Collecting Active Directory audit logs
Cayosoft Guardian collects Active Directory audit logs to discover additional information about changes identified in the Active Directory domains. That information includes the original time of the change and the initiator's information. When an Active Directory domain is added to Cayosoft Guardian, configuration steps are performed to ensure that AD event logs contain the required information.
Cayosoft Guardian collects information about all recent changes from Active Directory in two steps:
- Cayosoft Guardian connects to a preferred domain controller to retrieve recent operations performed in Active Directory since the last backup. It creates change history records representing changes in Active Directory without information about the initiator.
- To populate the initiator for every change history record from the Active Directory, Cayosoft Guardian collects events from the event log on every domain controller.
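The second step, read from a defender's side: the same per-domain-controller event collection can be reproduced with standard tooling to confirm that the domain controllers actually emit change events with an initiator. The following PowerShell is an added example and is not Cayosoft's code; it assumes the RSAT ActiveDirectory module, remote event-log access to each domain controller, and uses the standard Directory Service Changes security events (5136 attribute modified, 5137 object created, 5141 object deleted). The 24-hour window is an arbitrary constructed value.

```powershell
# Added example (not Cayosoft Guardian code): collect directory-change events from
# every domain controller and reduce them to "who changed what, when" records.
# Assumes: RSAT ActiveDirectory module, permission to read the Security log remotely.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)          # constructed lookback window
$dcs   = (Get-ADDomainController -Filter *).HostName

# Security event IDs from the "Directory Service Changes" audit subcategory
$changeEventIds = 5136, 5137, 5141

$records = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = $changeEventIds
        StartTime = $since
    }

    foreach ($evt in $events) {
        # The interesting fields live in <EventData><Data Name="...">; read them by name.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            DomainController = $dc
            TimeCreated      = $evt.TimeCreated          # time the DC logged the change
            EventId          = $evt.Id
            Initiator        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ObjectDN         = $data['ObjectDN']
            ObjectClass      = $data['ObjectClass']
            Attribute        = $data['AttributeLDAPDisplayName']   # present on 5136 only
            Operation        = $data['OperationType']              # present on 5136 only
        }
    }
}

# Domain controllers that returned nothing in the window deserve a second look:
# either no changes were replicated through them, or auditing is not producing events there.
$quietDcs = $dcs | Where-Object { $_ -notin ($records.DomainController | Select-Object -Unique) }
if ($quietDcs) { Write-Warning "No change events collected from: $($quietDcs -join ', ')" }

$records | Sort-Object TimeCreated | Format-Table -AutoSize
```

Each record pairs an object DN and timestamp with the initiator, which is exactly the information a replication-based change record lacks and what the event-log pass supplies. Because an object can be modified on any writable domain controller, querying only the preferred domain controller would miss changes originated elsewhere, which is why every domain controller has to be visited.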
To collect these events, Audit must be enabled, either when the Active Directory domain is added or later via the Active Directory domain settings.
Enabling Audit
When the Audit switch is set to Enabled for an Active Directory domain, Cayosoft Guardian adds the necessary audit access control entries (ACEs) to the domain's system access control list (SACL); find more information about ACE and SACL with the links below. Once the access control entries are added, a domain controller generates an event every time one of the audited operations is performed on an Active Directory object.
Find more information about ACE and SACL here:
Permissions added in Active Directory by Guardian
- Principal: Everyone
- Flags: ContainerInherit | SuccessfulAccess
- Rights: Delete | DeleteChild | DeleteTree | WriteProp | CreateChild | WriteDac | WriteOwner
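An administrator will usually want to verify that this entry is really present on the domain naming context, and that it is the only thing granted (an audit ACE changes what is logged, not who may do what). The following PowerShell check is an added example, not Cayosoft's code. It assumes the RSAT ActiveDirectory module and the right to read SACLs ("Manage auditing and security log"). The ADSI right names used on this page map to the .NET ActiveDirectoryRights names WriteProperty and WriteDacl.

```powershell
# Added example (not Cayosoft Guardian code): confirm the audit ACE described above
# exists on the domain root. Assumes RSAT ActiveDirectory module and SeSecurityPrivilege.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
# -Audit is required, otherwise Get-Acl returns the DACL only and .Audit is empty
$acl = Get-Acl -Path "AD:\$domainDn" -Audit

# Rights from the documentation, in .NET enum spelling (WriteProp -> WriteProperty, WriteDac -> WriteDacl)
$expectedRights = [System.DirectoryServices.ActiveDirectoryRights] `
    'Delete, DeleteChild, DeleteTree, WriteProperty, CreateChild, WriteDacl, WriteOwner'

$matching = $acl.Audit | Where-Object {
    $_.IdentityReference.Value -eq 'Everyone' -and
    $_.AuditFlags -eq [System.Security.AccessControl.AuditFlags]::Success -and
    (($_.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit) -ne 0) -and
    (($_.ActiveDirectoryRights -band $expectedRights) -eq $expectedRights)
}

if ($matching) {
    Write-Output "Audit ACE present on $domainDn :"
    $matching | Format-List IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceFlags, IsInherited
} else {
    Write-Warning "Expected audit ACE for 'Everyone' not found on $domainDn"
}

# Sanity check: the SACL is an audit rule set only; confirm no DACL grant to Everyone slipped in.
$everyoneGrants = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
if ($everyoneGrants) { Write-Warning "DACL contains Allow entries for Everyone; review them:"; $everyoneGrants | Format-List }
```

One caveat the SACL alone does not cover: domain controllers only turn these audit entries into Security-log events when the Directory Service Changes audit subcategory is enabled in their audit policy (`auditpol /get /subcategory:"Directory Service Changes"` shows the effective setting). If the ACE is present but no events appear, check that policy before suspecting the SACL.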