I have my Windows domain controllers set up in MARS and have verified logs are being pulled. I'm unclear as to what MARS can do for me if I'm looking to run a query on a particular active directory user. Is MARS polling for just failed logons or all logon events? How would I go about querying for all logon events (success/fail) for a particular user (if that's possible)?
I've never used the pull method, but based on the user guide it should pull events from the security, application, and system event logs.
If you don't know what event types you're after and you're in a smaller shop, probably the easiest way to see all events for a particular user is to select their userid in the "reported user" column of the query. You can use the default query type of "event types ranked by sessions". You can then click on the event type you're interested in to begin drilling down.
Can you give me just a little more guidance? I run the query, get the results, but am not sure how to go about choosing which report, etc. I would just like a single report for a user that lists all activity within the query time range. Is that possible out of the box or do I have to create some sort of custom report?
I don't think it will be as functional as you'd like it to be, but I would recommend using a keyword for that. The reason is that a user will typically have multiple MARS username entries because of differences between systems (some have domain context, some don't, etc.).
Use the default result format "event types ranked by sessions". Enter the username in the keyword column. Enter your date range. Press Enter. Is that close to what you're looking for?
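The point made in the answer above (one person shows up under several "reported user" forms, so a single userid match misses events) is worth seeing in working form. The following is an added example, not code from the thread or from Cisco MARS: it normalizes the common Windows username forms (DOMAIN\user, user@domain, bare user) and pulls every successful and failed logon for one account from a constructed Security-log export. The logon event IDs are standard Windows Security log values (528/540/529 on 2003-era controllers, 4624/4625 on 2008 and later); the export format and all sample records are invented for the example.

```python
from dataclasses import dataclass

# Windows Security event IDs for logons (standard Windows values, not from the thread):
#   Windows 2003 era: 528/540 = successful logon, 529 = failed logon
#   Windows 2008+:    4624 = successful logon, 4625 = failed logon
LOGON_SUCCESS = {"528", "540", "4624"}
LOGON_FAILURE = {"529", "4625"}


@dataclass
class LogonEvent:
    host: str
    event_id: str
    user: str       # the "reported user" exactly as the system logged it
    outcome: str    # "success" or "failure"


def normalize_user(raw):
    """Reduce the username forms a DC may report to one bare account name.

    Handles DOMAIN\\user, user@domain.example and plain user; case-insensitive,
    which is why a bare "reported user" match in a query can miss events.
    """
    name = raw.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


# Constructed sample of a pulled Security-log export: host,event_id,reported_user
# (one record per line; hypothetical data, not from any real controller)
SAMPLE_EXPORT = """\
dc01,4624,CORP\\jsmith
dc01,4625,jsmith@corp.example
dc02,4624,JSMITH
dc02,4624,CORP\\agarcia
dc01,4672,CORP\\jsmith
dc01,529,CORP\\jsmith
"""


def parse_export(text):
    """Keep only logon events, tagging each as success or failure."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, event_id, user = line.split(",", 2)
        if event_id in LOGON_SUCCESS:
            outcome = "success"
        elif event_id in LOGON_FAILURE:
            outcome = "failure"
        else:
            continue  # not a logon event (e.g. 4672, special privileges assigned)
        events.append(LogonEvent(host, event_id, user, outcome))
    return events


def logons_for_user(events, account):
    """All logon events for one account, whatever name form the source used."""
    target = normalize_user(account)
    return [e for e in events if normalize_user(e.user) == target]


def summarize(events, account):
    """Counts per outcome plus the distinct name forms that matched."""
    hits = logons_for_user(events, account)
    return {
        "success": sum(1 for e in hits if e.outcome == "success"),
        "failure": sum(1 for e in hits if e.outcome == "failure"),
        "name_forms": sorted({e.user for e in hits}),
    }


if __name__ == "__main__":
    print(summarize(parse_export(SAMPLE_EXPORT), "jsmith"))
```

Running it against the sample shows four logon events for jsmith spread over three name forms; a query keyed on exactly one of those forms would report only part of the user's activity, which is the gap the keyword approach is meant to close.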