Windows Security Log Event ID 5136 not captured in InTrust

Hi,

We are gathering all domain controller security logs. We have enabled domain controller auditing via GPO.

However, when searching for the particular event ID 5136, it is not displayed in the repository report. This is happening after migrating InTrust from version 11 to 11.3.

We are using 2016 AD for business. Is there any additional configuration required for capturing 5136: A directory service object was modified? Please assist.

  • Hi mcsebala,

    No additional configuration is required for capturing 5136.

    First of all, please check that the event is there, I mean that your GPO is correct and event 5136 can be observed in Windows Event Viewer on that DC.

    Second, which method of collecting do you use? If scheduled gathering via InTrust Manager, please check if any filters are in place in the gathering policy; they might prevent events from being collected. If you are using real-time collection via InTrust Deployment Manager, then events are collected without filters.

    Third, check if you are searching in the right repository and also which filters are applied in the Repository Viewer. It's better to create the simplest filter: 1. click on the root node in the tree on the left, 2. click "Add or Remove Parameters" in the Search Filter at the bottom, 3. pick "Event ID" from the Primary category, 4. type 5136 in the "Event ID" filter box, 5. click ">Go".

  • No real-time collection configured. We are using gathering only for collecting the logs.

    My domain controller creates the 5136 logs. In the repository report I am able to view 3-month-old 5136 event logs.

    Recent 5136 event logs are not coming up when I generate the report.

  • If you use scheduled gathering, please check if any filters are in place in the gathering policy preventing 5136 events from being collected.

    Also, let's try to use the special tool instead of Repository Viewer. Please download the attachment and unpack it in any folder on the InTrust Server. Please edit the name of the repository inside the SearchFor5136.cmd file. E.g. if your repository name is "My Production Repo", the command should be:

    repquery.exe ncacn_ip_tcp:localhost[8340] "My Production Repo" "(EventID = 5136);" > Events5136.xml

    Run the cmd and check the result file Events5136.xml.

    If it contains the same results as Repository Viewer report, then the root cause of your problem is within your gathering policy filter.

    If it contains all 5136 events you expect, then the root cause of your problem is within your Repository Viewer filter.

    RepQuery.zip
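    The comparison described above (what the export holds for 5136 versus what you expect), as an added example written for this page and not part of the thread or of the RepQuery tool: it parses an exported event file, keeps only Event ID 5136, and flags a collection gap when the newest 5136 event is older than a threshold. It assumes the export follows the standard Windows Event XML schema (repquery's real output format may differ) and uses a constructed sample in place of Events5136.xml.

```python
# Added example, not code from the thread or from the RepQuery/InTrust tools.
# Assumption: the export uses the standard Windows Event XML schema.
from collections import Counter
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample standing in for Events5136.xml: two months-old 5136 events
# and one unrelated, more recent 4662 event that must be ignored.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>5136</EventID><TimeCreated SystemTime="2019-08-15T10:00:00.000Z"/></System>
<EventData><Data Name="ObjectClass">group</Data><Data Name="AttributeLDAPDisplayName">member</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>5136</EventID><TimeCreated SystemTime="2019-09-02T08:30:00.000Z"/></System>
<EventData><Data Name="ObjectClass">computer</Data><Data Name="AttributeLDAPDisplayName">distinguishedName</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4662</EventID><TimeCreated SystemTime="2019-11-30T12:00:00.000Z"/></System>
<EventData/></Event>
</Events>"""

# Constructed "today" used when checking the sample for a gap.
REFERENCE_NOW = datetime(2019, 12, 1, tzinfo=timezone.utc)

def parse_5136(xml_text):
    """Return (time, ObjectClass, AttributeLDAPDisplayName) for each 5136 event."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5136":
            continue  # other event IDs are dropped, as the repquery filter does
        raw = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        when = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        out.append((when, data.get("ObjectClass"), data.get("AttributeLDAPDisplayName")))
    return out

def coverage_report(events, now, max_gap_days=7):
    """Summarise the 5136 events; 'gap' is True when the newest one is too old."""
    latest = max(e[0] for e in events) if events else None
    return {
        "count": len(events),
        "latest": latest,
        "gap": latest is None or now - latest > timedelta(days=max_gap_days),
        "by_class": Counter(e[1] for e in events),      # what kinds of objects changed
        "by_attribute": Counter(e[2] for e in events),  # which attributes changed
    }
```

    A gap in the export but not in Event Viewer on the DC points at the gathering side; a gap in Repository Viewer only points at its filter.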

  • Sir, I tried your commands and got the below info.

    C:\Users\admin\Desktop\RepQuery>RepQuery.exe ncacn_ip_tcp:localhost[8340] "InTrust_Repository" "(EventID = 5136);" > Events5136.xml

    The system cannot find the file specified

    F:\InTrust_Repository is my InTrust path.

    my server: prodintrust

    domain: BB.com

    Please provide assistance

  • No, not the folder name, but the name of the repository taken from Quest InTrust Manager | Configuration | Data Stores | Repositories.

  • C:\Users\admin\Desktop\RepQuery>repquery.exe ncacn_ip_tcp:localhost[8340] "\\prodintrust.bb.com\InTrust_Repository" "(EventID = 5136);" 1>Events5136.xml
    The system cannot find the file specified.

    Still getting the same error.

    Correct me, please.

  • I cannot do this because I do not see your desktop. Please share a screenshot of Quest InTrust Manager | Configuration | Data Stores | Repositories.

  • Hi,

    As we started capturing the 5136 events, the repository became full and is running out of space. We have now filtered event ID 5136 with some filters to capture only events such as changes to global group membership, computer movement changes, etc. Now we want to delete/purge the data captured without filtering.

  • Hi mcsebala,

    Sorry for the delay, we've spent some time preparing a tool for you. The InTrust repository is a kind of storage intended to keep your data safe for years, so there is no such feature as deleting/purging data from it. But you can copy the existing repository to another one with filters instead. Surely you need to provide plenty of space in the destination folder (at least equal to the current repository size). Please try the tool from the attachment. The example command might be the following:

    RepositoryCopy.exe -j 5136 "\\SERVER\SHARE\REPOSITORY" "\\SERVER\SHARE\REPOSITORY-5136"

    • Run the tool and wait for the repository REPOSITORY-5136 to be created.
    • Attach it to the InTrust server and, if you use indexing, wait until the indexing has finished.
    • Check that all data is in place.
    • Switch production to the new repository. The easiest way to do this is to substitute the path of the existing Repository configuration object, I mean go to your production Repository properties and change the path to the new one (e.g. "\\SERVER\SHARE\REPOSITORY" => "\\SERVER\SHARE\REPOSITORY-5136").
    • To make sure there was no data gap, you might also want to consolidate the data from the old repository to the new one for the period of transition, from the moment you started the transition procedure to the moment you finished it.

    20191201-RepositoryCopy.zip

    And please mark this thread as solved, since you already know that Event ID 5136 can be easily captured by InTrust :)