Skip to main content

Active Directory JSON - OpenTelemetry Collector

Thumbnail icon Thumbnail icon

The Active Directory JSON app helps you monitor your Windows Active Directory deployment by analyzing Active Directory logs in the JSON based event log format. The app includes predefined searches and dashboards that provide user activity into your environment for real-time analysis of overall usage.

We recommend using the Active Directory JSON app in combination with the Windows JSON app. Active Directory logs are sent to Sumo Logic through OpenTelemetry windowseventlogreceiver.

Schematics
info

This app includes built-in monitors. For details on creating custom monitors, refer to the Create monitors for Active Directory app.

Fields creation in Sumo Logic for Active Directory​

Following are the fields which will be created as part of Active Directory App install if not already present.

sumo.datasource - Has fixed value of activeDirectory.

Event logs used by Active Directory app​

This section provides instructions for configuring log collection for Active Directory running on a non-Kubernetes environment for the Sumo Logic app for Active Directory. Tails and parses logs from Windows event log API are collected using the opentelemetry-log-collection library.

Log types​

Standard Windows event channels include:

  • Security
  • System
  • Application

Collection configuration and app installation​

note

You can skip this section if you have already set up the logs collection through Windows PCI, Windows - Cloud Security Monitoring and Analytics, or Windows app installation. Additional collection is not required as the logs used by this app are already ingested into Sumo Logic.

As part of data collection setup and app installation, you can select the App from App Catalog and click on Install App. Follow the steps below.

Step 1: Set up Collector​

note

If you want to use an existing OpenTelemetry Collector, you can skip this step by selecting the Use an existing Collector option.

To create a new Collector:

  1. Select the Add a new Collector option.
  2. Select the platform where you want to install the Sumo Logic OpenTelemetry Collector.

This will generate a command that you can execute in the machine environment you need to monitor. Once executed, it will install the Sumo Logic OpenTelemetry Collector.

Collector

Step 2: Configure Integration​

In this step, we will configure the yaml required for Active Directory Collection.

You can add any custom fields which you want to tag along with the data ingested in Sumo.

Click on the Download YAML File button to get the yaml file.

YAML

Step 3: Send logs to Sumo Logic​

Once you have downloaded the YAML file as described in the previous step, follow the below steps based on your platform.

  1. Copy the yaml at C:\ProgramData\Sumo Logic\OpenTelemetry Collector\config\conf.d folder in the machine which needs to be monitored.
  2. Restart the collector using the command Restart-Service -Name.

After successfully executing the above command, Sumo Logic will start receiving data from your host machine.

Click Next. This will install the app (dashboards and monitors) to your Sumo Logic Org.

Dashboard panels will start to fill automatically. It's important to note that each panel fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but within 20 minutes, you'll see full graphs and maps.

Sample log messages​

{
record_id:"121139",
channel:"Security",
event_data:"S-1-0-0
-
-
0x0
S-1-0-0
TS

0xc000006d
%%2313
0xc0000064
3
NtLmSsp
NTLM
-
-
-
0
0x0
-
9.204.254.156\
0",
task:"Logon",
provider:"{\"event_source\":\"\",\"name\":\"Microsoft-Windows-Security-Auditing\",\"guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"}",
system_time:"2023-01-16T08:53:57+0000664Z",
computer:"EC2AMAZ-T30T53R",
opcode:"Info",
keywords:"Audit Failure",
details:"{\"Account For Which Logon Failed\":\"\",\"Network Information\":\"\",\"Failure Information\":\"\",\"Detailed Authentication Information\":\"\",\"Subject\":\"\",\"Process Information\":\"\",\"Logon Type\":\"3\",\"Additional Context\":\"\"}",
message:"An account failed to log on.",
event_id:"{\"qualifiers\":\"0\",\"id\":\"4625\"}",
level:"Information"
}

Sample queries​

This sample Query is from the Active Directory - Active Directory Service Activity > Top 10 Messages panel.

%"sumo.datasource"=activeDirectory
| json "event_id", "computer", "message" as event_id, host, msg_summary nodrop
| parse regex field=msg_summary "(?<msg_summary>.*\.*)" nodrop
| where host matches "*"
| count by msg_summary
| top 10 msg_summary by _count

Viewing Active Directory dashboards​

Active Directory Service Activity​

The Active Directory Service Activity dashboard provides insights into overall active directory services like Category overtime, object creation, top 10 messages.

Service Activity

Active Directory Service Failures​

The Active Directory Service Failures dashboard provides an at-a-glance view of success, failures, and audit failures overtime.

Service Failures

Create monitors for Active Directory app​

From your App Catalog:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
  3. Make sure the app is installed.
  4. Navigate to What's Included tab and scroll down to the Monitors section.
  5. Click Create next to the pre-configured monitors. In the create monitors window, adjust the trigger conditions and notifications settings based on your requirements.
  6. Scroll down to Monitor Details.
  7. Under Location click on New Folder.
    note

    By default, monitor will be saved in the root folder. So to make the maintenance easier, create a new folder in the location of your choice.

  8. Enter Folder Name. Folder Description is optional.
    tip

    Using app version in the folder name will be helpful to determine the versioning for future updates.

  9. Click Create. Once the folder is created, click on Save.

Active Directory alerts​

NameDescriptionAlert ConditionRecover Condition
Active Directory - Account Lockouts SpikeThis alert is triggered when there are multiple account lockouts in a short time period, indicating potential brute force attempts.Count >= 5Count < 5
Active Directory - Directory Service FailuresThis alert is triggered when there are critical Directory Service failures that could impact AD functionality.Count >= 3Count < 3
Active Directory - Mass User Account DeletionsThis alert triggers when multiple user accounts are deleted in a short time period, which could indicate malicious activity.Count > 5Count <= 5
Active Directory - NTLM Authentication FailuresThis alert is triggered when there are multiple NTLM authentication failures, which could indicate credential theft attempts.Count >= 5Count < 5
Active Directory - Replication FailuresThis alert triggers when AD replication failures occur, which can impact directory synchronization.Count > 0Count <= 0
Active Directory - Schema ModificationsThis alert is triggered when changes are made to the AD schema, which are rare and potentially high-impact changes.Count > 0Count <= 0
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2025 by Sumo Logic, Inc.