Log collectors, authentication on Windows environments

Hi,

When setting up the event source for e.g. Active Directory per Active Directory | InsightIDR Documentation and you use WMI, what kind of authentication protocol is used? As far as I can tell it is using NTLM. We are currently in the process of eliminating all NTLM authentication in favor of Kerberos. It is also the case where it uses SMB to get a log file in e.g. Microsoft DNS, but I cannot seem to find anything that says the log collector would support Kerberos in the various event sources where it uses WMI or SMB.

Any help would be much appreciated.

We currently only support NTLM; adding support for Kerberos is something we have an open enhancement request for.

This is one of the reasons we use log shipping via NXLog instead.

It would be good to know when Kerberos is available.

Is there any update on this, especially in light of Microsoft pushing everyone to disable NTLM completely? In our environment, InsightIDR is the only product that still uses NTLM V2 to connect to our domain controllers.

Same question here, for SQL Auditing. @david_smith, any update to share please?

We currently only support NTLM; I don’t have an ETA on when we will support Kerberos.

Thanks for your answer (it’s really sad that a security tool is using old protocols). So I guess we have to try NXLog.