Do logs of domain controllers replicate between them?

Clement 21 Reputation points
2021-02-26T18:45:37.24+00:00

Hi,
I'm trying to centralize the logs of our two ADs, with nxlog, in a Graylog server.

I noticed that some logs were duplicated, identical (same date, same message, same users, etc.) apart from the source. (For example, I got a security log about a failed logon from a user twice, from AD1 and AD2, with the same timestamp.)

Do all logs replicate, or only some, like the "security" ones?
What should I send to Graylog to monitor our domain?

PS: sorry for bad English, it is not my natural language...


Accepted answer
  1. Anonymous
    2021-03-01T06:34:45.113+00:00

    Hello @Clement ,

    Thank you for posting here.

    By default, logs between DCs are not replicated to each other.

    At first glance it seems the timestamp "2021-02-26 13:11:42.000 +00:00" is the time that the messages display.

    Or the timestamp "2021-02-26 13:11:42.000 +00:00" is the time that the message was reported from AD1 to nxlog on the Graylog server (and the same time that the message was reported from AD2 to nxlog on the Graylog server).

    As for whether the actual timestamp is the same or not, we can check on both AD1 and AD2.

    Should you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou
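
An added example, not part of any answer in this thread: one way to check on the collector side whether look-alike messages are re-sent copies of one log entry or separate entries written by each DC. The field names (`Hostname`, `RecordNumber`, `EventID`, `EventTime`, `TargetUserName`, `IpAddress`) are assumptions about what nxlog forwards in this setup, and the sample records, including event ID 4625, are constructed.

```python
from collections import defaultdict

# Constructed sample records. Field names follow nxlog's Windows event log
# input (Hostname, RecordNumber, EventID, EventTime) and are assumptions
# about this setup; event ID 4625 and all values are made up for illustration.
BASE = {"EventID": 4625, "EventTime": "2021-02-26 13:11:42",
        "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"}
SAMPLE = [
    {**BASE, "Hostname": "AD1", "RecordNumber": 88101},
    {**BASE, "Hostname": "AD2", "RecordNumber": 51977},
    {**BASE, "Hostname": "AD1", "RecordNumber": 88101},  # same entry shipped twice
    {"EventID": 4625, "EventTime": "2021-02-26 13:15:03",
     "TargetUserName": "asmith", "IpAddress": "10.0.0.22",
     "Hostname": "AD2", "RecordNumber": 51990},
]

# Fields that make two messages look "identical apart from the source".
CONTENT_KEYS = ("EventID", "EventTime", "TargetUserName", "IpAddress")


def triage(records):
    """Group look-alike messages and say where each group really came from."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[k] for k in CONTENT_KEYS)].append(rec)

    findings = []
    for key, recs in groups.items():
        # (Hostname, RecordNumber) identifies one entry in one DC's own log.
        entries = {(r["Hostname"], r["RecordNumber"]) for r in recs}
        hosts = sorted({host for host, _ in entries})
        findings.append({
            "key": key,
            "hosts": hosts,
            "distinct_entries": len(entries),
            "resent_copies": len(recs) - len(entries),
            "logged_on_several_dcs": len(hosts) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A group with several hosts and distinct record numbers means each DC wrote its own entry, so both messages should be kept; only `resent_copies` counts messages that are safe to drop as delivery duplicates.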


4 additional answers

  1. Michal Barták 231 Reputation points
    2021-02-26T19:06:06.093+00:00

    Hi,

    Logs are not replicated (by default).

    Maybe your client, on failed authentication, tried to authenticate to another DC. That is why you see it "duplicated" although it is actually not.

    Send logs from all DCs to your Graylog.


  2. Clement 21 Reputation points
    2021-02-26T19:14:14.587+00:00

    Shouldn't there be a time lag between the two attempts?


  3. Clement 21 Reputation points
    2021-03-03T17:09:35.96+00:00

    Hi,
    After a few tests, I conclude that logs were not replicated; it seems that the client tried to log on to both DCs at the same time, I think...

    Thank you all for your help ^^


  4. Akshay N V 1 Reputation point
    2022-09-21T12:18:02.23+00:00

    Is there any option to enable log replication?