{"id":1651,"date":"2022-05-12T20:12:50","date_gmt":"2022-05-13T00:12:50","guid":{"rendered":"https:\/\/enterpriseadmins.org\/blog\/?p=1651"},"modified":"2022-05-12T20:12:50","modified_gmt":"2022-05-13T00:12:50","slug":"uncovering-missing-active-directory-subnets-with-vrealize-log-insight","status":"publish","type":"post","link":"https:\/\/enterpriseadmins.org\/blog\/virtualization\/uncovering-missing-active-directory-subnets-with-vrealize-log-insight\/","title":{"rendered":"Uncovering missing Active Directory subnets with vRealize Log Insight"},"content":{"rendered":"\n

In a recent post (https:\/\/enterpriseadmins.org\/blog\/virtualization\/domain-controllers-and-micro-segmentation\/<\/a>) I described an issue where authentication may not work as desired when Active Directory sites and Services Subnets are not properly defined. There is often a disconnect in large enterprises where network\/subnet creation and active directory aren’t managed by the same folks, so occurrences like the one I described are all too common. I remember many years ago writing a VBScript that parsed a log file to try and find new networks so that we could create subnet definitions. I decided to see what new options existed in this space and was surprised to see that things were mostly unchanged. <\/p>\n\n\n\n

Active Directory authentications from clients without subnets defined are still logged to C:\\WINDOWS\\Debug\\netlogon.log<\/code> all these years later. This file contains entries such as:<\/p>\n\n\n\n

05\/12 21:28:11 [6772] LAB: NO_CLIENT_SITE: EUC-VIEWCS-21 192.168.36.50<\/pre>\n\n\n\n
This suggests that the subnet I use for VDI Management VMs is not mapped to a site in AD Sites and Services through a properly defined subnet.  In this case I know that the network 192.168.36.0\/24 should map to my US-East-IN<\/code> site in Active Directory.  This is an easy fix, but in dynamic environments something similar is going to happen again.  <\/p>\n\n\n\n
The old VBScript would still work to parse this file, and I could run that as a scheduled task, and occasionally look for these types of events.  However, thanks to vRealize Log Insight, I have better ways to deal with log files in my lab these days.  All of the systems deployed in my lab run the Log Insight agent<\/a>, which can be used to pickup this file.  I already have a custom Agent Group<\/a> for my domain controllers, so I can just edit its configuration so that it also picks up the file.  To do this, I browse to Management > Agents > select the group “Domain Controllers” > File Logs > New and create an entry for the path in question:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
As you can see, we are looking in the C:\\Windows\\Debug\\<\/code> directory, specifically for one file named netlogon.log<\/code>.  After adding this entry I selected ‘Save Agent Group’.  After a couple of minutes I searched Interactive Logs for no_client_site<\/code> and had a few hits.  This works well, but what I really want to see is which clients are showing up without needing to parse through all of these individual rows.  To help with this I can make a custom dashboard based off an extracted field.<\/p>\n\n\n\n
Extracted Field<\/h3>\n\n\n\n
I can see that the data I want is right there at the end of the string, so I can highlight the text and click ‘Extract field’.  This brings up a ‘Manage Fields’ screen in the right navigation.  By default, the wizard knows that I want to extract an IP Address, but it thinks I only want the one that comes after a specific hostname:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
I can simply change this from EUC\\-VIEWCS\\-21<\/code> to  <\/code> (a single space) and it automatically highlights all the entries, not just this one.  I can name the field and select save.<\/p>\n\n\n\n
Custom Dashboard<\/h3>\n\n\n\n
From the explore logs view, I queried for no_client_site<\/code> I changed the dashboard selections at the top to ‘Count of events’ and grouped by ‘WinDebug_NoClientSite_IP’ which is the name of the extracted field from above.  This resulted in a bar graph by the authenticating client where I could easily see the handful of interesting clients.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
In the top right of this visual is an ‘Add to Dashboard’ button.  I used that button to add this newly created chart to a ‘Active Directory – Custom’ dashboard that I have started.<\/p>\n\n\n\n
I now have a visual that will show me the clients that are in subnets not mapped to an Active Directory site.  Once I research these subnets and get them properly defined this query should return no results — until the next time a network is created.<\/p>\n","protected":false},"excerpt":{"rendered":"
In a recent post (https:\/\/enterpriseadmins.org\/blog\/virtualization\/domain-controllers-and-micro-segmentation\/) I described an issue where authentication may not work as desired when Active Directory sites and Services Subnets are not properly defined. There is often a disconnect in large enterprises where network\/subnet creation and active … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[9,4],"tags":[],"class_list":["post-1651","post","type-post","status-publish","format-standard","hentry","category-lab-infrastructure","category-virtualization"],"_links":{"self":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1651","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/comments?post=1651"}],"version-history":[{"count":2,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1651\/revisions"}],"predecessor-version":[{"id":1656,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1651\/revisions\/1656"}],"wp:attachment":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/media?parent=1651"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/categories?post=1651"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/tags?post=1651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}