Excessive audit account logged on/off events

I’m in the process of evaluating Netwrix Auditor. After setting up the basic AD monitoring plan using a domain admin service account, I’ve noticed what I believe to be an excessive amount of various account logged on/off and related events - about 400k in 24 hours. This nearly doubled the total number of such events for my entire company of about 80 users. This also compares rather unfavorably to the ~16k of similar events for the auditing account used by Manage Engine’s AD Audit Plus. Is anyone else experiencing this? I pretty much did the default config for setting it up.

Hi Orion,

Reading what you describe, it sounds like it could be that you have enabled the collection of ‘Successful Non-Interactive Logons’ in the monitoring plan.

By default this setting is off, as it can create an excessive amount of activity (or noise) if these logons are not required.

To verify this setting, edit your associated monitoring plan then edit the data source.

Regards,
Russell

Thanks for the reply. However, I don’t see that option - and again I simply set up the plan with default settings. Here is what I see:

Hi Orion,

That one would be for your AD; do you have a data source set up for the Logon Activity?

You may have set this up under one plan or you would have created a separate plan which also would be the recommended setup.

Regards,
Russell

No, the only data source I have is Active Directory.

OK, so as you only have the AD monitoring set up, I can only at this point guess you are seeing the logon/logoff to DCs?

Would you be able to provide an example of what it is and the report you are using for a bit more clarity around the event to better diagnose?

Typically the logons would be collected via the logon activity data source.

We collect our Windows event logs into OpenSearch. Since installing AD Audit Plus and enabling the AD plan we are seeing lots of logon/off related events for the user configured for audit monitoring. Here is an example for a 24-hour period:


This works out to an average of a logon/off for the audit user every 3 seconds on each of the DCs. This seems excessive. Why not keep sessions open persistently?

Hi Orion,

So this is another application you are seeing the excessive logon activity displayed, not within Netwrix Auditor!

The data collection service account for Active Directory will be responsible for communicating with each DC in the audited domain to gather the native event logs generated by Microsoft that we use for change auditing, along with other queries that are also run to gather a full picture. These collections run on a very frequent basis, hence the excessive logon activity you are seeing in OpenSearch.

I am not familiar myself with OpenSearch but perhaps there is a way in the console to omit/exclude from the collections the service account Netwrix Auditor is utilizing for its data collection for AD.

As for the second query as to why we don’t keep a persistent open session to the DCs, I am sure this is going to be for security reasons, but I will need to lean on the dev team here for an answer, @RomanP perhaps you can assist on that part?
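
The rate arithmetic from the OpenSearch post above and the "exclude the service account" idea in this reply, as an added example that is not from the thread, from Netwrix or from OpenSearch: it builds a constructed feed of Security-log logon/logoff events (made-up hosts `DC01`/`DC02` and accounts `svc-audit`/`jdoe`), computes per-account, per-DC logon rates, flags accounts whose only activity is dense network-type logon churn (the footprint of a polling collector), and emits an OpenSearch query that hides just that churn rather than the whole account. The Winlogbeat-style field names in `exclusion_query` are an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (made-up hosts and accounts): the fields a Windows Security
# logon event typically carries once shipped to OpenSearch. Event IDs 4624 (logged on)
# and 4634 (logged off) are the standard Windows ones; logon type 3 = network.
def build_sample(start=datetime(2024, 1, 1), hours=1):
    events = []
    for host in ("DC01", "DC02"):            # an audit collector logging on to every DC every 3 s
        t = start
        while t < start + timedelta(hours=hours):
            events.append({"ts": t, "host": host, "account": "svc-audit", "event_id": 4624, "logon_type": 3})
            events.append({"ts": t + timedelta(seconds=1), "host": host, "account": "svc-audit", "event_id": 4634, "logon_type": 3})
            t += timedelta(seconds=3)
    for i in range(4):                       # a person with a few interactive (type 10) logons
        events.append({"ts": start + timedelta(minutes=10 * i), "host": "DC01", "account": "jdoe", "event_id": 4624, "logon_type": 10})
    return events

def logon_stats(events, window_hours=1):
    """Per (account, host): successful logons, logons per minute, and whether every event was network-type."""
    groups = defaultdict(list)
    for e in events:
        if e["event_id"] in (4624, 4634):
            groups[(e["account"], e["host"])].append(e)
    stats = {}
    for key, evs in groups.items():
        logons = sum(e["event_id"] == 4624 for e in evs)
        stats[key] = {"logons": logons, "logons_per_minute": logons / (window_hours * 60),
                      "network_only": all(e["logon_type"] == 3 for e in evs)}
    return stats

def collector_like(stats, min_per_minute=5.0):
    """Accounts whose activity on every host is purely network-type logon churn above the threshold:
    the signature of a polling audit collector rather than a person."""
    by_account = defaultdict(list)
    for (account, _host), s in stats.items():
        by_account[account].append(s)
    return sorted(a for a, rows in by_account.items()
                  if all(r["network_only"] and r["logons_per_minute"] >= min_per_minute for r in rows))

def exclusion_query(accounts, account_field="winlog.event_data.TargetUserName",
                    type_field="winlog.event_data.LogonType", id_field="winlog.event_id"):
    """OpenSearch query DSL that hides only the collector's network logon/logoff churn, so an interactive
    or otherwise unexpected logon by the same service account still shows up (field names are assumed)."""
    return {"query": {"bool": {"must_not": [{"bool": {"must": [
        {"terms": {account_field: sorted(accounts)}},
        {"term": {type_field: 3}},
        {"terms": {id_field: [4624, 4634]}},
    ]}}]}}}
```

Run `collector_like(logon_stats(build_sample()))` to see only `svc-audit` flagged; feed the result to `exclusion_query` for a filter that narrows the noise without blinding you to the service account being used interactively.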

Hello,

At the moment it is considered “as designed” due to a number of places and operations for the data formation. We will plan additional research tasks in the next sprints to check if these operations are required.

Thanks,
Roman

I think we can live with it, but it does seem like it does an excessive amount of logon/offs and I think it would be worth reviewing how the connections are made and if having them persist for longer would make sense. Thanks for looking into it.