In this article:
Issue description
Prerequisites
Possible causes
Resolution
Related topics and articles
How to contact support
Issue description
This article provides troubleshooting guidance for cases where no data appears under LDAP auditing reports in ADAudit Plus. It covers common causes, verification steps, and solutions to ensure proper logging of LDAP activities.
Prerequisites
The server where LDAP activities occur is properly configured in ADAudit Plus.
There is proper communication between the product server and the respective machine.
The service account has the necessary privileges assigned to avoid access denial errors.
The audit policies required for LDAP auditing are enabled.
The necessary registry keys are configured on the servers.
Sufficient retention size is set on the configured servers to prevent overwriting of logged events.
Possible causes
The server where LDAP activities occur is not configured in ADAudit Plus.
No communication between the product server and the respective machine (RPC error).
Required privileges are not assigned to the service account (access denied error).
An error specific to security packages is encountered.
Audit policies required for LDAP auditing are missing.
Required registry keys are not enabled on the configured servers.
Insufficient retention size on the configured servers, leading to overwriting of logged events.
Files stuck under <Installation Directory>/ADAudit Plus/event data/raw or <>/processed.
Resolution
Step 1. Ensuring all machines that carry out LDAP are configured in ADAudit Plus
Log in to ADAudit Plus web console.
Navigate to Domain Settings and confirm that all Domain Controllers (DCs) where LDAP activities occur are properly configured.
Since LDAP can also be enabled on a member server, go to the Server Audit tab, then Member Server, and ensure that any servers hosting LDAP activities are also configured.
Step 2. Ensuring communication from product server to respective machine
Follow the official documentation to open the necessary ports and firewall rules.
Step 3. Assigning required privileges to the service account
Log in to the Domain Controller or a machine where Active Directory Users and Computers (ADUC) is accessible.
Open the Builtin container, right-click the Event Log Readers group, then select the Members tab.
Click Add to add the configured service account (the one used under Domain Settings in ADAudit Plus) to this group.
Step 4. A security package specific error occurred
This is a native Windows error, typically caused by conflicting IP addresses or by multiple machines registered with the same SPN.
Ensure that the corresponding domain controller has forward and reverse lookup entries in DNS.
Step 5. Ensuring required audit policies are enabled
Log in to a system with Group Policy Management Console (GPMC) access using Domain Admin credentials.
Open GPMC (gpmc.msc).
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy.
Locate and enable the following policies under the DS Access category:
Audit directory service changes and Audit directory service access.
Set both policies to Success.
To verify applied policies, run the following command:
auditpol /get /category:*
Note: This command will display the resultant set of audit policies configured on the machine. Verify whether the configured policy has been applied.
Step 6. Configuring required registry settings
Open Registry Editor on the configured LDAP server.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Locate the following registry entries and set their values to 5:
Field Engineering
LDAP Interface Events
Step 7. Validating LDAP audit events in Event Viewer
Open Event Viewer on the LDAP server.
Navigate to Directory Service under Application and Service Logs.
Confirm the following event IDs are logged:
Report Name                        | Event ID
-----------------------------------|---------
Unsecure LDAP Binds                | 2889
No of Daily Unsecure LDAP Bind     | 2887
No of LDAP Queries                 | 1643
Recent LDAP Queries                | 1644
Error from LDAP Server             | 1535
No of Rejected Unsecure LDAP Binds | 2888
Attempt to Make LDAPS Connection   | 1220
Time-out LDAP Connection           | 1317
Note: If the above events are missing, then the report will not populate. To address this issue, refer to the registry step above.
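The checks in Steps 5 to 7 can be run together from an elevated PowerShell session on the audited domain controller or LDAP server. The script below is an added example, not part of the ADAudit Plus documentation; it assumes the NTDS Diagnostics value names carry their numeric prefixes as stored in the registry ("15 Field Engineering", "16 LDAP Interface Events") and uses the 12-hour window from the retention note in Step 8 as the lookback period.

```powershell
# Added verification script (not from the ADAudit Plus documentation).
# Run in an elevated PowerShell session on the DC / LDAP server being audited.
# Assumption: NTDS Diagnostics value names include their numeric prefixes.

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$expected = 5                           # value recommended in Step 6
$lookback = (Get-Date).AddHours(-12)    # 12-hour window from the Step 8 note

# --- Step 6: NTDS diagnostic logging levels ---
foreach ($name in '15 Field Engineering', '16 LDAP Interface Events') {
    $value = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        Write-Warning "$name is missing under $regPath"
    } elseif ($value -lt $expected) {
        Write-Warning "$name is $value (expected $expected)"
    } else {
        Write-Output "OK: $name = $value"
    }
}

# --- Step 5: effective audit policy for the two DS Access subcategories ---
# auditpol prints a table; keep only the rows the article refers to.
auditpol /get /category:"DS Access" |
    Select-String -Pattern 'Directory Service (Changes|Access)' |
    ForEach-Object { Write-Output "Audit policy: $($_.Line.Trim())" }

# --- Step 7: are the report event IDs present in the Directory Service log? ---
$reportEvents = [ordered]@{
    2889 = 'Unsecure LDAP Binds'
    2887 = 'No of Daily Unsecure LDAP Bind'
    1643 = 'No of LDAP Queries'
    1644 = 'Recent LDAP Queries'
    1535 = 'Error from LDAP Server'
    2888 = 'No of Rejected Unsecure LDAP Binds'
    1220 = 'Attempt to Make LDAPS Connection'
    1317 = 'Time-out LDAP Connection'
}
foreach ($id in $reportEvents.Keys) {
    $filter = @{ LogName = 'Directory Service'; Id = $id; StartTime = $lookback }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero hits.
    $hits   = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $status = if ($hits.Count -gt 0) { "OK ($($hits.Count) events)" } else { 'MISSING' }
    Write-Output ("{0,-6} {1,-36} {2}" -f $id, $reportEvents[$id], $status)
}
```

A MISSING row for an event ID points back to the registry values in Step 6, while a warning on the audit policy rows points back to the GPO settings in Step 5.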
Step 8. Configuring event log settings
To prevent audit data loss due to event overwrites, define the event log size and retention settings as follows.
Open GPMC.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log
Set the Maximum application log size to at least 2 GB.
Note: Ensure that the security event log holds a minimum of 12 hours of data.
Step 9. Handling stuck event data files
If files are stuck under <Installation Directory>/ADAudit Plus/event data/raw or <>/processed, contact ManageEngine Support for further assistance.
Related topics and articles
No data available in LAPS reports.
How to contact support