WORKAROUND:
Note 1: This workaround assumes the issue is actively impacting Change Auditor event forwarding to On Demand Audit. This is not a preventative workaround.
Note 2: If this issue is not yet occurring in the environment, the Change Auditor version is 7.1.0 or below, and you would like to determine when it will occur, take the following steps on the coordinators in your Installation(s):
- Run the CertLM.msc command from a command prompt on the coordinator servers in the Installation
- Expand Personal | Certificates
- Take note of the Expiration Date on the ‘OnDemandAuditCAIntegration’ certificate. After that date, if the coordinator server is involved in an active subscription to forward events to On Demand Audit, event forwarding will be interrupted until the workaround steps below are taken.
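The same expiration check can be scripted across several coordinators. The following is an added example, not part of the original article or a Quest-supplied script. It assumes PowerShell remoting is enabled on the coordinators, uses placeholder server names, and matches the certificate name against both Subject and FriendlyName because the article only gives the name as shown in CertLM.msc. The 30-day warning threshold is also an assumption.

```powershell
# Added example: report the expiry of the On Demand Audit integration
# certificate on each coordinator. Server names are placeholders (assumption).
$Coordinators = @('COORDINATOR01.example.local', 'COORDINATOR02.example.local')
$CertName     = 'OnDemandAuditCAIntegration'   # certificate name given in this article
$WarnDays     = 30                              # assumed warning threshold, adjust as needed

function New-Row($Server, $Status, $NotAfter, $DaysLeft, $Thumbprint) {
    [pscustomobject]@{
        Coordinator = $Server; Status = $Status; NotAfter = $NotAfter
        DaysLeft = $DaysLeft; Thumbprint = $Thumbprint
    }
}

$report = foreach ($server in $Coordinators) {
    try {
        # Local Machine "Personal" store, the same store CertLM.msc displays.
        $certs = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            param($name)
            Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object { $_.Subject -like "*$name*" -or $_.FriendlyName -like "*$name*" } |
                Select-Object Subject, FriendlyName, Thumbprint, NotAfter
        } -ArgumentList $CertName
    }
    catch {
        # Remoting failed; record it so the coordinator is not silently skipped.
        New-Row $server 'UNREACHABLE' $null $null $null
        continue
    }

    if (-not $certs) {
        New-Row $server 'NOT FOUND' $null $null $null
        continue
    }

    foreach ($cert in $certs) {
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'EXPIRING SOON' }
                  else { 'OK' }
        New-Row $server $status $cert.NotAfter $daysLeft $cert.Thumbprint
    }
}

# Soonest expiry first; unreachable and not-found rows sort to the top.
$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

A coordinator reported as EXPIRED that is part of an active subscription matches the condition described above, where event forwarding is interrupted until the workaround is applied.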
If you are currently experiencing this issue:
- Sign in to On Demand
Note: Take care at this point to document the Deployment Region and Organization Name in use
- Navigate to the Audit module and then the Configuration tab
- Click the ellipsis in the top-right corner of the impacted Change Auditor Installation(s) tile(s) and select the 'Remove Installation' option
- When prompted with the warning, "Remove Installation. Are you sure you want to remove this Change Auditor installation? This will cause events to stop being forwarded from Change Auditor." click OK
- When prompted with the warning, "Error Removing Installation. We were unable to contact the coordinators associated with this Change Auditor installation. Do you want to remove this installation anyway?" click OK
- On one of the Change Auditor coordinator servers from the impacted Installation in your environment, find PowerShell ISE, right-click the application and select 'Run as Administrator'. Copy/paste the following script into the PowerShell editor:
# Load the Change Auditor PowerShell modules (default client installation path)
import-module 'C:\Program Files\Quest\ChangeAuditor\Client\ChangeAuditor.PowerShell.dll'
import-module 'C:\Program Files\Quest\ChangeAuditor\Client\ChangeAuditor.PowerShell.Internal.dll'
# Connect to the impacted Installation, then remove its On Demand Audit configuration
$connection = Connect-CAClient -InstallationName 'MY_CHANGE_AUDITOR_INSTALLATION_NAME_HERE' -DomainName 'MY_DOMAIN_FQDN_HERE'
Remove-CAODAConfiguration $connection
Note 1: Replace the following parameters with the respective values from your environment:
-InstallationName 'MY_CHANGE_AUDITOR_INSTALLATION_NAME_HERE'
-DomainName 'MY_DOMAIN_FQDN_HERE'
Note 2: The script above assumes the Change Auditor client has been installed to the default path. The import-module commands may need to be updated to reflect the Change Auditor client installation path.
- Restart the ‘Quest Change Auditor Coordinator’ service on ALL Change Auditor coordinator servers in the impacted Installation
- Open the Change Auditor client, connect to the impacted Installation and navigate to View | Administration | Configuration | On Demand Audit
- Click the ‘Sign in and Configure’ button and re-configure the Change Auditor Installation with On Demand Audit. Ensure the previously used Deployment Region and Organization Name are selected
- Event forwarding from Change Auditor will now resume from the last successfully forwarded event time-stamp/position
- Wait 5-10 minutes and confirm that the Change Auditor Installation shows the "Connected and receiving events" status in the Audit Configuration tab
Note: Depending on the duration of the interruption and the number of events to be forwarded, it may take some time for event forwarding to catch up.
STATUS
Resolved in Change Auditor 7.1.1 GA and higher.
Note: The fix for this issue is preventative and addresses the issue moving forward. Upgrading to 7.1.1 alone will not resolve the scenario described above, where Change Auditor event forwarding is in a failure state due to expired certificate(s).
If the Change Auditor Installation is currently in the problem state described in the Problem Description, first implement the workaround described above and then upgrade to 7.1.1 to prevent re-occurrence of the issue moving forward.