NetVizura is capable of detecting end user activity in the company network. Mapping a user's actual username to an IP address lets NetVizura keep track of end users' logon events. Logon events can be generated by Domain Controllers or workstations and relayed via Syslog to the NetVizura server. We use a Windows Domain Controller in our example.
NetVizura comes with predefined matching rules for the Snare Open Source Syslog agent. For a detailed explanation of how to install and configure the Snare Syslog agent, see Installing and Configuring Syslog Agent for End User Traffic.
* MSWinEventLog * 4624 Microsoft-Windows-Security-Auditing * Success Audit * Logon Type: 3 * Account Name: <USERNAME> * Account Domain: <DOMAIN> * Source Network Address: <USER-IP> *
Navigate to the NetVizura EventLog module and choose the Syslog tab. Identify a syslog message with logon information. This log should contain:
IP address of the domain controller that exports Syslogs: type the IP address into the Exporter text box and press Enter
Steps for creating a correct match string:
In the upper right corner of the NetVizura application, navigate to cogwheel > Settings > NetFlow Settings > End Users:
To check the results of your work, navigate to NetFlow > End Users. If the tree is empty, refresh your web browser with Ctrl+F5.
To improve user mapping and system performance, we recommend setting the status to inactive for all rules that are not in use.
Specifying too broad a subnet in the Source IP field might result in a performance penalty. For best results, consider changing Source IP to a more specific value or a concrete IP address.
Use the help button: hover your cursor over the question mark on the screen for additional help.
You can easily verify the rule by clicking the Verify button. Your rule will be automatically applied to check whether any Syslog message received during the last 24 hours matches the rule.
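The following is an added illustration, not NetVizura's own code, of what the predefined match string above selects from a Snare-relayed event 4624 and which fields it maps. The wildcard and placeholder semantics (`*` matches any text, `<NAME>` captures one token), the `rule_to_regex` and `match_logon` helpers, and the sample syslog line are all assumptions constructed for this example.

```python
import re
from typing import Optional

# Predefined NetVizura match string quoted on the page (placeholders in angle brackets).
MATCH_STRING = ("* MSWinEventLog * 4624 Microsoft-Windows-Security-Auditing * Success Audit * "
                "Logon Type: 3 * Account Name: <USERNAME> * Account Domain: <DOMAIN> * "
                "Source Network Address: <USER-IP> *")

# Constructed sample in Snare's tab-separated layout (hostname, MSWinEventLog, ..., event ID,
# source, ..., audit result, ..., message text). Not a real capture.
SAMPLE_4624 = (
    "dc01.corp.example\tMSWinEventLog\t1\tSecurity\t9876\tMon Jan 01 09:00:00 2024\t4624\t"
    "Microsoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tdc01.corp.example\tLogon\t\t"
    "An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - "
    "Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-1-2-3-1001 "
    "Account Name: jdoe Account Domain: CORP Logon ID: 0x1A2B3C Network Information: "
    "Workstation Name: WS42 Source Network Address: 10.1.2.34 Source Port: 49152\t123"
)

def rule_to_regex(rule: str) -> re.Pattern:
    """Translate a match string into a regex.

    Assumed semantics (the page does not spell them out): '*' matches any text,
    '<NAME>' captures one whitespace-free token, and whitespace in the rule matches
    any run of whitespace, since Snare separates fields with tabs.
    """
    tokens = rule.split()
    parts = []
    for i, tok in enumerate(tokens):
        if i:
            # A wildcard already absorbs separators, so do not insist on one next to it.
            parts.append(r"\s*" if "*" in (tok, tokens[i - 1]) else r"\s+")
        if tok == "*":
            parts.append(r".*?")
        elif tok.startswith("<") and tok.endswith(">"):
            parts.append(rf"(?P<{tok[1:-1].replace('-', '_').lower()}>\S+)")
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts), re.DOTALL)

LOGON_RULE = rule_to_regex(MATCH_STRING)

def match_logon(line: str, rule: re.Pattern = LOGON_RULE) -> Optional[dict]:
    """Return {'username', 'domain', 'user_ip'} for a matching syslog line, else None.

    Because 'Logon Type: 3' precedes the 'New Logon:' block in event 4624, the first
    'Account Name:' after it is the logged-on user, not the Subject account.
    """
    m = rule.search(line)
    return m.groupdict() if m else None
```

A line for a different logon type or event ID yields None, which is the same outcome the Verify button reports when no message in the last 24 hours matches the rule.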