topic SourceFire AD Agent Problems in Network Security

SourceFire AD Agent Problems

nrunge1 — Sun, 10 Mar 2019 13:24:59 GMT

I have the SFUA 2.2 agent installed on a Server2012R2 DC. I am able to see login and logoff events in Event Viewer on that server for my AD account.

Everything looks good in the Agent UI and the I do not notice any errors in the logs. Also I can telnet to 3306 on the FireSight server.

Firewalling is completely disabled and I even went so far as to take the service account, which is a domain admin for troubleshooting purposes, and give it full rights in DCOM and WMI.

I opened up the local DB that the agent creates and I do not see it populating any user to IP mappings. It is almost like it just isn't seeing or recognizing the events in order to record them.

I was able to resolve this

nrunge1 — Fri, 17 Jul 2015 15:55:17 GMT

I was able to resolve this with TAC. The problem was with our Group Policy settings for auditing.

In Server 2012 Advanced Auditing was made available and apparently one of our admins turned that feature on and did not have it check for login/logoff.

That policy overrides the basic audit policy and effectively disabled the auditing.

So I was seeing login events on the Domain Controller but they were specifically Kerberos ticket requests which is not the event ID that the software looks for.

I do not believe that it is documented anywhere but the FireSight Agent looks for events 4624 and 4634.

TAC was actually very helpful in assisting me.