7

I am looking for a method to log LDAP access of an Active Directory domain controller. I want to be able to log the username and source IP address for access to both 389 and 636 (encrypted).

A simple packet capture would get me the source IP, but getting the username will not be possible over LDAPS, so I am hoping there is some built-in auditing/debug/logging feature in Windows that will give me this information.

Zoredache
  • I know you can enable diagnostic logging, but I don't think it's what you're looking for: http://support.microsoft.com/default.aspx?scid=kb;en-us;314980 – Chris S Oct 20 '10 at 19:30

5 Answers

7

The Windows Security event log does track this, but it isn't easy to extract out of the firehose. The key markers of an LDAP login:

  • EventID: 4624
  • SubjectUserSID: S-1-5-18

The details will be lurking in these XML elements:

  • TargetUserName
  • IPAddress

If you're viewing things in the decoded text-view, the key markers are:

  • EventID: 4624
  • Network Information -> Workstation Name = name of the LDAP Server

The details will be:

  • Network Information -> Source Network Address
  • New Logon -> Account Name

The key thing that differentiates these login events from regular login events is that the LDAP binds are in effect logging in TO the domain controller in question. That's why the "Workstation Name" field is filled in.

Phrasing the search to get these events will prove tricky.

sysadmin1138
  • This is all very helpful, but apparently this is logged differently between 2003 and 2008. I don't suppose you know what I should be looking for in the 2003 events to identify LDAP access? – Zoredache Oct 22 '10 at 22:34
  • @zoredache I don't have any 2003 DCs anymore, so I can't check. I'm sorry. – sysadmin1138 Oct 22 '10 at 22:57
  • Ah, I am working on killing off my last two, which is partly why I was curious what things are speaking LDAP to these DCs. – Zoredache Oct 22 '10 at 23:31
  • In general, you can get the analogous Server 2003 security event ID by subtracting 4096 from the Server 2008 event ID. In this case, you end up with an event ID of 528. http://windowsitpro.com/systems-management/q-how-can-i-find-windows-server-2008-event-ids-correspond-windows-server-2003-eve – bshacklett Dec 16 '14 at 16:08
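
One way to phrase that search, as an added example that is not sysadmin1138's code: an XPath filter on the markers listed in the answer (EventID 4624, SubjectUserSid S-1-5-18, WorkstationName equal to the DC's own name), with the TargetUserName and IpAddress fields read by name from the event XML. Save it as a .ps1 and run it on the domain controller; $MaxEvents and $OutCsv are assumed defaults.

```powershell
# Added example (not sysadmin1138's code): select the 4624 events carrying the
# markers listed above and tabulate who bound from where. Run on the DC itself.
# $MaxEvents and $OutCsv are assumed defaults, not values from the answer.
param(
    [string]$DcName = $env:COMPUTERNAME,
    [int]$MaxEvents = 50000,
    [string]$OutCsv = "$PSScriptRoot\ldap_logons.csv"
)

# Select inside the event-log service with an XPath filter so the firehose is
# trimmed before the records reach PowerShell.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4624]]
      and *[EventData[Data[@Name='SubjectUserSid']='S-1-5-18']]
      and *[EventData[Data[@Name='WorkstationName']='$DcName']]
    </Select>
  </Query>
</QueryList>
"@
$events = Get-WinEvent -FilterXml $filterXml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Read EventData fields by name from the event XML; positional Properties[]
    # indices differ between event IDs and are easy to get wrong.
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIP    = $data['IpAddress']
        LogonType   = $data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
    }
}

# One row per account/source pair with a count and the last time it was seen.
$summary = $rows | Group-Object Account, SourceIP | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Group[0].Account
        SourceIP = $_.Group[0].SourceIP
        Logons   = $_.Count
        LastSeen = ($_.Group | Sort-Object Time)[-1].Time
    }
} | Sort-Object Logons -Descending
$summary | Export-Csv -Path $OutCsv -NoTypeInformation
$summary | Format-Table -AutoSize
```

Any other network logon to the DC (SMB to SYSVOL, for instance) carries the same markers, so read the list as "authenticated to this DC over the network" and cross-check against port-level data where LDAP specifically matters.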
0

10 years passed, but the question asked is still relevant :)

I have created a "collecting NETSTAT" PowerShell script. It runs netstat in a loop until you press Ctrl+C or until the number of iterations (specified in parameters) is reached, and collects distinct data about "client IP"/"connection protocol". Upon completion it generates .txt and .csv files containing the IPs of clients connected on each protocol during the run. Unfortunately it doesn't show usernames, only IPs.

Link to script: https://it4it.solutions/2021/08/19/collecting-netstat/

0

You need usernames.

From my experience, parsing the Windows security event log is a very ignoble task. Even MS field engineers sometimes don't know what some events mean.

You can play with the filter parameters. Currently it gathers 4624 and 4625 events, filters on SID length > 10 symbols (to get rid of the so-called well-known SIDs), and takes the last 100000 records (if you need "unlimited", change it to 10000000). I have tested it on Windows Server 2019; works well.

Here is the script:

[string]$pathToSaveFiles = $PSScriptRoot + "\"
$PSOobj4CSV = @()
$nrOfLogRecordsToProcess = 10000
$hostname = $env:computername

$CurrDateTimeStr = [DateTime]::Now.ToString("yyyyMMdd-HHmmss")
$pathToCSV = "$($pathToSaveFiles)$($CurrDateTimeStr)_$($hostname)_ldap_users_IPs.csv"
Write-Host "Fetching records..."
# -MaxEvents stops reading once enough records are fetched instead of pulling the whole log first
$eventList = Get-WinEvent -FilterHashtable @{logname='security'; id=4624,4625} -MaxEvents $nrOfLogRecordsToProcess
$i = 1
$recordCount = $eventList.count
foreach ($currEvent in $eventList) {

  if ($currEvent.Properties[4].Value.Value.Length -gt 10) { # if TargetUserSid is more than 10 symbols (skips well-known SIDs)
    # The positional layout differs per event: IpAddress is Properties[18] in 4624
    # but Properties[19] in 4625 (where [18] is ProcessName)
    $ipIndex = if ($currEvent.Id -eq 4625) { 19 } else { 18 }
    $PSOline = [pscustomobject]@{
        'Time'        = $currEvent.TimeCreated.ToString()
        'AccountName' = $currEvent.Properties[5].Value
        'IP'          = $currEvent.Properties[$ipIndex].Value
    }
    Write-Host "Record $i from $recordCount time: $($PSOline.Time) AccountName: $($PSOline.AccountName) IP: $($PSOline.IP)"
    $PSOobj4CSV += $PSOline
  }
  $i++

}
$PSOobj4CSV | Export-Csv $pathToCSV -NoTypeInformation -Append -Force
Write-Host "Info written to $pathToCSV file"
Dave M
0

Old question I know, but take a look at ADInsight: https://technet.microsoft.com/en-us/sysinternals/adinsight.aspx

Steve Gore
0

For only port info,

netstat 1 -an | findstr ":389"

OR

netstat 1 -an | findstr ":636"

The leading 1 is the [<Interval>] parameter:

Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.

Ivan Chau