Latest commit b1a4ea0 by reighnman, Dec 3, 2015: resolves #2 (Remove facility specification)

Active Directory Auditing Content Pack

Tested with nxLog/Windows 2008R2 Domain Controllers/Graylog 1.2

This content pack provides several useful dashboards for auditing Active Directory events:

  • DNS Object Summary - DNS Creations, Deletions
  • Group Object Summary - Group Creations, Modifications, Deletions, Membership Changes
  • User Object Summary - Account Creations, Deletions, Modifications, Lockouts, Unlocks
  • Computer Object Summary - (in progress)
  • Logon Summary - Failed Authentication Attempts, Interactive Logins
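The dashboards above are built from Graylog searches over the Windows Security event IDs that nxLog forwards. The following is an added example, not code from the content pack, showing which well-known event IDs feed the User, Group and Logon dashboards and how a batch of GELF messages would be bucketed. It assumes nxLog's im_msvistalog plus xm_gelf emits the event ID as the GELF additional field `_EventID` and the event-data fields (`_TargetUserName`, `_LogonType`, ...) with the same underscore prefix (Graylog strips the underscore on receipt, so both spellings are accepted); other collectors use different field names, which is exactly why the searches need adjusting for them. The DNS and Computer dashboards are left out because the page does not name their events. All sample messages are constructed.

```python
"""Bucket Windows Security events (nxLog GELF form) into the dashboard
categories of the Active Directory Auditing content pack.

Added example, not the content pack's own code. Field names follow the
assumption that nxLog/xm_gelf prefixes additional fields with "_".
"""
import json
from collections import defaultdict

# Well-known Windows Security event IDs (2008R2 and later) behind each dashboard.
EVENT_CATEGORIES = {
    "User Object Summary": {
        4720: "account created",
        4726: "account deleted",
        4738: "account changed",
        4740: "account locked out",
        4767: "account unlocked",
    },
    "Group Object Summary": {
        4727: "global security group created",
        4730: "global security group deleted",
        4731: "local security group created",
        4734: "local security group deleted",
        4735: "local security group changed",
        4737: "global security group changed",
        4728: "member added to global security group",
        4729: "member removed from global security group",
        4732: "member added to local security group",
        4733: "member removed from local security group",
    },
    "Logon Summary": {
        4625: "failed logon",
        4624: "interactive logon",  # only LogonType 2/10 count, see classify()
    },
}
INTERACTIVE_LOGON_TYPES = {"2", "10"}  # console and RDP; network (3) is excluded


def field(msg, name):
    """Read a field whether or not it still carries the GELF '_' prefix."""
    return msg.get("_" + name, msg.get(name))


def classify(msg):
    """Return (dashboard, description) for one GELF message, or None when the
    event is not one the dashboards track."""
    try:
        event_id = int(field(msg, "EventID"))
    except (TypeError, ValueError):
        return None  # no usable event ID: not a Windows Security event
    if field(msg, "Channel") not in (None, "Security"):
        return None
    for dashboard, ids in EVENT_CATEGORIES.items():
        if event_id in ids:
            if event_id == 4624 and field(msg, "LogonType") not in INTERACTIVE_LOGON_TYPES:
                return None  # service/network logons would swamp the dashboard
            return dashboard, ids[event_id]
    return None


def summarize(gelf_lines):
    """Count tracked events per dashboard over newline-delimited GELF JSON,
    skipping malformed datagrams instead of failing the whole batch."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in gelf_lines:
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(msg)
        if hit:
            dashboard, what = hit
            counts[dashboard][what] += 1
    return {d: dict(c) for d, c in counts.items()}


def gelf(event_id, **extra):
    """Build a constructed GELF 1.1 message the way nxLog would emit it."""
    msg = {"version": "1.1", "host": "DC01", "short_message": "sample",
           "_Channel": "Security", "_EventID": event_id}
    msg.update({"_" + k: v for k, v in extra.items()})
    return json.dumps(msg)


# Constructed sample batch: one DC's worth of mixed events plus junk.
SAMPLE_GELF = [
    gelf(4720, SubjectUserName="admin.jane", TargetUserName="svc-backup"),
    gelf(4625, TargetUserName="jdoe", IpAddress="10.0.0.23", LogonType="3"),
    gelf(4625, TargetUserName="jdoe", IpAddress="10.0.0.23", LogonType="3"),
    gelf(4624, TargetUserName="svc-sql", LogonType="3"),    # network logon: ignored
    gelf(4624, TargetUserName="admin.jane", LogonType="2"), # console logon: counted
    gelf(4728, TargetUserName="Domain Admins", MemberName="CN=jdoe,DC=corp"),
    gelf(4740, TargetUserName="jdoe"),
    json.dumps({"_Channel": "System", "_EventID": 4720}),   # wrong channel: ignored
    "not json at all",                                      # malformed datagram
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_GELF), indent=2))
```

Run it as-is to see the counts; to use it on live data, feed it the JSON bodies of the GELF datagrams arriving on the pack's UDP 5414 input. The Channel check and the LogonType filter are the two places where a naive "EventID:4624" search would over-count.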

The content pack contains:

  • Input (GELF udp 5414)
  • Failed Logon Stream (unconfigured)
  • Dashboards

Requirements:

  • NXLog collecting Windows logs; other log collectors will work but may require modifying the searches to match the different field names those collectors output
  • Domain Controller security policy with the following enabled:
      - Audit Account Logon Events
      - Audit Account Management
      - Audit Logon Events
      - Audit Object Access
      - Audit Policy Change
      - Audit System Events
  • Leading Wildcard Searches enabled in graylog.conf: allow_leading_wildcard_searches = true

NXLog Example

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    # For Windows Vista/2008 and above use:
    Module      im_msvistalog

    # For Windows 2003 and earlier use the following instead:
    #   Module      im_mseventlog
</Input>

<Output out>
    Module      om_udp
    # The Host directive was missing from the original; replace the
    # placeholder with the address of the Graylog node running the GELF input
    Host        GRAYLOG_SERVER_ADDRESS
    Port        5414
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>