Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
556
Views
5
Helpful
1
Replies

SourceFire AD Agent Problems

nrunge1
Level 1
Level 1

‎07-15-2015 11:22 AM - edited ‎03-10-2019 06:24 AM

I have the SFUA 2.2 agent installed on a Server2012R2 DC. I am able to see login and logoff events in Event Viewer on that server for my AD account.

Everything looks good in the Agent UI and the I do not notice any errors in the logs. Also I can telnet to 3306 on the FireSight server.

Firewalling is completely disabled and I even went so far as to take the service account, which is a domain admin for troubleshooting purposes, and give it full rights in DCOM and WMI.

I opened up the local DB that the agent creates and I do not see it populating any user to IP mappings. It is almost like it just isn't seeing or recognizing the events in order to record them.

 

Labels:
0 Helpful
1 Reply 1

nrunge1
Level 1
Level 1

‎07-17-2015 08:55 AM

I was able to resolve this with TAC. The problem was with our Group Policy settings for auditing.

In Server 2012 Advanced Auditing was made available and apparently one of our admins turned that feature on and did not have it check for login/logoff. 

That policy overrides the basic audit policy and effectively disabled the auditing. 

So I was seeing login events on the Domain Controller but they were specifically Kerberos ticket requests which is not the event ID that the software looks for. 

I do not believe that it is documented anywhere but the FireSight Agent looks for events 4624 and 4634. 

TAC was actually very helpful in assisting me. 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card