This took me a long time to figure out, so I hope it helps others.
According to Untangle's "Active Directory Login Monitor Installation" guide (https://support.untangle.com/hc/en-u...r-Installation), only "Audit Kerberos Authentication Service" needs to be enabled in Local Security Policy in order to send login events to Untangle. This did not work for me in my environment. However, when I also enabled "Audit Other Account Logon Events", it worked.
These events are in the DC's event log (Event Viewer\Windows Logs\Security).
- Event ID: 4768
- Task Category: "Kerberos Authentication Service"
- DC: Microsoft Windows Server 2012 R2 Standard (Version 6.3, Build 9600)
- Client: Microsoft Windows 10 Pro (Version 1607, Build 14393.1066)
Note: When a user logs off, it is sent to the API as an "update" action, not a "logout" action. This means that if a local user account logs in afterwards, they will fall under the previous domain user's Untangle policy. Untangle support said this is how it is: "The update event is intended and expected. No logout events."
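Added example (not part of the original post or Untangle's documentation): a read-only PowerShell check that the two audit subcategories named above are effective on the DC and that event 4768 is actually being written to the Security log. It assumes an elevated session on the domain controller and English subcategory names.

```powershell
# Run in an elevated PowerShell session on the domain controller.
# Assumption: English subcategory names; they differ on localized systems.
$subcategories = 'Kerberos Authentication Service', 'Other Account Logon Events'

foreach ($name in $subcategories) {
    # /r makes auditpol emit CSV, which is easier to parse than the report layout.
    auditpol /get /subcategory:"$name" /r |
        Where-Object { $_ } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

# List the most recent 4768 events (Kerberos TGT requests) with the fields
# a login monitor cares about: who logged on, and from which address.
$filter = @{ LogName = 'Security'; Id = 4768 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # EventData is a list of <Data Name="...">value</Data> elements.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            ClientIP    = $data['IpAddress']
            Status      = $data['Status']
        }
    } |
    Format-Table -AutoSize
```

If the first part reports "No Auditing" for a subcategory, or the second part returns nothing after a test logon from a client, the policy change has not taken effect on that DC.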