# LDAP Logging

Published 2024-10-05 at https://pariswells.com/blog/research/ldap-logging (category: research)

Reference: https://support.microsoft.com/en-us/help/314980/how-to-configure-active-directory-and-lds-diagnostic-event-logging

Each DC is treated separately, so the diagnostic logging has to be configured on every domain controller.

Increase the log size for the Directory Service event log.

Then for a report:

```powershell
# Collect event 2889 (a client performed an LDAP bind without signing, or a simple bind
# over a cleartext connection) from the Directory Service log of this DC
$logs = Get-WinEvent -FilterHashtable @{ LogName = "Directory Service"; ID = 2889 }
$values = @()

foreach ($log in $logs) {
    $datasourceObject = New-Object PSObject
    # Property 0 holds the client as "IP:port"; keep only the address part
    $datasourceObject | Add-Member -MemberType NoteProperty -Name "IP" -Value $log.Properties[0].Value.Split(":")[0]
    # Property 1 holds the identity that performed the bind
    $datasourceObject | Add-Member -MemberType NoteProperty -Name "UserBind" -Value $log.Properties[1].Value
    $values += $datasourceObject
}

# Count binds per client/identity pair, resolve the client to a host name and write a CSV
$values | Group-Object -Property IP, UserBind | Sort-Object Count -Descending | Select-Object Count, Name | ForEach-Object {
    [PSCustomObject]@{
        'Ip'       = ($_.Name -split ", ")[0]
        'UserBind' = ($_.Name -split ", ")[1]
        'Name'     = (Resolve-DnsName -Name (($_.Name -split ", ")[0]) -ErrorAction SilentlyContinue | Select-Object -ExpandProperty NameHost)
        'Count'    = $_.Count
    }
} | Export-Csv -NoTypeInformation -Path C:\Temp\count.csv
```

**View the logs**

Unsecure LDAP binds
Go to Event Viewer → Filter Directory Service logs to locate the event ID 2889 (Windows Server 2003 to 2012)

Number of daily unsecure LDAP binds
Go to Event Viewer → Filter Directory Service logs to locate the event ID 2887 (Windows Server 2003 to 2012)

Number of LDAP queries
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1643 (Windows Server 2003 to 2012)

Recent LDAP queries
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1644 (Windows Server 2003 to 2012)

Error from LDAP server
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1535 (Windows Server 2003 to 2012)

Time-out LDAP connection
Go to Event Viewer → Filter Directory Service logs to locate the event ID 1317 (Windows Server 2003 to 2012)