Documentation is non-existent or incorrect

Posted about 1 month ago by Duane Abrames

Answered
Duane Abrames

So I just started evaluating utmstack yesterday, and so far my experience has been less than stellar.  One particular case in point is AD Audit.  When I go to the openstack web UI and go to extensions -> AD Audit, the instructions which are provided are for installing AD Certificate Services as a new root CA.  The only hint as to WHY we would be doing this is the heading "LDAPS on windows server".   Then it shows running a dsquery command, with no explanation as to why.  The only step that has anything to do with utmstack is the instruction "Enter AD Auditor connection info."  Great, I'd love to do that, but this is not an instruction which is helpful to anyone.  I hit the "add tenant" button (though it was not mentioned anywhere in the above instructions, nor in any documentation I could find), and put in a DC name, user, password, and search base.  But, when I hit "Enable Integration" I get this:

Windows events verification

Windows events are not being logged

Active Directory index verification

Active Directory index not found


with absolutely no info as to how I would go about creating such an index, nor what is meant by "Windows events are not being logged."  I have an agent on the DC, and it has checked in enough to be listed in "sources."  It would make more sense IMHO to have the instructions simply state "you must have LDAPS enabled on your DC, here is a link to Microsoft on how to do it".  Maybe then you would have room on this page to include some actual instructions.

0 Votes


Ricardo Valdes posted 20 days ago Admin Best Answer

Hi Duane,


I confirmed with our engineering team that this guide needs some work. We'll make some changes to make it easier to understand.


When you run the command: "dsquery user -name {known username}" it will give you an output similar to this (example): "CN=John.Smith,CN=Users,DC=MyDomain,DC=com".


Your "User Distinguished Name" would be the complete output result "CN=John.Smith,CN=Users,DC=MyDomain,DC=com"

Your "Search Base" would be "DC=MyDomain,DC=com"

Your hostname would be your server IP or hostname

Your password would be the one that belongs to the account used in your query "dsquery user -name {known username}"

0 Votes
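A small helper, added here as an example and not part of the answer above or of UTMStack itself, that derives the "User Distinguished Name" and "Search Base" fields from one line of dsquery output the way Ricardo describes; the sample dsquery line is constructed, and the parser also copes with the surrounding quotes and backslash-escaped commas that dsquery emits for account names containing a comma.

```python
# Constructed sample of what `dsquery user -name <name>` prints: the DN is wrapped in
# double quotes, and a comma inside an RDN value is escaped with a backslash (RFC 4514).
SAMPLE_DSQUERY_OUTPUT = '"CN=Smith\\, John,CN=Users,DC=MyDomain,DC=com"'


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a distinguished name into (attribute, value) pairs, honouring backslash escapes."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape sequence intact, do not split on it
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    pairs = []
    for rdn in parts:
        attr, sep, value = rdn.partition("=")   # split on the first '=' only
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def derive_ad_audit_settings(dsquery_output: str) -> dict:
    """Return the tenant fields (user DN and search base) from a single dsquery output line."""
    user_dn = dsquery_output.strip().strip('"')   # the full DN is the "User Distinguished Name"
    pairs = split_dn(user_dn)
    first_dc = next((i for i, (attr, _) in enumerate(pairs) if attr == "DC"), None)
    if first_dc is None:
        raise ValueError("DN has no DC= components; cannot derive a search base")
    # The search base is the domain part: every component from the first DC= onward.
    if any(attr != "DC" for attr, _ in pairs[first_dc:]):
        raise ValueError("non-DC component after the domain part; unexpected DN layout")
    search_base = ",".join(f"{attr}={value}" for attr, value in pairs[first_dc:])
    return {"user_dn": user_dn, "search_base": search_base}


if __name__ == "__main__":
    for field, value in derive_ad_audit_settings(SAMPLE_DSQUERY_OUTPUT).items():
        print(f"{field}: {value}")
```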


2 Comments



Jason Hall posted 22 days ago

In data sources, for events next to your DC does it say HIDS, wineventlog or does it just say HIDS? 

I was having the same issue and mine was only showing HIDS. I had to do a couple of things to get it to work.

1.) I installed an earlier version of the Windows Agent.

2.) I manually added the data parsing filter for windows-events.


To manually add the windows-events filter I logged into the https://demo.utmstack.com/ site, went to data parsing and copied it from there.


After that all my windows clients were showing wineventlog and I could enable AD Auditing and File Integrity Monitoring.

0 Votes
