Beginner

Cisco CDA with forwarded logs

Hi All,

 

We have over 50 DCs and they come and go regularly; maintaining this list in multiple CDAs could be a pain.

We have AD forward logs to a central DC; however, they get stored in the forwarded events log.

Is there a way to have CDA read this?

 

Thanks,

Cisco Employee

If you can forward event ID 4768 into the security events, this will work.  Just add that DC instead of all 50.

-Vance

Beginner

Thanks for the response, but logs only forward to the forwarded event log and I cannot choose the security log as the destination for forwarded logs.

 

How do you forward those events into the security log?

 

Thanks,

Cisco Employee

I'm not aware of how to forward it to the security logs.  More so, I am not even 100% sure that it needs to be in the security logs.  Have you tested this?  Is this DC with the centralized repository added currently?  If it is, we should be able to review the logs to see if it got any user mappings from this DC.

Beginner

Hi Vance,

I thought we had this resolved, but it turns out we do not.

In the documentation it states:

If log forwarding is being employed, then connectivity is required only between CDA and the aggregating domain controller machines, there is no need to provide connectivity between all domain controller machines and CDA in a centralized log forwarding deployment.

But with log forwarding enabled on our DCs, logs go to the forwarded event log, and from previous reading I can say CDA only reads the security log. Based on the IP mappings this is confirmed.