Domain Controller security logs
Hello - I am testing out cribl stream/edge - first time user. Using version 4.1.2.
I've deployed a stream server, a single worker and a Edge node leader.
I've installed the edge node agents using the "Add/Update Edge Node" automated script.
I've done this on 5 servers in my environment to test how this would work. So far, I can see logs coming into Edge/Stream and into my siem with one exception. My domain controller is not capturing/sending any data. I have followed this:
as my guide for the setup. The other 4 servers are working as expected but the domain controller is not. I dug and found at the end of an article
which states to check permissions on a registry key and make sure it has read rights; I checked that and still no data. I have checked the logs found under programdata\cribl\ and nothing jumps out.
- Cribl is now accounting for 40 GB of space on that DC in the span of 3 days; what is causing the folder to grow?
- What other steps are needed to get the event logs (specifically Security logs) to flow? When I look at the "destination" —> cribl_tcp —> status, there are never any events in buffer, sent bytes, etc.
Answers
-
Wondering if you tried capturing events at the source (Windows Event Log) on that domain controller to see if something is wrong. You can teleport and capture as well.
0 -
This is fairly new to me so I'm not sure what teleporting means. If it's where you can dive into the device from Cribl Edge from the list view, then yes, I have done that and I still see no data there. Suspecting it may be a permissions issue, I ran the Cribl Edge service with an all-god account for testing and still nothing, so there must be some additional config for DCs that I am not seeing.
0 -
Not sure if this helps, but I found a few articles on the web. Maybe the Edge user needs permissions to access this log?
0 -
Hi @Wesley Raynor,
- Have you opened a support case?
- When you say "isn't collecting data", what data are you referring to? Which logging channels? Which files?
- Do you see the Edge Node connected to the Leader in the list of Nodes?
- Do you have PQ enabled?
0 -
That was the first thing I checked. Thanks for the suggestion.
0 -
- No - I am trying Cribl out; they referred me to the community, hence my current question.
- The data being referred to: Application/System/Security logs
- Yes - it's connected
- No - since I am just doing a PoC, I did not invest the time in getting that in place, as I may not end up using this. This could possibly account for the growth in files under the cribl folder, which I do not recall setting up.
Thanks for the response.
0
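Two questions run through the thread: whether the account running Cribl Edge can actually read the Security channel on the domain controller, and which part of the programdata\cribl folder is growing. The following PowerShell script is an added diagnostic for both; it is not from the thread and not Cribl's own tooling. It assumes the Edge service is registered under the name CriblEdge and that its data lives under %ProgramData%\cribl (the path the original poster mentions); change either if your install differs. Run it in an elevated PowerShell prompt on the DC.

```powershell
# Added diagnostic example (not from the thread, not Cribl's own code).
# Assumptions: the Edge service is named 'CriblEdge' and its data directory is
# %ProgramData%\cribl. Adjust both variables for your installation.

$serviceName = 'CriblEdge'                          # assumed service name
$criblRoot   = Join-Path $env:ProgramData 'cribl'   # path mentioned in the thread
$channels    = 'Application', 'System', 'Security'

# 1. Identify the account the Edge service runs as. On a DC, reading the
#    Security channel requires Administrators, Event Log Readers (BUILTIN SID
#    S-1-5-32-573), or an explicit read ACE in the channel's descriptor.
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) {
    Write-Warning "Service '$serviceName' not found; check the service name in services.msc"
} else {
    "Edge service runs as: $($svc.StartName) (state: $($svc.State))"
}

# 2. Show each channel's record count, last write time and access list (SDDL).
#    If the service account or one of its groups is absent from the Security
#    channel's DACL, Edge will see nothing from that channel.
foreach ($ch in $channels) {
    $log = Get-WinEvent -ListLog $ch -ErrorAction Stop
    "{0}: {1} records, last write {2}" -f $ch, $log.RecordCount, $log.LastWriteTime
    "  SDDL: $($log.SecurityDescriptor)"
    $sd = ConvertFrom-SddlString -Sddl $log.SecurityDescriptor
    $sd.DiscretionaryAcl | ForEach-Object { "    $_" }
}

# 3. Test an actual read of each channel in the current security context.
#    To test as the service account itself, start PowerShell with
#    runas /user:<service account> powershell.exe and re-run this block.
foreach ($ch in $channels) {
    try {
        $e = Get-WinEvent -LogName $ch -MaxEvents 1 -ErrorAction Stop
        "{0}: readable, newest event ID {1} at {2}" -f $ch, $e.Id, $e.TimeCreated
    } catch {
        "{0}: NOT readable - {1}" -f $ch, $_.Exception.Message
    }
}

# 4. Size each top-level subfolder under the Cribl data directory so the
#    growing one (logs, state, queue data, ...) is visible at a glance.
if (Test-Path $criblRoot) {
    Get-ChildItem -Path $criblRoot -Directory | ForEach-Object {
        $bytes = (Get-ChildItem -Path $_.FullName -Recurse -File -ErrorAction SilentlyContinue |
                  Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Folder = $_.Name; GB = [math]::Round(($bytes / 1GB), 2) }
    } | Sort-Object GB -Descending | Format-Table -AutoSize
} else {
    Write-Warning "Cribl data directory '$criblRoot' not found"
}
```

Step 2 is the one that usually explains a silent Security channel: Application and System grant read access broadly, while Security does not, so a service account that reads the first two fine can still get nothing from the third until it is added to Event Log Readers or the channel's descriptor. Step 4 does not say why a folder grows, but it tells you which folder to open and read first.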