{"id":7389,"date":"2024-10-05T07:13:02","date_gmt":"2024-10-05T07:13:02","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=7389"},"modified":"2024-10-05T07:13:03","modified_gmt":"2024-10-05T07:13:03","slug":"ldap-logging","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/ldap-logging","title":{"rendered":"LDAP Logging"},"content":{"rendered":"\n

https:\/\/support.microsoft.com\/en-us\/help\/314980\/how-to-configure-active-directory-and-lds-diagnostic-event-logging<\/a><\/p>\n\n\n\n

Each DC is treated separately.<\/p>\n\n\n\n

Increase the Log Size for Directory Service<\/p>\n\n\n\n

Then for a report:<\/p>\n\n\n\n

$logs = Get-winevent -FilterHashTable @{ LogName = “Directory Service”; ID = 2889} $values = @()<\/p>\n\n\n\n

Foreach($log in $logs){ $datasourceObject = new-object PSObject $datasourceObject | add-member -membertype NoteProperty -name “IP” -Value $log.properties[0].value.split(“:”)[0] $datasourceObject | add-member -membertype NoteProperty -name “UserBind” -Value $log.Properties[1].value<\/p>\n\n\n\n

$values += $datasourceObject }<\/p>\n\n\n\n

$values|Group-Object -Property IP,UserBind|Sort-Object count -Descending|Select-Object Count,Name | ForEach-Object{ [PSCustomObject]@{ ‘Ip’ = ($_.Name -split “, “)[0] ‘UserBind’ = ($_.Name -split “, “)[1] ‘Name’= (Resolve-DnsName(($_.Name -split “, “)[0])|select-object -ExpandProperty namehost) ‘Count’ = ($_.count) }} >> C:\\Temp\\count.csv<\/p>\n\n\n\n

<\/p>\n\n\n\n

View the logs<\/strong><\/p>\n\n\n\n

Unsecure LDAP binds
Go to Event Viewer ? Filter Directory Service logs to locate the event ID 2889 (Windows Server 2003 to 2012)<\/p>\n\n\n\n

Number of daily unsecure LDAP bind
Go to Event Viewer ? Filter Directory Service logs to locate the event ID 2887 (Windows Server 2003 to 2012)<\/p>\n\n\n\n

Number of LDAP queries
Go to Event Viewer ? Filter Directory Service logs to locate the event ID 1643 (Windows Server 2003 to 2012)<\/p>\n\n\n\n

Recent LDAP queries
Go to Event Viewer ? Filter Directory Service logs to locate the event ID 1644 (Windows Server 2003 to 2012)<\/p>\n\n\n\n

Error from LDAP server
Go to Event Viewer ? Filter Directory Service logs to locate the event ID 1535 (Windows Server 2003 to 2012)<\/p>\n\n\n\n

Time-out LDAP connection
Go to Event Viewer ? Filter Directory Service logs to locate the event ID 1317 (Windows Server 2003 to 2012)<\/p>\n","protected":false},"excerpt":{"rendered":"

https:\/\/support.microsoft.com\/en-us\/help\/314980\/how-to-configure-active-directory-and-lds-diagnostic-event-logging Each DC is treated separately. Increase the Log Size for Directory Service Then for a report: $logs = Get-winevent -FilterHashTable @{ LogName = “Directory Service”; ID […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7389","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t