I have multiple Domain Controllers linked in to insightidr but only one DC has the log source for admin activity. It also has no events. Do i need to change logging settings on my DC’s or something?
Hi jrivera,
Log files for event sources will only be created when InsightIDR ingests events that match the type of event category i.e asset authentication, admin activity, raw logs.
It would seem that your DC that is displaying Admin Activity, at one point did generate an event(s) that matched this criteria to be categorised as Admin Activity i.e account unlock, password reset
I recommend checking the Audit Policy currently in place across your DCs - you can follow our documentation here for steps on this - Troubleshooting Active Directory | InsightIDR Documentation
or you can also execute this command below to view the current audit policy settings for all audit policies in command line
Auditpol.exe /get /category:*
You will very clearly see if there is a category of Audit Category that is set to No Auditing such as Account Management (Admin Activity events) or Log On/Log Off (Asset Auth events) if so follow the documentation above to change to Success and/or Failure auditing.
If you need any further assistance please open a Support case and we will investigate.
Thanks
Sean