Do you have changes that are occurring in Active Directory that you want to be made aware of immediately? I know you do! When I say immediately, I don’t mean in the next 3 to 5 minutes. I mean right now.
And right now, ADAudit Plus can give you that immediate awareness thanks to a process based on Microsoft technology that Windows servers understand. The technology takes advantage of an API designed for Event Viewer, which has been available for quite a while. The technology uses a pull subscription model in which each domain controller sends a signal to the centralized server when there are events registered that match the ADAudit Plus (ADAP) query criteria.
The ADAudit Plus server, which is the collector, keeps a constant “state change” pulse on the security log on each domain controller by using this API provided by Microsoft. Once the security log changes on any of your domain controllers, the event is immediately sent to the collector. The benefits are that there is no impact on the domain controller and even if the domain controller is down for a short time, past events are still sent to the collector when it returns online.
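The subscription mechanism described above, as an added illustration that is not ADAudit Plus's own code: a small collector that subscribes to a domain controller's Security log through the Windows Event Log API (`System.Diagnostics.Eventing.Reader`) and receives matching events as they are written, replaying a recent backlog first so events logged while the collector was offline are not lost. It assumes the account running it can read the DC's Security log, and `DC01` is a placeholder domain controller name.

```powershell
# Added illustration (not ADAudit Plus code): subscribe to a domain controller's
# Security log so matching events arrive the moment they are written, instead of
# being polled on a 5-30 minute schedule.
# Assumptions: run from a host whose account can read the DC's Security log
# (e.g. a member of Event Log Readers); DC01 is a placeholder DC name.
$dc = 'DC01'

# XPath query: account-management events (4720 = user account created,
# 4728 = member added to a security-enabled global group), limited to the last
# 24 hours so events logged while this collector was offline are replayed.
$xpath = '*[System[(EventID=4720 or EventID=4728) and ' +
         'TimeCreated[timediff(@SystemTime) <= 86400000]]]'

$session = New-Object System.Diagnostics.Eventing.Reader.EventLogSession($dc)
$query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
               'Security', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
$query.Session = $session

# readExistingEvents = $true: deliver the backlog first (catch-up), then stream new events.
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query, $null, $true)

# The action runs as each event is pushed to us; there is no polling loop.
$subscription = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -Action {
    $ea = $Event.SourceEventArgs
    if ($ea.EventException) {
        Write-Warning "Subscription error: $($ea.EventException.Message)"
        return
    }
    $rec  = $ea.EventRecord
    $line = '{0:u} {1} EventID={2} :: {3}' -f $rec.TimeCreated.ToUniversalTime(),
            $rec.MachineName, $rec.Id, ($rec.FormatDescription() -split "`n")[0]
    Write-Host $line
    # Hook real alerting here (Send-MailMessage, a SIEM forwarder, etc.).
}

$watcher.Enabled = $true
Write-Host "Subscribed to the Security log on $dc; press Ctrl+C to stop."
try {
    while ($true) { Wait-Event -Timeout 5 | Out-Null }
} finally {
    $watcher.Enabled = $false
    $watcher.Dispose()
    Unregister-Event -SubscriptionId $subscription.Id
    $session.Dispose()
}
```

Run it from an elevated PowerShell session on a collector host; each matching event is printed within seconds of being written on the DC, which is the behaviour the scheduled-pull model cannot offer.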
Why is this so revolutionary? Well, most technologies work on a scheduled basis to gather events from domain controllers. This schedule is typically in the range of 5 to 30 minutes. If you have alerts associated with certain Active Directory changes, the alert might not get triggered for up to 5 minutes after the change, which could be too late depending on the change and any attack the domain controller may be under.
With ADAudit Plus, alerts are real-time and an email can be sent to you just seconds after a key Active Directory change has been made.
By default, ADAudit Plus keeps the updates on a schedule, but you can easily change this. You just need the latest version of ADAudit Plus, build 4650, in order to make the change. The change is manual so that you, the administrator, can control which domain controllers work in real time and can know exactly when the real-time, continuous auditing is enabled.
To enable the real-time auditing, you need to update the ADAudit Plus database, which is best done with a ManageEngine tech support person (firstname.lastname@example.org). This will ensure you have enabled the correct setting on all of the domain controllers. Figure 1 illustrates what you will be updating. (Note that, by default, real-time auditing is not enabled.)
To configure real-time auditing, you need to set each domain controller to real time in the Fetch Mode drop-down list. So if you have 10 domain controllers, you will need to run the update 10 times. Figure 2 shows you what each drop-down list should say if I am updating a server named server100.
After you update each domain controller, it is running in real-time mode. This means that any alert you have associated with changes in Active Directory will be real-time, with no delay! I will be honest and say that this is a “game changer” for any company that needs to know when key changes occur in Active Directory, which is every company!
The original article/video can be found at ADAudit Plus Updated Release: Real-Time, Continuous Auditing of Active Directory Changes