Solved

Windows Events Partially ingested to secops

  • December 4, 2025
  • 2 replies
  • 35 views

bitshock1015

Hello,


I have a Bindplane configuration that collects logs from Active Directory and Windows Events. However, I noticed that some events are not being sent to Bindplane, but are generated on the server.
For example, event 4740. I can see this event in the event viewer, but at no point is it consumed by Bindplane.

What could be causing these events not to be brought in?


2 replies

nickbebel_bindplane

Hi, I am one of the Customer Engineers at Bindplane and am taking a look at your issue. When you are saying that you are not seeing the Events, does that mean you are not seeing the corresponding Events on the Bindplane processor nodes, or are we just not seeing them in the Destination (I'm assuming Google SecOps)?

Also, are you doing any processing of the mentioned data or are we still building out the pipeline?


bitshock1015
  • Author
  • New Member
  • Answer
  • December 10, 2025

Hello ​@nickbebel_bindplane 

I identified where the problem was. I checked the logs of the Bindplane remote agents and found that they were unable to post to googleapis.com URLs. We created a release rule in the firewall to allow communication, and the logs arrived successfully.
What was happening was that, since one of the client's DCs was on AWS, the logs were arriving without any problems. When we searched for the on-premises DCs, there were no logs in Chronicle, but they were visible in the local Bindplane.

Thank you very much for your attention

Regards,

Renato Ferreira
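The diagnosis above (events visible in the local agent but never reaching SecOps, with the agent log showing failed posts to googleapis.com) is a pattern worth automating. The script below is an added example, not code from the thread or from Bindplane: it scans agent log lines for failed HTTP posts, groups them by destination host, and separates network-style failures (the blocked-egress case seen on the on-premises DCs) from data errors. The log lines and the hostname are constructed placeholders, not real agent output.

```python
import re
from urllib.parse import urlparse

# Matches the URL inside an exporter error such as:
#   "error": "Post \"https://<host>/path\": dial tcp ...: i/o timeout"
POST_ERROR = re.compile(r'Post \\?"(https?://[^"\\\s]+)\\?"')

# Substrings that point at the network path (firewall/DNS/routing),
# as opposed to the payload being rejected by the endpoint.
NETWORK_HINTS = ("i/o timeout", "connection refused", "no route to host",
                 "TLS handshake timeout", "no such host")

# Constructed sample lines (not real Bindplane agent output). The host is a
# placeholder for the googleapis.com ingestion endpoint; 203.0.113.10 is a
# documentation-range address, also a placeholder.
SAMPLE_AGENT_LOG = """\
2025-12-04T10:01:02Z info  exporter started {"name": "chronicle"}
2025-12-04T10:01:12Z error Exporting failed. Will retry. {"name": "chronicle", "error": "Post \\"https://ingest-placeholder.googleapis.com/v2/events\\": dial tcp 203.0.113.10:443: i/o timeout"}
2025-12-04T10:01:42Z error Exporting failed. Will retry. {"name": "chronicle", "error": "Post \\"https://ingest-placeholder.googleapis.com/v2/events\\": dial tcp 203.0.113.10:443: i/o timeout"}
2025-12-04T10:02:00Z error Exporting failed. {"name": "chronicle", "error": "Post \\"https://ingest-placeholder.googleapis.com/v2/events\\": 400 Bad Request"}
"""


def classify_export_errors(log_text):
    """Return {host: {"network": n, "other": m}} for every failed Post."""
    result = {}
    for line in log_text.splitlines():
        m = POST_ERROR.search(line)
        if not m:
            continue
        host = urlparse(m.group(1)).hostname
        bucket = "network" if any(h in line for h in NETWORK_HINTS) else "other"
        result.setdefault(host, {"network": 0, "other": 0})[bucket] += 1
    return result


def needs_egress_rule(log_text, min_network_errors=2):
    """Hosts whose failures look like blocked egress (repeated network
    errors) rather than rejected data; these are firewall candidates."""
    return sorted(h for h, c in classify_export_errors(log_text).items()
                  if c["network"] >= min_network_errors)


if __name__ == "__main__":
    for host, counts in classify_export_errors(SAMPLE_AGENT_LOG).items():
        print(f"{host}: {counts}")
    print("allow tcp/443 egress to:", needs_egress_rule(SAMPLE_AGENT_LOG))
```

Run it against the agent log on each collector host; a host that appears only under "network" on the on-premises agents and not on the cloud-hosted one is the same asymmetry the thread describes.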