Hi, new here. We have been configuring Active Directory as an event source, but now we want to deploy the agent on AD instead of the event source.
I went through the documentation & I think we can get additional logs through the agent, like logons/logoffs of users.
But what do you suggest? Which would be the better approach? Has there been any time the agent failed to collect all the logs? Would that be a problem?
We suggest the event source method. The main benefit of using the WMI event source is that the entire Security log gets collected and sent to the Raw Log logset (along with other logs such as AD Admin Activity, Asset Authentication and Host to IP Observations).
We recommend leaving the Insight Agent Domain Controller events setting turned off, and having the agent installed on all DCs.
See here Active Directory | InsightIDR Documentation
A major caveat against using the agent in lieu of the WMI event source is that the agent is much more likely to drop events on a busy domain controller; by busy we mean over 1 million events per day, roughly.
On the other hand the WMI method has been observed to exceed 30 million events per day.
David
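As an added example (not from the thread, and not Rapid7's own tooling), one way to check whether a DC is in the "busy" range David describes is to estimate the Security log's event rate from its oldest and newest record IDs rather than reading every event. It assumes it runs on the DC with rights to read the Security log.

```powershell
# Estimate Security-log events per day on this domain controller.
# Uses only the newest and oldest record (cheap, even on a busy DC)
# rather than enumerating the whole log.
# Assumption: run locally on the DC with rights to read the Security log.
$Threshold = 1000000   # "busy DC" figure quoted in the thread (events/day)

$Newest = Get-WinEvent -LogName Security -MaxEvents 1
$Oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest

$Span    = $Newest.TimeCreated - $Oldest.TimeCreated
$Records = $Newest.RecordId - $Oldest.RecordId
if ($Span.TotalDays -le 0) {
    throw "Security log window is too short to estimate a daily rate."
}

$PerDay = [math]::Round($Records / $Span.TotalDays)

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    WindowDays   = [math]::Round($Span.TotalDays, 2)
    EventsPerDay = $PerDay
    BusyDC       = ($PerDay -gt $Threshold)   # agent more likely to drop events
}
```

Run it on each DC before deciding; a short log window (for example right after a log clear or a small maximum log size) gives a noisy estimate, so compare against the WMI collection counts if you already have them.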
I don’t think we would exceed the event limit. So, it’s fine.
I just want to know: are the logs captured through the agent method sufficient, and are the event IDs on both methods sufficient?
Also, "This setting allows the Insight Agent to collect user logins, login failures, and password changes for all endpoints managed by domain controllers that the Insight Agent is installed on." These logs are generated by the event source method too, right? In future we want to follow one method only, not both.
We don’t want to miss any events if we go with the agent method, and we don’t want to set up a service account. Does that happen? An explanation of any scenario would be great.
Sorry if it was a dumb question!!
We were using both the agent's DC log collection and WMI. The DC log collection triggered too much impact on our DCs, so we decided to turn that part off as the WMI log collection was already collecting everything.
Just a quick note: the main drawback to this is that WMI collection does not really support automated redundancy (while the agent does).