Channel: Support Portal
Viewing all 217 articles

File Audit not working


We are in the process of setting ADAudit Plus up in our environment. Yesterday I worked with support for a while and they indicated that group policy was not setting the audit policies correctly on the server. I finally figured out that a setting in the ADAuditPlus group policy that the software created had to be changed and then it started auditing events.

My problem now is that some file\folder actions appear to register with the console and some do not. I have only 1 share, which is a test share, that is currently being audited. This afternoon I have tested renaming a file, deleting a file and moving files and folders, and these actions are not being registered. The support tech I worked with yesterday changed my Security log size to 700MB and it is only currently at 50MB used, so size and events overwriting is not a problem.

To focus on one specific test, I tested deleting a file:

- Verified that server is showing correct auditpol settings using "auditpol.exe /get /category:*"

- Verified that SACLS are correctly applied to the shared folder

- Deleted a file from the shared folder 

- Verified presence of Security Log entry showing file was deleted

- Manually initiated data collection for share in question under Configured Servers->Windows File Server

- Checked both Files Deleted report and All File or Folder Changes report and no entries exist for deleted file


I would appreciate any assistance as we would really like to get this configured and begin using it, but first have to know that it is working and reporting correctly.

Thanks in advance


Re : File Audit not working

Technically, ADAudit Plus can't skip any significant events on an event fetch interval unless a couple of the following variables are to be considered.

1. Product isn't running for a while within the time events could have been overwritten
2. Size of the security log is low where 'Overwrite older events' happens very fast 
3. SACLs are not set properly as recommended 
4. Concerned shared folder is not added for monitoring in the tool 

Having said that, and since most of the initial troubleshooting steps have already been done, we request screenshots of a few of the configured settings:

1. Result of the following command on the added File server,

auditpol /get /subcategory:"Object Access" 

2. SACLs applied for the intended shared folder

3. Security log properties 

4. Please ensure the software is running as a Windows service on the machine where ADAudit Plus is installed

Regards,
ADAudit Plus Team


Re : File Audit not working


Thank you for the assistance. I attempted to post screenshots but it would not let me publish, indicating maximum length exceeded. Here are the requested items as an attachment.









Re : File Audit not working

Thank you for sharing the details. Please let us know how far back events could hold in the event viewer. You can find that by correlating the time-stamp of first and last event of the security log. 

Besides that, we would like to know the 'Event fetch interval' configured for the file server in the tool. 

It seems the security log might have been overwriting pretty soon as there could be some unwanted events occupying the room. 

Regards,
ADAudit Plus Team
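
The checks discussed in this thread (audit policy, SACLs, Security log size and retention window, and whether the delete actually reached the log) can be collected in one pass on the file server. This is an added example, not from the thread or from ManageEngine; `$SharePath` and `$FetchIntervalMinutes` are placeholders, and event ID 4663 with the DELETE access bit 0x10000 are standard Windows values that do not appear in the thread.

```powershell
# Added example: run in an elevated PowerShell session on the audited file server.
param(
    [string]$SharePath = 'D:\Shares\TestShare',  # placeholder: local path behind the share
    [int]$FetchIntervalMinutes = 60              # placeholder: interval configured in the tool
)

# 1. Effective audit policy ("Object Access" is a category, so /category is used)
auditpol.exe /get /category:"Object Access"

# 2. SACL on the folder; Get-Acl only returns audit rules when -Audit is given
$sacl = (Get-Acl -Path $SharePath -Audit).Audit
if (-not $sacl) { Write-Warning "No audit entries (SACL) found on $SharePath" }
$sacl | Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 3. Security log size, overwrite mode and how far back it currently reaches
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$window = $newest.TimeCreated - $oldest.TimeCreated
[pscustomobject]@{
    MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
    UsedMB      = [math]::Round($log.FileSize / 1MB)
    LogMode     = $log.LogMode
    OldestEvent = $oldest.TimeCreated
    WindowHours = [math]::Round($window.TotalHours, 1)
} | Format-List
if ($window.TotalMinutes -lt $FetchIntervalMinutes) {
    Write-Warning 'Log window is shorter than the fetch interval; events can roll over before collection.'
}

# 4. Object-access events (4663) from the last hour that requested DELETE under the share
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Turn the event's named <Data> fields into a hashtable
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $mask = [Convert]::ToInt32($d.AccessMask, 16)   # AccessMask is a hex string such as 0x10000
    $name = [string]$d.ObjectName
    if ($name.StartsWith($SharePath, [StringComparison]::OrdinalIgnoreCase) -and ($mask -band 0x10000)) {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $d.SubjectUserName
            Object = $name
            Access = $d.AccessMask
        }
    }
} | Format-Table -AutoSize
```

If step 4 lists the test deletion but the reports stay empty, the event was written and is still within the log window, which points at collection rather than at audit policy or SACLs.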

Re : File Audit not working

Currently the logs go back 5 days to 9/16/16 at 2:25 p.m.

Re : File Audit not working

We would like to take a look ourselves remotely. Please send an email to support@adauditplus.com referring to this discussion so we'd have a session.

PostgresSQL server failed

I'm trying to upgrade an existing Win2008 ADAudit server and keep getting an information popup window stating "Trying to start PostgresSQL sever failed at installation". After which the ManageEngine service won't restart w/ a service-specific error "Incorrect function". Snapshot reversion fixed the second issue. Suggestions for resolving the first issue so I can successfully upgrade?

Account Lockout Analyzer

I get this error on any users with locked-out accounts. I get no data on devices as well. A lot of our clients are now devices like phones and Apple iPads. I would like to track down devices by IP if I can't find them as Windows machines.


Re : PostgresSQL server failed

Please follow the steps given below to configure explicit permissions over ADAudit Plus installation directory for the account used by the tool.

1. Go to the install location, e.g. C:\Program Files (x86)\ManageEngine\ADAudit Plus\
2. Right click on 'ADAudit Plus' folder -> properties
3. Edit the ACEs (permissions), add the user account which is being used by the tool and provide that with 'Full control' over the installation directory
4. Stop ADAudit Plus service 
5. Open task manager -> terminate the processes corresponding to the tool (java.exe, postgres.exe, wrapper.exe)
6. Open command prompt (Run as Administrator)
7. Proceed to perform the upgrade as instructed 

Hope it helps. 

Regards,
ADAudit Plus Team

Re : Account Lockout Analyzer

We are currently working on enhancing the ability of the feature to extract information out of mobile devices as well. We'd keep you posted. As of now, if we could see any valid entry under 'Caller machine name' and if it was a Windows computer, ADAudit Plus would be able to analyze the details of the situation.

Regards,
ADAudit Plus Team

Re : Account Lockout Analyzer

Yeah, I can see any messages that have Caller Machine name and can track them down; it's just devices... mobile phones, Apple devices, Droid devices. Haven't found another way to track them down at this point. Are there any other applications around that can do this? I get the information I need for auditing with your software for the rest.

Large Database


Hi

I have a problem with the database (SQL 2008 R2). The database grows and grows, above 85 GB. What can I do, to shrink the database?

Kind Regards

Re : Large Database

Well, do you have archiving enabled in the product?

Re : Account Lockout Analyzer

I don't think there's any other legitimate tool to perform the analysis for the user lockout caused by mobile devices or any other anomalous entity. That's actually one of the major reasons for us to have started to work on enhancing that feature. 

Re : Large Database

Please configure 'Archiving' to restrict the database growth as follows,

1. Go to Admin tab -> Archive Events 
2. Enter number of days you wish to keep the data in the database for live reporting 
3. Save the settings

The data older than number of days specified will be taken off of the database, compressed and moved to the destination, however you could still generate report off of the archives on demand. 

Regards,
Bruce,
ADAudit Plus Team

Re : Large Database

@ Bruce - 

I have enabled archiving, but the data does not seem to be removing itself from the database? The database just keeps growing in size...

ADAudit+ Starting Service - AuthenticationService Failed

Dear Manageengine Team,

We've installed ADAudit+ a while ago and it was working perfectly until today.
Suddenly the service starts and stops a few seconds afterwards.

What I see when I try to start the Service via startADAP.bat is the following:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\svc.itm.daud>cd "c:\Program Files (x86)\ManageEngine\ADAudit Plus\bin"

c:\Program Files (x86)\ManageEngine\ADAudit Plus\bin>startADAP.bat
"c:\Program Files (x86)\ManageEngine\ADAudit Plus\bin\\.."
=====================Starting ADSM Server==========================
.
===============================================================================
.
.
  SERVER_HOME: c:\Program Files (x86)\ManageEngine\ADAudit Plus\bin\\..
.
  JAVA: "c:\Program Files (x86)\ManageEngine\ADAudit Plus\bin\\..\jre\bin\java"
.
  JAVA_OPTS: -Xmx512m -Dcatalina.home="c:\Program Files (x86)\ManageEngine\ADAud
it Plus\bin\\.." -Dserver.home="c:\Program Files (x86)\ManageEngine\ADAudit Plus
\bin\\.." -Dlog.dir="c:\Program Files (x86)\ManageEngine\ADAudit Plus\bin\\.." -
Ddb.home="c:\Program Files (x86)\ManageEngine\ADAudit Plus\bin\\..\pgsql" -Djava
.library.path="c:\Program Files (x86)\ManageEngine\ADAudit Plus\bin\\..\lib\nati
ve" -Dserver.stats=10000  -Dfile.encoding="utf8" -Djava.util.logging.manager="or
g.apache.juli.ClassLoaderLogManager" -Djava.util.logging.config.file="c:\Program
 Files (x86)\ManageEngine\ADAudit Plus\bin\\../conf/logging.properties" -Dserver
.stats=10000 -Dcheck.tomcatport="true" -Dhaltjvm.on.dbcrash="true" -Duser.home="
c:\Program Files (x86)\ManageEngine\ADAudit Plus\bin\\..\logs" -Dorg.apache.cata
lina.SESSION_COOKIE_NAME=JSESSIONIDADAP  -Dhttps.protocols=TLSv1
.
.
===============================================================================
.
Starting Server from location: C:\Program Files (x86)\ManageEngine\ADAudit Plus
This copy is licensed to WH IT Services GmbH

Modules already Populated

Persistence                                       [ LOADED ]
SQNS                                              [ LOADED ]
Audit                                             [ LOADED ]
Authentication                                    [ LOADED ]
Authorization                                     [ LOADED ]
CustomView                                        [ LOADED ]
TaskEngine                                        [ LOADED ]
Tomcat                                            [ LOADED ]
adap                                              [ LOADED ]
adsf                                              [ LOADED ]

Creating Services
CacheService                                      [ CREATED ]
AuthenticationService                             [ CREATED ]
AuthorizationService                              [ CREATED ]
TaskEngineService                                 [ CREATED ]
WebService                                        [ CREATED ]
ADAPService                                       [ CREATED ]
ADSFService                                       [ CREATED ]

Starting Services
CacheService                                      [ STARTED ]
AuthenticationService                             [ FAILED ]

Stopping Services
CacheService                                      [ STOPPED ]
Destroying Services
ADSFService                                       [DESTROYED]
ADAPService                                       [DESTROYED]
WebService                                        [DESTROYED]
TaskEngineService                                 [DESTROYED]
AuthorizationService                              [DESTROYED]
AuthenticationService                             [DESTROYED]
CacheService                                      [DESTROYED]


Problem while Starting Server
System halted
Press any key to continue . . .
c:\Program Files (x86)\ManageEngine\ADAudit Plus\bin>

Could you please advise what to do here ?

Thank you very much in advance.

BR,
Chris

Re : ADAudit+ Starting Service - AuthenticationService Failed

Hi Chris,

Apologies for the inconvenience,

Please upload the log files to us for further analysis. Steps to upload the log files:

1. Go to <Installation_Folder>\ADAudit Plus\logs and compress all the files to a zip archive.
3. Fill in the necessary details
4. Click on "Add Files" and select the "Zip Archive" created previously
5. Click on "Upload"

Please don't close the browser until the upload is successful.

Please note, we generally recommend starting the ADAudit Plus server as a service. Use the "InstallServiceNT.bat" under "<Installation_Folder>\ADAudit Plus\bin" to install it as a Windows service.

Re : ADAudit+ Starting Service - AuthenticationService Failed

Hi,

Thank you for your response.

I've uploaded the file.
The link is here: Logs

Thank you in advance and BR,
Chris

Re : ADAudit+ Starting Service - AuthenticationService Failed

Hi,

Do you already have any information for me after reading through the log files?

Thank you very much in advance.

BR,
Chris