Browse documentation
Setting up AD auditing
↩ AD Audit
AD Audit reads the Security event log from your domain controllers and turns the raw events into structured, searchable records. This article covers getting it collecting.
Before you start
- Enable the AD Audit module (Settings → Modules). It's off by default.
- The domain controller must already exist in JOATOS as a server with a WMI / WinRM credential assigned — that's how the collector reads its Security log.
Adding a domain controller
- Open AD Audit in the sidebar (titled Active Directory Audit, with a Pilot badge).
- In Audited Domain Controllers, select Add DC.
- Choose the server (its domain-controller role), optionally enter the AD domain (e.g. corp.example.com), and pick which categories to collect:
- Account changes (on)
- Group changes (on)
- Computer accounts (on)
- Directory object changes (on)
- Failed logons + lockouts (on)
- Successful logons (off — high volume)
- Select Add.
If the chosen server has no WMI/WinRM credential, JOATOS warns you — the collector can't read the Security log until one is set.
Once added, the DC appears in the list with its categories, an enabled/paused toggle, and its last-scan time. The collector then polls its Security log and events begin to appear.
Keeping volume in check
AD security logs can be noisy. AD Audit applies a daily ingest cap and shows counters for events ingested today and any dropped when the cap is hit. If you're dropping events, narrow the categories on the noisiest DCs — for example, leave Successful logons off unless you specifically need them.
Stopping collection
Use the toggle to pause a DC, or remove it entirely. Removing a DC keeps the events already collected — it only stops new collection.
Notes & tips
- Start with the default categories; add Successful logons only when you have a specific need, as it's high-volume.
- This is a Pilot feature — retention windows and the ingest cap are tunable while it settles in.