How would I go about using a Rule in LEM to audit all account actions (creation, modification, enabling, disabling, removal)? I have a rule set up to use certain logs (e.g. UserModifyAttribute.ProviderSID = Microsoft-Windows-Security-Auditing 4720), but when I test it by creating a new user in AD, nothing appears. I tried adding a GPO with all the settings advised in the SolarWinds KB Configure LEM Audit Policy Information, but still no logs coming in after new user is created.
↧