How to monitor Active Directory LDAP logs

LDAP queries can be used to find objects that meet certain criteria in the AD database such as the list of disabled user accounts, users with empty last name, groups created within the last 30 days, and so on. Monitoring LDAP logs in Active Directory can provide handy information about LDAP queries that are run, and also about applications that frequently generate expensive or inefficient queries. It can also shed light on unsecure LDAP binds, and LDAP connection timeouts.

The following is a comparison between auditing LDAP queries using native auditing tools and ManageEngine's ADAudit Plus, a comprehensive real-time Active Directory auditing solution.

Download for FREE Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

  • Login to ADAudit Plus web console.

  • Navigate to the Server Audit tab and from the LDAP Auditing section in the left pane. Some of the important reports in LDAP auditing have been shown below:

    1. Unsecure LDAP binds

    2. Number of daily unsecure LDAP bind

    3. Number of LDAP queries

    4. Recent LDAP queries

    5. Error from LDAP server

    6. Time-out LDAP connection

    You can generate the results for the time period of your choice.

  • Select the domain and click Generate.

  • Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

  • Enable LDAP auditing
    Open Registry Editor. Go to HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics. Note: Set '15 Field Engineering' to '5'. This enables Expensive and Inefficient LDAP calls to be logged in Event Viewer.

  • View the logs

    1. Unsecure LDAP binds
      Go to Event Viewer → Filter Directory Service logs to locate the event ID 2889 (Windows Server 2003 to 2012)

    2. Number of daily unsecure LDAP bind
      Go to Event Viewer → Filter Directory Service logs to locate the event ID 2887 (Windows Server 2003 to 2012)

    3. Number of LDAP queries
      Go to Event Viewer → Filter Directory Service logs to locate the event ID 1643 (Windows Server 2003 to 2012)

    4. Recent LDAP queries
      Go to Event Viewer → Filter Directory Service logs to locate the event ID 1644 (Windows Server 2003 to 2012)

    5. Error from LDAP server
      Go to Event Viewer → Filter Directory Service logs to locate the event ID 1535 (Windows Server 2003 to 2012)

    6. Time-out LDAP connection
      Go to Event Viewer → Filter Directory Service logs to locate the event ID 1317 (Windows Server 2003 to 2012)

Native auditing becoming a little too much?

Simplify LDAP auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Here are some of the limitations to generate a report of LDAP logs in Active Directory using native auditing methods:

  • It is a complex process to obtain the required data amidst the noise.
  • It is difficult to generate the report for different time zones and date formats.

With ADAudit Plus, it is easy to obtain a report of LDAP logs in Active Directory in just a few clicks. Details like who made the search, and from which domain controller, are displayed in a simple and intuitively designed UI. This report can also be included in alert profiles to notify the IT administrators when an LDAP search is made.

Related How-tos

Request Support

Thanks

One of our solution experts will get in touch with you shortly.

    Please enter business email address
  •  
     
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2021 Zoho Corp. All rights reserved.