11-20-2017 06:27 AM - edited 02-21-2020 10:39 AM
Hi team,
I am looking for a way to take advantage of the Windows Event Subscription Service as a source of Passive Identity for ISE/ISE-PIC. This service can be used to centralize domain logon events from all the domain controllers and could be used instead of configuring specific DCs in ISE-PIC for WMI or with the AD Agents. So two methods could be used:
- Syslogging out from the server that has this Subscription service to ISE/ISE-PIC using the Syslog Provider
- Performing a REST API call from the server to ISE for these logs using the REST API provider
Looking for guidance from you on whether this has been done before and if we have a recipe to accomplish the Syslog Provider or REST API option?
Thanks
11-20-2017 09:13 AM
Hi,
If you do not want to use the purpose-built AD provider, syslog will be your only other option. Please keep in mind, this isn't something our QA team has tested, but that doesn't mean it isn't possible. You will most likely need to create custom syslog headers and templates for this to work. The REST API is used in VDI environments, so unfortunately it is not an option. I do have an example of how to create custom templates in this community if you are interested.
Regards,
-Tim
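The syslog route Tim describes, as an added example that is not part of the thread or of any Cisco-provided tooling: a PowerShell relay that runs on the Windows Event Forwarding collector, reads recent domain logon events (4624, 4768, 4770) from the Forwarded Events log, extracts the user, domain and client IP, and sends each binding to ISE/ISE-PIC as a UDP syslog line. The ISE address and port, the `WEF-Relay` app name and the `ISEPIC user=... domain=... ip=...` body format are all assumptions made here; ISE would still need a custom syslog header/template built to match that body, which this script does not create.

```powershell
# Added example (not from the thread): relay domain logon events from a WEF
# collector's Forwarded Events log to ISE/ISE-PIC as syslog.
# Assumptions: the ISE host/port are placeholders, and the key=value body is a
# format chosen here that a matching custom ISE syslog template would parse.

param(
    [string]$IseHost = '192.0.2.10',   # placeholder ISE/ISE-PIC PSN address
    [int]$IsePort = 40514,             # placeholder; must match the port configured on the ISE syslog provider
    [int]$LookbackMinutes = 5
)

# Event IDs on a DC that bind a user to a client IP:
# 4624 = successful logon, 4768 = Kerberos TGT requested, 4770 = TGT renewed.
$LogonEventIds = 4624, 4768, 4770
$Since = (Get-Date).AddMinutes(-$LookbackMinutes)

function Get-EventField {
    # Pull a named <Data Name="..."> value out of the event's EventData section.
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return [string]$node.'#text' } else { return '' }
}

function ConvertTo-SyslogLine {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)

    $xml    = [xml]$Record.ToXml()
    $user   = Get-EventField $xml 'TargetUserName'
    $domain = Get-EventField $xml 'TargetDomainName'
    $ip     = Get-EventField $xml 'IpAddress'

    # Skip machine accounts (trailing $) and logons with no usable client address.
    if ($user -match '\$$' -or $ip -in @('', '-', '::1', '127.0.0.1')) { return $null }
    # DCs log IPv4 clients as IPv4-mapped IPv6 (::ffff:10.1.2.3); strip the prefix.
    $ip = $ip -replace '^::ffff:', ''

    # Hypothetical key=value body; an ISE custom template would need to match it.
    $body = "ISEPIC user=$user domain=$domain ip=$ip eventid=$($Record.Id) dc=$($Record.MachineName)"
    # RFC 5424 header: PRI <14> = facility user(1)*8 + severity informational(6).
    $ts = $Record.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    return "<14>1 $ts $($Record.MachineName) WEF-Relay - - - $body"
}

$udp = New-Object System.Net.Sockets.UdpClient
try {
    # ForwardedEvents is where a WEF collector lands events subscribed from the DCs.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'ForwardedEvents'
        Id        = $LogonEventIds
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($rec in $events) {
        $line = ConvertTo-SyslogLine $rec
        if (-not $line) { continue }
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
        [void]$udp.Send($bytes, $bytes.Length, $IseHost, $IsePort)
    }
}
finally {
    $udp.Close()
}
```

Run it from a scheduled task on the collector with a lookback slightly longer than the task interval; the collector's own account only needs read access to the Forwarded Events log, which is the permission argument made later in this thread for preferring a collector over WMI polling of, or agents on, every DC.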
11-21-2017 06:13 AM
Tim,
Question on this. I believe the format of the forwarded logs is the same as the log format on the DCs themselves. The logs reside in a Forwarded Events log vs. Security Logs in the Event Viewer. Why can't the DC Agent be coded to allow you to select the Forwarded Events log?
Putting the DC agent on a pair of event collection servers looking at the Forwarded Events log vs. doing WMI calls to the DCs or installing DC agents on all the DCs seems like a much better option.
11-21-2017 07:32 AM
In theory, this should be possible to do which would allow for greater scale of domain controllers beyond the 100 limit that exists today. The reason it currently isn't supported is because we didn't QA that use case prior to the release of ISE / PIC 2.2. I'll forward your feedback to the PM team. Thanks!
Regards,
-Tim
11-21-2017 07:59 AM
Yeah the user story for doing this would be highly appealing I think. In my discussions with customers, the permissions needed for WMI polling of the DCs or installing an agent on their DCs are not appealing options. Installing an agent on a member server acting as a log collector is an easy sell.
Thanks for the quick response Tim.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
12-03-2018 04:43 PM
Did you ever come up with an acceptable solution for this? I'm facing the same exact issue. In my case, the client has over 80 DCs (site servers), so it's not even possible for me to set all these AD connectors in ISE. I started down the road of attempting to set up a logging server and either forwarding events to it or subscribing to all the DCs, but it looks like I can't specify the security log as a destination and I can't see a way to configure the connector to look at another log.
Thanks
Greg