JPCERTCC / LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

Questions - logs from Domain controllers only or all servers? #105

Closed godstoge closed 3 years ago

godstoge commented 3 years ago

When you refer to the use of "Active Directory logs" - do you mean security.evtx from domain controllers only? Or do you mean security.evtx from all domain-joined servers?

The reason I ask is because in IR engagements we often see that a Domain controller's security.evtx contains only a few hours of data due to log size limitations.

shu-tom commented 3 years ago

We are analyzing DC security.evtx. However, logon events are also recorded on the server, so you can analyze them with LogonTracer.
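An added example, not part of the LogonTracer project or this thread: a PowerShell check of how much wall-clock time each host's Security log actually covers and how large it is allowed to grow, which is the quickest way to confirm the "only a few hours on the DC" problem before deciding to collect member-server logs as well. Host names are hypothetical and the script assumes remote event log access to them.

```powershell
# Added example (not LogonTracer code). For each host, report the configured
# maximum size of the Security log, whether it wraps (Circular), and the span
# between its oldest and newest surviving event. A DC with a small Circular log
# will show a CoverageHours value of only a few hours, which is the situation
# described in the thread; member servers with more headroom can fill the gap.
param(
    [string[]]$ComputerName = @('DC01', 'FILESRV01')   # hypothetical host names
)

foreach ($target in $ComputerName) {
    try {
        # Log configuration: size limit, retention mode, record count
        $cfg = Get-WinEvent -ListLog Security -ComputerName $target -ErrorAction Stop
        # Oldest and newest events still present in the log
        $oldest = Get-WinEvent -LogName Security -ComputerName $target -Oldest -MaxEvents 1 -ErrorAction Stop
        $newest = Get-WinEvent -LogName Security -ComputerName $target -MaxEvents 1 -ErrorAction Stop
        $span = $newest.TimeCreated - $oldest.TimeCreated

        [pscustomobject]@{
            Host          = $target
            MaxSizeMB     = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            LogMode       = $cfg.LogMode        # Circular = old events are overwritten
            Records       = $cfg.RecordCount
            OldestEvent   = $oldest.TimeCreated
            NewestEvent   = $newest.TimeCreated
            CoverageHours = [math]::Round($span.TotalHours, 1)
        }
    } catch {
        Write-Warning "${target}: $($_.Exception.Message)"
    }
}
```

For security.evtx files already exported during an engagement, replace `-LogName Security -ComputerName $target` with `-Path <file>.evtx` on the two `Get-WinEvent` event queries to get the same oldest/newest span offline.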