How to monitor active directory ldap logs

How to monitor Active Directory LDAP logs

LDAP queries can be used to find objects that meet certain criteria in the AD database such as the list of disabled user accounts, users with empty last name, groups created within the last 30 days, and so on. Monitoring LDAP logs in Active Directory can provide handy information about LDAP queries that are run, and also about applications that frequently generate expensive or inefficient queries. It can also shed light on unsecure LDAP binds, and LDAP connection timeouts.

The following is a comparison between auditing LDAP queries using native auditing tools and ManageEngine's ADAudit Plus, a comprehensive real-time Active Directory auditing solution.

Free, fully functional 30-day trial

With Native AD Auditing
With ADAudit Plus

Login to ADAudit Plus web console.
Navigate to the Server Audit tab and from the LDAP Auditing section in the left pane. Some of the important reports in LDAP auditing have been shown below:
1. Unsecure LDAP binds
2. Number of daily unsecure LDAP bind
3. Number of LDAP queries
4. Recent LDAP queries
5. Error from LDAP server
6. Time-out LDAP connection
You can generate the results for the time period of your choice.
Select the domain and click Generate.
Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

Enable LDAP auditing
Open Registry Editor. Go to HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics. Note: Set '15 Field Engineering' to '5'. This enables Expensive and Inefficient LDAP calls to be logged in Event Viewer.
View the logs
1. Unsecure LDAP binds
  Go to Event Viewer → Filter Directory Service logs to locate the event ID 2889 (Windows Server 2003 to 2012)
2. Number of daily unsecure LDAP bind
  Go to Event Viewer → Filter Directory Service logs to locate the event ID 2887 (Windows Server 2003 to 2012)
3. Number of LDAP queries
  Go to Event Viewer → Filter Directory Service logs to locate the event ID 1643 (Windows Server 2003 to 2012)
4. Recent LDAP queries
  Go to Event Viewer → Filter Directory Service logs to locate the event ID 1644 (Windows Server 2003 to 2012)
5. Error from LDAP server
  Go to Event Viewer → Filter Directory Service logs to locate the event ID 1535 (Windows Server 2003 to 2012)
6. Time-out LDAP connection
  Go to Event Viewer → Filter Directory Service logs to locate the event ID 1317 (Windows Server 2003 to 2012)

Native auditing becoming a little too much?

Simplify LDAP auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Here are some of the limitations to generate a report of LDAP logs in Active Directory using native auditing methods:

It is a complex process to obtain the required data amidst the noise.
It is difficult to generate the report for different time zones and date formats.

With ADAudit Plus, it is easy to obtain a report of LDAP logs in Active Directory in just a few clicks. Details like who made the search, and from which domain controller, are displayed in a simple and intuitively designed UI. This report can also be included in alert profiles to notify the IT administrators when an LDAP search is made.

Active Directory auditing

Windows file auditing

NAS device file auditing

Windows server auditing

Workstation auditing

Entra ID auditing

All features →

Help documents

Video zone

Webinars

Product brochures

Case studies

E-books

Awards zone

Study

How tos

Best practices

With Native AD Auditing

With ADAudit Plus

Related How-tos

Request 1-on-1 demo

Thanks

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

A single pane of glass for complete Active Directory Auditing and Reporting