concluding it. Any reports are generated and documented.   We wanted to know for the ISO auditing requirement.   Thanks in advance   Regards Bharathi.AN

L&T-Construction   This Message and its contents is intended solely for the addressee and is proprietary. Information in this mail is for L&T Business Usage only. Any Use to other than the addressee is misuse and infringement to Proprietorship of L&T Construction. If you are not the addressee please return the mail to the sender.
L&T Construction.

Order By: Standard | Newest | Votes
gkirkpatrick posted this 05 August 2015

Dell Change Auditor for AD.


It has a giant bag of canned reports that match up with the various regulatory compliance regimes, and it is really easy to compose your own reports, for instance,

“show me all the AD changes made by John”, or “who changed this group membership and what was it before they changed it?”





danj posted this 05 August 2015

+1 for CAAD, much more granular stuff than you get out of the windows event logs, although it generates a lot of data, the database size gets out of hand quite quickly.


Also I have seen a lot more places using full SIEM toolsets in recent years, LogRhythm in particular.





g4ugm posted this 05 August 2015

I used to use Solar Winds LEM. the report searches can be a little slow, but again canned alerts out of the bag,  Dave Wade  


AlLilianstrom posted this 05 August 2015

We use both CAAD and Splunk.  Change Auditor reporting is excellent. It is a great tool to keep track of anyone with any type of elevated access to Active Directory.


Splunk, in my experience, is faster when looking for certain events – say account lockout.


I have daily reports scheduled in both to take advantage of their strengths.





Al Lilianstrom

Group Leader – Authentication Services


Fermi National Accelerator Laboratory




deflgm posted this 05 August 2015

Splunk & AD Audit Plus under Manage Engine - are what we utilize.


g4ugm posted this 05 August 2015

I had a major issue with Splunk, in that when I had an app that kept sending garbage logons to AD it blew the licence limit before I could figure out how to filter them before Splunk saw them. IMHO any audit product that breaks when you get lots of events must have a question mark against it.. 


nidhin_ck posted this 05 August 2015

We are using QRadar for pulling the logs from DC's. we can create customized report for any Event ID
Nidhin CK


scripterv posted this 06 August 2015

We started using Splunk late last year.  The Windows Infrastructure app comes with a lot of predefined dashboards and reports related to AD.  In addition we have customized dashboards and daily summaries of group, computer, user, and GPO changes as well as real time alerts for specific changes in AD.  Other dashboards are provided to support teams for tracking lockouts and authentications.   There is overhead and a learning curve to Splunk though, especially if you want to create your own reports and dashboards.  However it can bring in all types of logs to extend its usage beyond AD and start correlating events.  If you index over your license limit the search does stop but new events continue to index.  Our account rep informed us they have a process to reset the license without additional costs with a call to support while you troubleshoot the broken app.  


Bharathian posted this 08 August 2015



Thanks a lot for everyone for your answers. Will have a look at these tools.