Cisco CDA with forwarded logs

Sean Alexander
Level 1

Hi All,

We have over 50 DCs and they come and go regularly; maintaining this list in multiple CDAs could be a pain.

We have AD forward logs to a central DC; however, they get stored in the forwarded events log.

Is there a way to have CDA read this?
Thanks,

4 Replies

Vance Kwan
Cisco Employee

If you can forward event ID 4768 into the security events, this will work.  Just add that DC instead of all 50.

-Vance

Thanks for the response, but logs only forward to the forwarded event log and I cannot choose the security log as the destination for forwarded logs.

How do you forward those events into the security log?

Thanks,

I'm not aware of how to forward it to the security logs. More so, I am not even 100% sure that it needs to be in the security logs. Have you tested this? Is this DC with the centralized repository added currently? If it is, we should be able to review the logs to see if it got any user mappings from this DC.

Hi Vance,

I thought we had this resolved, but it turns out we do not.

In the documentation it states:

If log forwarding is being employed, then connectivity is required only between CDA and the aggregating domain controller machines, there is no need to provide connectivity between all domain controller machines and CDA in a centralized log forwarding deployment.

But with log forwarding enabled on our DCs, logs go to the forwarded event log, and from previous reading I can say CDA only reads the security log. Based on the IP mappings, this is confirmed.
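
A check for the situation discussed in this thread, added here as an example and not taken from any poster or from Cisco documentation: run on the aggregating DC, it shows which log the event ID 4768 records are actually stored in and which domain controller each one originated from. The one-hour look-back window is an assumption.

```powershell
# Run in an elevated PowerShell session on the aggregating DC (the log collector).
# Added example: the look-back window below is an assumed value, adjust as needed.
$since = (Get-Date).AddHours(-1)
$logs  = 'Security', 'ForwardedEvents'

$summary = foreach ($log in $logs) {
    # Get-WinEvent raises an error when nothing matches, so suppress it and test for results.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Id        = 4768          # the event ID named in the thread
        StartTime = $since
    } -ErrorAction SilentlyContinue

    if ($events) {
        # MachineName is the computer that generated the event. For forwarded
        # events this is the originating DC, not the collector.
        $events | Group-Object MachineName | ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
            [pscustomobject]@{
                Log        = $log
                SourceHost = $_.Name
                Count      = $_.Count
                Latest     = $latest.TimeCreated
            }
        }
    }
    else {
        # Emit an explicit row so an empty log is visible in the output.
        [pscustomobject]@{ Log = $log; SourceHost = '(none)'; Count = 0; Latest = $null }
    }
}

$summary | Sort-Object Log, SourceHost | Format-Table -AutoSize
```

If the remote DCs appear only under `ForwardedEvents` and the `Security` rows list just the collector itself, the output matches what the last post describes.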