
STAS - intermittent issue with logging?

Anybody got this setup for UTM 9.4?

I think the issue may lie with my AD and the auditing. STAS only seems to show logons of type 2 (interactive logon) and I know lots of users are logging on but they don't seem to be registering for some reason. The ones that have registered have been added to my UTM automatically, which suggests that it's working, but I think my audit policy on the Win 2012 R2 domain controller is wrong.

Can anybody tell me what the auditing should be set at? I've followed the guides but nothing is showing in STAS or the Windows event logs with regards to logon type 2.



  • What a pain this turned out to be.....

    Firstly, there were conflicting GPs for recording logons. Once that was rectified, I applied the local security policy that Sophos states in their instructions with STAS.

    Within a minute or two, this policy was reset and overwritten. Took me a while to trace it, but on 2012 R2 I had to go in via the advanced security policies and enable the auditing from there. Specifically, because it's a little different in there compared to the local security policy, you are looking to enable the Kerberos auditing.

    I've now got 4 DCs reporting quite happily to the UTMs and adding 100s of users.

  • Hi, this is very useful. I am having a similar problem: live users shows blank.

    My domain is still Windows 2003. I am wondering, as I have both "domain controller GP" and "domain GP" and they both have a local policy that contains an audit policy, which one should I configure? I configured both as per the instructions from Sophos, but I got a blank live user screen. Just thinking maybe I am doing something wrong here, and I am having an issue with the recording logon GP.

    Thanks.

  • Hi,

    When you install STAS, there are tabs which allow you to test whether it's connected to the domain, UTM etc.

    First thing to do is to change the domain security policy. I did it on both policies (I think the DC security policy has higher preference than the domain policy with regards to DCs).

    Once you change that policy, you should look in the Windows security logs to ensure it is logging the users.

    Once you have that, you should look in STAS under the last tab "show live users" to see if they are in there.

    If you have users in there, configure your UTM for STAS (under users & authentication servers etc). You don't have to set any web policies at this time on the UTM.

    What you are looking for is users to show up under "client authentication" on the UTM. This can be a little hit and miss even when it's working. It takes a couple of clicks to show up and is intermittent even though it works in the background.
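
A way to run the two checks described in the replies above (is the audit policy actually in effect, and are logon events reaching the Security log), as an added example that is not part of the original thread or of Sophos's instructions. It assumes an English-language Windows Server 2008 or later domain controller, where Kerberos ticket requests are logged as event 4768 and logons as 4624; the 15-minute window is an arbitrary value.

```powershell
# Added example. Run in an elevated PowerShell session on the domain controller.
# Assumptions: English subcategory names; event IDs 4768/4624 (Server 2008 and later).
$minutes = 15   # look-back window, arbitrary value chosen for this example

# 1. Effective advanced audit settings (what is applied, not what a GPO says).
foreach ($sub in 'Kerberos Authentication Service', 'Logon') {
    auditpol /get /subcategory:"$sub"
}

# 2. Does the advanced (subcategory) policy override the legacy category policy?
#    When this value is absent or 0, legacy "Audit policy" settings can overwrite it.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$override = $lsa.SCENoApplyLegacyAuditPolicy
if ($null -eq $override) { $override = 'not set' }
"SCENoApplyLegacyAuditPolicy: $override"

# 3. What actually reached the Security log in the window.
$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4624
    StartTime = (Get-Date).AddMinutes(-$minutes)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No 4768/4624 events in the last $minutes minutes: auditing is not taking effect."
} else {
    $rows = foreach ($e in $events) {
        # Read the named EventData fields instead of relying on property positions.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id        = $e.Id
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']   # empty for 4768
            Source    = $data['IpAddress']
        }
    }
    # Drop computer accounts (names ending in $), then count per event ID and logon type.
    $rows | Where-Object { $_.User -notlike '*$' } |
        Group-Object Id, LogonType | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}
```

If step 1 shows "No Auditing" again a few minutes after you set it, a competing policy is still rewriting the setting, which matches the overwrite described earlier in the thread.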

  • Hi, Louis;

    Thank you for your reply.

    I have a connection from agent to collector, and from collector to UTM, and the Windows event log shows user log on/off. Everything seems to be working, just I do not have anything in "live user"/advance tag.

    I did use the tcpdump command to find out that the communication between collector and UTM is actually on port 6060, not 6767 as indicated in the manual. Changed the port number in the UTM and the STAS program, still got NO users shown.

    After a lot of reading, I think I know why:

    I am running Windows 2003 AD, and the event ID used in 2003 AD is different from 2008 AD and newer. I suspect STAS is only written for 2008 and newer. Unless you know anyone who got STAS working on a 2003 AD, I think I found the reason.

    What do you think?