1-949-407-5125
ALE is showing an audit status of "Logon auditing is disabled, some functionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy settings for this DC.". This has been working properly for quite some time. I suspect it has something to do with installing a trial of Netwrix Auditor. That product is showing when an account gets locked out, but ALE is not.
Audit Status - Logon auditing is disabled
Started by
ddockter
, Apr 19 2018 04:08 PM
6 replies to this topic
#2
AndreyK
-
- Members
-
- 15 posts
Member
Posted 23 April 2018 - 09:51 AM
Hello,
Did you check this article: https://www.netwrix.com/kb/1571 ?
This might have to do with Advanced Audit Policy settings vs Basic ones. ALE is checking Basic settings while Netwrix Auditor by default configures Advanced: https://helpcenter.n.../AD_Manual.html
The best way to check if auditing is configured on the DC is running an elevated command prompt and executing the following command: auditpol /get /category:*
Note that your DC must be 2008 or newer to run this command.
However I still find it strange that ALE has stopped showing lockouts since it shouldn't really matter which policies are configured - the most important thing is that events are logged. Please check if Security Event logs on your DCs are logging the following event ids: https://www.netwrix.com/kb/1348
Hope this helps.
AndreyK
#3
ddockter
-
- Members
-
- 4 posts
Newbie
Posted 24 April 2018 - 04:24 PM
Below are the results of auditpol /get /category:*.
F:\>auditpol /get /category:*
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change Success and Failure
Logon/Logoff
Logon Success and Failure
Logoff Success and Failure
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events Success and Failure
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection Failure
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations Success and Failure
Other Account Logon Events No Auditing
Kerberos Authentication Service Success and Failure
Credential Validation Success and Failure
#4
AndreyK
-
- Members
-
- 15 posts
Member
Posted 24 April 2018 - 04:34 PM
ALE relies on events from the Account Management / User Account Management subcategory which is set to 'No Auditing' as per auditpol.
Please enable that subcategory (or the whole Account Management category) for Success on all DCs and see if it helps.
AndreyK
#5
ddockter
-
- Members
-
- 4 posts
Newbie
Posted 24 April 2018 - 06:14 PM
Below is the audit policy now. ALE is still showing the "Logon auditing is disabled" message.
Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.
F:\>gpupate /force
'gpupate' is not recognized as an internal or external command,
operable program or batch file.
F:\>gpupdate /force
Updating Policy...
User Policy update has completed successfully.
Computer Policy update has completed successfully.
F:\> auditpol /get /category:*
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change Success and Failure
Logon/Logoff
Logon Success and Failure
Logoff Success and Failure
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events Success and Failure
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection Failure
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management Success
Computer Account Management Success
Security Group Management Success
Distribution Group Management Success
Application Group Management Success
Other Account Management Events Success
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations Success and Failure
Other Account Logon Events No Auditing
Kerberos Authentication Service Success and Failure
Credential Validation Success and Failure
F:\> auditpol /get /category:*
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change Success and Failure
Logon/Logoff
Logon Success and Failure
Logoff Success and Failure
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events Success and Failure
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection Failure
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management Success
Computer Account Management Success
Security Group Management Success
Distribution Group Management Success
Application Group Management Success
Other Account Management Events Success
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations Success and Failure
Other Account Logon Events No Auditing
Kerberos Authentication Service Success and Failure
Credential Validation Success and Failure
F:\>
#6
ddockter
-
- Members
-
- 4 posts
Newbie
Posted 24 April 2018 - 08:28 PM
I just got an Account Lockout email from ALE so this appears to be working despite the "Logon auditing is disabled" message still being present.
#7
AndreyK
-
- Members
-
- 15 posts
Member
Posted 26 April 2018 - 12:18 PM
If you are confident that auditing is properly configued on your DCs (and your auditpol looks correct), you can disable audit checks in ALE which should remove the error message from the status bar. Please see the last section of https://www.netwrix.com/kb/1571
