Extremely new here , so forgive me, and I'm also trying to improve an existing production system. We have an Active Directory infrustructure and we have three critical services where we actually authenticate to the applicable 3rd party, and in turn they access our network through the F5 to authenticate to one of our three load balanced domain controllers. initially, we thought it would just be a matter of turning on our Active Directory Audit policies and dump the logs to our graylog server and we'd be able to monitor success and failure security logs.
This has proven to be insufficient because you can't really get good authentication information from AD Domain controllers directly about specific server logins because that type of audit is best performed at the server level receiving the login requests. The other problem is these 3rd party servers are possesed by the 3rd partys. We had a theory that since the 3rd party servers use a url that points to the F5, we should be able to get the type of security logs we want from the virtual server that passes off the request to the DC's.
What we like to know is how do we configure this virtual server to first create its security logs and then to dump them to our greylog server.