  1. #1
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    29

    No User API Events with AD Monitor

    UT Build: 13.2.1
    AD Monitor 1.10.29
    Single Windows Server 2008 R1 DC/AD

    I support a school and they have been running UT with Logon Scripts connector for a number of years.

    Following some isolated performance issues with the scripts, today I tried to install AD Monitor for them.

    I installed AD Monitor and when the TEST button is clicked it reports "SUCCESSFUL", and I can see LOGON / UPDATE API events in the Directory Connector log for the Admtest user. However, no user events are getting into the API logs when real users log on.

    As per the installation notes, there is no option in my Local Security Policy to enable Advanced Audit Features. Given that I can see API events from the TEST button, would this behaviour be consistent with the known Audit Features issue? And if so, is there any work-around (we don't have any other AD server)?


    Thanks

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    6,967

    Do you see the computer login events on the AD server?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    29

    Thanks for the quick response. Yes, when a user logs on to a domain computer, I see several loggings as follows in Event Viewer (Security):

    Event 4768 A Kerberos authentication ticket (TGT) was requested.
    Event 4769 A Kerberos service ticket was requested.
    Event 4769 A Kerberos service ticket was requested.
    Event 4769 A Kerberos service ticket was requested.
    Event 4624 An account was successfully logged on.

    This same Audit sequence gets repeated for both the user and the computer, both streams show AUDIT SUCCESS.

    I have attached a screenshot of some of these loggings.

    ScreenHunter 08.jpg

  4. #4
    Untangler cblaise's Avatar
    Join Date
    Jul 2014
    Location
    Burlington, VT
    Posts
    99

    No, the test button generates a "fake" event. It doesn't send anything to the AD server to do a "true" login.

    From your log the AD server is generating event #4768 which is what the AD monitor looks for. So it certainly looks like it should be working.

    In the AD monitor install directory there should be two log files (log.txt, loginlog.txt). Do you see anything in those logs?

  5. #5
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    29

    Thanks. I can only see one logfile (log.txt) in the folder. I did not find loginlog.txt.
    I uninstalled and re-installed but no change.
    I didn't see any error messages in the log file, below is a snippet of the last few entries.

    018-07-18 23:44:21 : [2316] [Settings] _MonitorLib_SendNotify: "C:\Program Files\Untangle Active Directory Monitor\GnuWin32\wget.exe" -O NUL http://192.168.0.1:80/userapi/regist...3&action=login --no-check-certificate --tries=1 --timeout=10 --connect-timeout=5
    2018-07-18 23:59:28 : [22360] [Notify] Started
    2018-07-18 23:59:28 : [22360] [Notify] -------------------- Start Options Begin ----------------------
    2018-07-18 23:59:28 : [22360] [Notify] Untangle Active Directory Monitor Notify Version: 0.1.10.39
    2018-07-18 23:59:28 : [22360] [Notify] SendNotify : Enabled
    2018-07-18 23:59:28 : [22360] [Notify] OS : WIN_2008
    2018-07-18 23:59:28 : [22360] [Notify] OS Type : WIN32_NT
    2018-07-18 23:59:28 : [22360] [Notify] OS Build : 6002
    2018-07-18 23:59:28 : [22360] [Notify] OS Architecture : X64
    2018-07-18 23:59:28 : [22360] [Notify] Server Domain : STANDREWS
    2018-07-18 23:59:28 : [22360] [Notify] Server Name : STANADM01
    2018-07-18 23:59:28 : [22360] [Notify] -------------------- Start Options End ----------------------

  6. #6
    Untangler cblaise's Avatar
    Join Date
    Jul 2014
    Location
    Burlington, VT
    Posts
    99

    The usernames don't have dollar signs ($) in them, do they? The monitor will ignore them.

    Do you have any IP or user exemptions defined?
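
An added example, not part of any post in this thread and not Untangle's code: it parses Event 4768 records and flags account names containing `$`, which the post above says the monitor ignores. The sample events, the `EXAMPLE` domain and the function name `ConvertTo-TgtRecord` are constructed for illustration; the monitor's actual filter is not shown on this page.

```powershell
# Parse Kerberos TGT request events (ID 4768) into user / client-IP records.
# Assumption: names containing "$" are skipped by the monitor, as stated in
# the thread; this only reproduces that one check, not the monitor's logic.
function ConvertTo-TgtRecord {
    param([Parameter(Mandatory = $true)][xml]$EventXml)

    # EventData holds <Data Name="...">value</Data> pairs; index them by name.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.Name] = $d.InnerText
    }

    # 4768 often records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    $ip = $data['IpAddress'] -replace '^::ffff:', ''

    New-Object PSObject -Property @{
        User        = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        ClientIp    = $ip
        Status      = $data['Status']          # 0x0 = ticket issued
        MachineAcct = ($data['TargetUserName'] -like '*$*')
    }
}

# Constructed sample events (not taken from the thread's screenshots).
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4768</EventID></System><EventData>' +
    '<Data Name="TargetUserName">{0}</Data>' +
    '<Data Name="TargetDomainName">EXAMPLE</Data>' +
    '<Data Name="Status">0x0</Data>' +
    '<Data Name="IpAddress">{1}</Data></EventData></Event>'
$samples = ($template -f 'jsmith', '::ffff:192.0.2.10'),
           ($template -f 'LAB-PC01$', '::ffff:192.0.2.11')

$samples | ForEach-Object { ConvertTo-TgtRecord -EventXml $_ } |
    Format-Table User, Domain, ClientIp, Status, MachineAcct -AutoSize

# On the domain controller, feed live events instead of the samples:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768;
#     StartTime = (Get-Date).AddMinutes(-15) } |
#     ForEach-Object { ConvertTo-TgtRecord -EventXml $_.ToXml() }
```

Rows with `MachineAcct` set to `False` and a usable `ClientIp` are the ones to compare against the wget calls recorded in the monitor's log.txt.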

  7. #7
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    29

    Thanks. Usernames definitely do not have any $ signs in them. Below is a typical 4768 event from a user.

    There are also definitely no exemptions in the AD Monitor Setup

    ScreenHunter_722 Jul. 19 07.13.jpg

  8. #8
    Untangler cblaise's Avatar
    Join Date
    Jul 2014
    Location
    Burlington, VT
    Posts
    99

    Look at /var/log/uvm/apps.log. Tail it when logging in and see if the app is showing any kind of rejection message on logins.

  9. #9
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    29

    Thanks. I am currently supporting the school remotely, and won't be onsite for 1 week. I normally use an RDC connection to the Domain Controller and I access UT through a browser session from there.

    I don't know how to access /var/log/uvm/ from a remote session, but I did manage to find an apps.log file via the console (in System Logs.Zip, via CONFIG ==> SYSTEM ==> SUPPORT ==> DOWNLOAD SYSTEM LOGS). Is this the same log as your suggestion above? It looks somewhat verbose - are there keywords I should be looking for? (I could not find any reference to AD Monitor / API / LOGON in a text search of that file.)
    Last edited by Pilotpak; 07-19-2018 at 08:40 PM.

  10. #10
    Untanglit
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    29

    Hi, I notice that there are 2 Debug / output settings in the AD Monitor ini file that are currently set to False. Would turning these Debugs on help us get some more info on the error?
