Domain Controller security logs

Wesley Raynor

Hello - I am testing out Cribl Stream/Edge as a first-time user, using version 4.1.2.

I've deployed a Stream server, a single worker, and an Edge node leader.

I've installed the Edge node agents using the "Add/Update Edge Node" automated script.

I've done this on 5 servers in my environment to test how this would work. So far, I can see logs coming into Edge/Stream and into my SIEM, with one exception: my domain controller is not capturing/sending any data. I have followed this as my guide for the setup: https://docs.cribl.io/stream/usecase-edge-stream. The other 4 servers are working as expected, but the domain controller is not.

I dug around and found, at the end of the article https://docs.cribl.io/edge/sources-windows-event-logs, that it says to check the permissions on a registry key and make sure it has read rights. I checked that and still see no data. I have checked the logs found under programdata\cribl\ and nothing jumps out.

  1. Cribl is now accounting for 40 GB of space on that DC in the span of 3 days; what is causing the folder to grow?
  2. What other steps are needed to get the event logs (specifically the Security logs) to flow? When I look at the "destination" -> cribl_tcp -> status, there are never any events in buffer, sent bytes, etc.