netlogon.log

Trying to ingest the netlogon.log file into InTrust. When debugging is enabled for Netlogon (see https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service), the file is filled with information that I'd like to get into InTrust. I'm quickly realizing I don't have the chops to do an advanced data source with regular expressions. Is there any information not available in the InTrust documentation for how to import custom text logs using regular expressions? This file would be a good one for InTrust to include as a default in future releases.

Regards

Wade

  • Hi Wade,

    InTrust is able to collect simple text logs with regular expressions; the document is here: https://support.quest.com/technical-documents/intrust/11.4.1/auditing-custom-logs-with-intrust. There is a concern with this netlogon.log file: it is not that simple, since events are split across multiple lines. So my first question is, do you plan to collect all categories of events (I mean INIT, LOGON, SITE, etc.) or only some of them, and is it acceptable that each line in the file becomes a separate event? Because it is impossible to collect multi-line events out of the box at the moment.

    Thank you.

  • It would be acceptable for each line to be a separate event. My current need is to process the entire file, but it would be nice to understand how to filter based on those bracketed items in the file.

  • Hi Wade,

    I've attached a zip file containing the solution. Please follow the readme file, also described here:

    Solution

    Collect Netlogon Debug Log.
    The supported format is:
        Date Time [Category] [PID] Message
    Example:
        08/15 09:39:53 [MISC] [900] Logfile truncated because it was larger than 50000 bytes

    Notes

    1. Enable Netlogon: Nltest /DBFlag:2080FFFF, net stop netlogon, net start netlogon. Disable Netlogon: Nltest /DBFlag:0x0, net stop netlogon, net start netlogon.
    2. Due to the log rollover, collecting the live netlogon.log does not make sense, because we don't know the moment of rollover and might lose events. The workaround is to collect the backup file netlogon.bak.
    3. Please adjust the MaximumLogFileSize registry parameter and/or the task schedule period so that the task triggers more often than the file is rewritten.
    4. InTrust cannot collect multiline events or lines without a date. As a result, each line beginning with a date will represent a separate event, and lines without a date will be skipped.
    5. The line is broken into 4 parts:
        Date Time goes to "Insertion String #1" and into fields "Time" and "When"
        Category goes to "Insertion String #2" and "Category"
        PID goes to "Insertion String #3"
        Message goes to "Insertion String #4"
        The above 4 parts altogether go to "Description"
    Also, the following fields are filled in:
        Agent computer name goes to "Source Computer"
        0 goes to "Event ID"
        "Netlogon" goes to "Log"
        "netlogon debug" goes to "Source"

    Setup

    1. Create a Site in InTrust Manager which contains the network objects you want to collect Netlogon log from.
    2. Create a Repository for Netlogon log or pick one from the existing configuration.
    3. Locate the tool InTrustPDOImport.exe in the InTrust installation folder or on the InTrust DVD.
    4. Copy the cmd file and the 2 xml files to the folder where InTrustPDOImport.exe resides.
    5. Open a command prompt as administrator, under an account with InTrust Administrator privileges, and run InTrustPDOImport_ImportNetlogon.cmd (the correct result is "Import finished" twice):

    E:\Program Files (x86)\Quest\InTrust\Server\ADC\SupportTools>InTrustPDOImport_ImportNetlogon.cmd

    E:\Program Files (x86)\Quest\InTrust\Server\ADC\SupportTools>InTrustPDOImport.exe -import "Netlogon Debug Log Data Source.xml"
    Quest InTrust PDO Import Utility version 11.4.1.4837
    Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.

    Importing ...
    Import finished.

    E:\Program Files (x86)\Quest\InTrust\Server\ADC\SupportTools>InTrustPDOImport.exe -import "Netlogon Debug Log Gathering Policy.xml"
    Quest InTrust PDO Import Utility version 11.4.1.4837
    Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.

    Importing ...
    Import finished.

    6. Refresh (or reopen) InTrust Manager and locate the new policy named "Netlogon Debug Log" under Gathering | Gathering Policies | Microsoft Windows Network.
    7. Right-click it and choose "Apply to Site". Pick the Site created in step 1. Create a new schedule. To run the task every hour, set "Repeat Task every 1 hour, with duration 24 hours".
    8. Enable schedule.
    9. Pick the repository to collect to.
    10. Finish the wizard and commit all changes (right click on Quest InTrust Manager root node, Commit).
    11. After the first successful gathering session, open Repository Viewer and observe the repository you collect to. Create a custom Search with a layout containing the fields mentioned in note #5.

    3125.NetlogonDebugLog.zip
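
    As an added example (my own code, not part of the thread above or of the attached zip), here is a small Python parser for the "Date Time [Category] [PID] Message" format described in the solution. It reproduces the behaviour of note #4 (lines without a date are dropped) and note #5 (the four-part split into insertion strings), and it also answers Wade's question about filtering on the bracketed items by taking a set of categories. A `join_continuations` switch shows the multi-line handling that InTrust cannot do out of the box. Two things are assumptions of mine: the sample log text is constructed, not a real capture, and the regex also accepts a "[PID.TID]" bracket because some Windows builds write the thread id after the process id.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# One netlogon.log record, the format the attached data source expects:
#   Date Time [Category] [PID] Message
# The optional ".TID" after the PID is an assumption on my part: some Windows
# builds write "[PID.TID]" instead of "[PID]", and the regex accepts either.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<category>[A-Z_]+)\] \[(?P<pid>\d+)(?:\.(?P<tid>\d+))?\] ?(?P<message>.*)$"
)


@dataclass
class NetlogonEvent:
    date: str
    time: str
    category: str
    pid: int
    message: str
    raw: str  # the complete original line(s); note #5 calls this "Description"

    def intrust_fields(self) -> Dict[str, object]:
        """Lay the record out the way note #5 says the data source does."""
        return {
            "Insertion String #1": f"{self.date} {self.time}",
            "Insertion String #2": self.category,
            "Insertion String #3": str(self.pid),
            "Insertion String #4": self.message,
            "Category": self.category,
            "Description": self.raw,
            "Event ID": 0,
            "Log": "Netlogon",
            "Source": "netlogon debug",
        }


def parse_line(line: str) -> Optional[NetlogonEvent]:
    """Return an event for a line that starts with a date, or None otherwise."""
    line = line.rstrip("\r\n")
    m = LINE_RE.match(line)
    if m is None:
        return None
    return NetlogonEvent(
        date=m["date"],
        time=m["time"],
        category=m["category"],
        pid=int(m["pid"]),
        message=m["message"].strip(),
        raw=line,
    )


def parse_log(lines: Iterable[str],
              categories: Optional[Set[str]] = None,
              join_continuations: bool = False) -> List[NetlogonEvent]:
    """Turn netlogon.log lines into events.

    categories: keep only events whose bracketed category is in this set,
        e.g. {"LOGON", "SITE"}; None keeps everything.
    join_continuations: False reproduces what note #4 describes (a line
        without a date is skipped); True glues such a line onto the event
        before it, which is the multi-line handling InTrust cannot do
        out of the box.
    """
    events: List[NetlogonEvent] = []
    last: Optional[NetlogonEvent] = None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            if join_continuations and last is not None:
                last.message += "\n" + line.strip()
                last.raw += "\n" + line.strip()
            continue
        last = ev
        if categories is None or ev.category in categories:
            events.append(ev)
    return events


# Constructed sample in the documented format; not a real capture.
SAMPLE_LOG = (
    "08/15 09:39:53 [MISC] [900] Logfile truncated because it was larger than 50000 bytes\n"
    "08/15 09:39:54 [INIT] [900] Following are the Netlogon parameters (from the registry):\n"
    "08/15 09:39:54 [INIT] [900]    MaximumLogFileSize: 50000\n"
    "08/15 09:40:01 [LOGON] [1044] CORP: SamLogon: Network logon of CORP\\alice from WS01 Entered\n"
    "    continuation line without a date, as netlogon.log sometimes writes\n"
    "08/15 09:40:01 [LOGON] [1044] CORP: SamLogon: Network logon of CORP\\alice from WS01 Returns 0x0\n"
    "08/15 09:40:02 [SITE] [900.1048] Setting site name to 'Default-First-Site-Name'\n"
)


def logon_events(text: str = SAMPLE_LOG) -> List[NetlogonEvent]:
    """Wade's filtering question: keep only the [LOGON] lines."""
    return parse_log(text.splitlines(), categories={"LOGON"})


if __name__ == "__main__":
    for ev in logon_events():
        print(ev.intrust_fields()["Insertion String #1"], ev.pid, ev.message)
```

    Run it against netlogon.bak rather than the live netlogon.log for the rollover reason given in note #2; the same category set can be moved into the InTrust data source's regular expression if you only want some categories gathered in the first place.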

  • Please download the zip file from the site, not from the email; the file was updated.

  • Hi Wade, for me it would be very useful if you could share with us some of the use cases for this log. Which information do you see as the most valuable from this log? Thanks