We are partially receiving the logs from Domain controllers.
The setup we have is more than 20 AD servers, including domain controllers. These logs are forwarded to the Bindplane WEC server, and from WEC to Chronicle (SecOps). The setup is agentless.
As observed, a few event logs like 4725, 4726 and 4720 etc. are not getting ingested to the WEC server, as we checked in the Event Viewer (Forwarded Events section) of the WEC server (Bindplane).
Has anyone faced the same issue?
I've not personally seen that issue. Is it only a certain category of log? Can you email support@bindplane.com and open a ticket?
Hi,
From my experience, I believe the issue you described is not related to BindPlane or SecOps.
A single WEC server typically doesn't have the capacity to collect logs from 20 AD servers; that's a significant volume of data.
You can confirm this assumption by simulating an event from an AD server and checking whether it appears in the local server's Event Logs, specifically under the Forwarded Events section on the WEC server.
If the event does not appear there, it indicates that the issue lies in the log forwarding process between your Windows servers, and therefore the event will not be ingested into BindPlane.
I highly recommend reviewing this stage before checking log ingestion at the BindPlane or SecOps level.
I usually resolve this issue for clients by following these steps:
1. In the WEC configuration, change the log collection method to source-initiated instead of collector-initiated.
2. Deploy additional WEC servers and distribute the load between them (this can be controlled via Windows GPO).
If the two previous steps are not an option, consider installing an agent on each server.
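One way to perform the check described above from the WEC server itself, as an added example that is not part of the original thread: it reads the subscription runtime status and then reports, per source DC, which of the event IDs from the question are absent from the Forwarded Events log. The subscription name and DC hostnames are placeholders.

```powershell
# Added example, not from the thread. Run on the WEC server in an elevated session.
function Test-ForwardedEventCoverage {
    param(
        [string]$Subscription   = 'DC-Security',          # assumed subscription name
        [string[]]$SourceComputers = @('DC01', 'DC02'),   # assumed DC hostnames
        [int[]]$ExpectedIds     = @(4720, 4725, 4726),    # IDs reported missing above
        [int]$LookbackHours     = 24
    )

    # Runtime status per source: shows sources that never connected or whose last
    # heartbeat is old, i.e. a forwarding problem upstream of BindPlane.
    wecutil gr $Subscription

    # Pull only the expected IDs from the Forwarded Events log for the window.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'ForwardedEvents'
        Id        = $ExpectedIds
        StartTime = $since
    } -ErrorAction SilentlyContinue   # no matches raises an error; treat as empty

    # Index what actually arrived by (source host, event id).
    $seen = @{}
    foreach ($e in $events) {
        $src = ($e.MachineName -split '\.')[0].ToUpperInvariant()
        $seen["$src|$($e.Id)"] = $true
    }

    # Emit one row per expected (source, id) pair so gaps are obvious.
    foreach ($dc in $SourceComputers) {
        foreach ($id in $ExpectedIds) {
            $key = "$($dc.ToUpperInvariant())|$id"
            [pscustomobject]@{
                Source  = $dc
                EventId = $id
                Status  = if ($seen.ContainsKey($key)) { 'Present' } else { 'MISSING' }
            }
        }
    }
}

Test-ForwardedEventCoverage | Format-Table -AutoSize
```

A row marked MISSING for an event you just simulated on that DC confirms the gap is in the WEC forwarding stage, so the subscription or collector capacity should be reviewed before looking at BindPlane or SecOps.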