
Change Auditor 7.1.1 - User Guide


Create and maintain jobs

In addition to viewing the details about previously defined jobs, use the Purge and Archive page to define and schedule new jobs, and edit, disable/enable or delete existing jobs.

Before scheduling a job, ensure that you have reviewed the best practice information in Planning your jobs.

1. Open the Administration Tasks tab and select Configuration | Purge and Archive.
2. Click Add to open the Purge and Archive wizard.
5. If required, select Purge and choose the records to be deleted from the production database.
   All events: Select this option to purge all events from the database that are older than the specified time.
   Only selected events: Select this option to purge only selected events, based on specific criteria, from the database that are older than the specified time.
   See Purge selected records for a description of the criteria options.
6. Select Archive events if you want to create an archive database. A yearly archive database will be created beginning on the first day of the selected month. For example, if you select Jan, the database will contain events for 12 months beginning on January 1.
7. Click Next.
9. Click Finish to save the job and exit the wizard.

2. Click Edit to open the Purge and Archive wizard.
4. Click Finish to save your selections and exit the wizard.

Purge and Archive wizard

The wizard opens when you click Add on the Purge and Archive page under Administration Tasks. Use this wizard to define the records to be purged or archived, and the cleanup schedule.

Before scheduling a job, ensure that you have reviewed the best practice information in Planning your jobs.

Purge events

If you select to purge events, specify the options that determine which events will be removed from the database.

All events: Select this option to purge all events from the database that are older than the specified time.

Only selected events: Select this option to purge only selected events, based on specific criteria, from the database that are older than the specified time.

Use the criteria tabs to define the events to be deleted:

If you specify criteria on more than one tab, the criteria specified on ALL of the tabs must be met before an event is deleted from the database or archived.

See Purge selected records for a description of the criteria tabs and options that appear to specify the records.

Archive events

When this option is selected, a yearly archive database will be created beginning on the first day of the selected month. For example, if you select Jan, the database will contain events for 12 months beginning on January 1. If you have also selected to purge events based on specific criteria, any events that remain will be moved to the archive database.

On the initial run of an archive or purge/archive job, an archive database is created on the same database server as your production Change Auditor database.

The name of the archive database is the production database name, appended with _Archive_, the year of your oldest event, and the selected month. Example: ChangeAuditor_Archive_2014_August

The *.mdf file will have the same name except that the date will be appended to the end. Example: ChangeAuditor_Archive_2014__August20150310163244.mdf

If the archive database is moved or deleted, a new archive database with the same name is created the next time an archive or purge/archive job runs (the *.mdf file name differs because a new date is appended).


Occurs

Specifies if the job is to be run on a weekly or monthly schedule.

The default is monthly.

NOTE: When Monthly is selected, specify the monthly schedule to be used to run the job. For example, 1 for every month (default), 2 for every other month, 6 for every six months or twice a year, etc.

Batch Limit

Specifies the maximum number of events to be purged for each cycle.

That is, the job task checks every five minutes to determine whether it needs to run a job. When the job runs, it purges by default a maximum of 500,000 events in that five-minute period. If there are more than 500,000 events to be purged, another 500,000 events are processed five minutes later, and so on until all of the events are purged or archived. If a job has 500,000 events or fewer, the job task checks again in the next five minutes and obeys the ‘next run’ time.
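The batch behaviour described above determines how long a large purge backlog occupies the database. The following is an added model, not Change Auditor code, that assumes the five-minute poll and 500,000-event default from the guide and lets you estimate the purge window for a given backlog and Batch Limit:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CHECK_INTERVAL = timedelta(minutes=5)  # the job task polls every five minutes (from the guide)
DEFAULT_BATCH_LIMIT = 500_000          # default Batch Limit per cycle (from the guide)
SAMPLE_START = datetime(2015, 3, 10, 0, 0)  # constructed clock start for the simulation


@dataclass
class Cycle:
    at: datetime    # when this five-minute cycle ran
    purged: int     # events removed in this cycle
    remaining: int  # backlog left after this cycle


def simulate_purge(pending, next_run, start=SAMPLE_START,
                   batch_limit=DEFAULT_BATCH_LIMIT, max_checks=10_000):
    """Model (an assumption, not product code) of one job run: each check either
    waits for next_run or, once the job has started, keeps purging up to
    batch_limit events per check until the backlog is gone."""
    cycles, now, running = [], start, False
    for _ in range(max_checks):
        if pending <= 0:
            break
        if running or now >= next_run:
            running = True
            purged = min(batch_limit, pending)
            pending -= purged
            cycles.append(Cycle(now, purged, pending))
        now += CHECK_INTERVAL
    return cycles


def purge_window(pending, batch_limit=DEFAULT_BATCH_LIMIT):
    """Return (number of cycles, delay from first to last cycle) for a backlog."""
    cycles = -(-pending // batch_limit)  # ceiling division
    return cycles, (cycles - 1) * CHECK_INTERVAL
```

Raising the Batch Limit shortens the window but makes each five-minute cycle heavier on the SQL Server, so size it against the production database's maintenance window.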

Every

When a Monthly schedule is selected, specifies on which day of the month the job is to be run.

When a Weekly schedule is selected, specifies the weekly schedule to be used to run the job. For example, 1 for every week, 2 for every other week, 3 for every third week, and 4 for every fourth week.

On Days

When a Weekly schedule is selected, defines the days of the week when the job is to be run.

The default is Monday through Friday.

Run Time

Defines the time of day when the job is to be performed.

The default start time is 12:00:00 AM.

Last Run

This read-only field specifies the last time (date and time) the job ran.

Next Run

This read-only field specifies the next time (date and time) when the job is scheduled to run.

5. Select Finish.

Purge selected records

Use the criteria tabs in the Purge and Archive wizard to define what specific records are to be deleted from the database. These tabs are enabled when you choose the Purge | Only selected events option.

Use the Who tab when you want to purge or archive events generated by specific users, computers, or groups. By default (when the Who tab is empty), change events generated by all users, computers, and groups will be deleted from the database or archived.

When multiple ‘who’ criteria are specified on this tab, Change Auditor uses the ‘OR’ operator to evaluate change events, purging or archiving events for activity performed by any of the users, computers, or groups listed on this tab.

1. From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to activate the criteria tabs.
4. After selecting one or more directory objects, click Select to save your selection and close the dialog.
   NOTE: Use Add with Events (instead of Add) to select users, computers, or groups that already have an event associated with them in the database. Use this to purge events tied to users who have been removed from Active Directory.
   NOTE: To purge events NOT generated by the users, computers, or groups listed on the Who tab, select the Exclude The Following Selection(s) check box at the top of the Who tab.

1. From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to activate the criteria tabs.
2. Open the Who tab, expand Add, and click Add Wildcard Expression.
   NOTE: If you used Add With Events instead, click Add Wildcard Expression on the Add Users, Computer, or Groups dialog.
   NOTE: When using the Group option, the Group Membership Expansion option on the Coordinator Configuration page (on the Administration Tasks tab) must be set to Expand all groups.
4. Click OK to close the dialog and add the wildcard expression to the Who tab.

Use the What tab to specify the ‘what’ criteria used to determine whether an event is to be purged from the database. By default (when the What tab is empty), all events, regardless of subsystem, event class, object class, severity, or result, are purged or archived.

When multiple ‘what’ criteria are specified on this tab, Change Auditor uses the ‘AND’ operator to evaluate an event, purging only those events that meet all the specified criteria. However, when multiple subsystems (such as Active Directory, ADAM, and Exchange) are specified, Change Auditor uses the ‘OR’ operator to evaluate these entries, purging or archiving events that meet any of the specified subsystem criteria. The same applies when multiple event classes are specified: Change Auditor uses the ‘OR’ operator, purging or archiving events of any of the specified classes.

1. From the Purge and Archive wizard, select Purge, and then enable Only selected events to activate the criteria tabs.
2. Open the What tab, expand Add (or Add With Events), and select the appropriate option. When you select an option, an additional dialog appears allowing you to enter specific criteria:
   Subsystem | Active Directory - Add Active Directory Container dialog
   Subsystem | AD Query - Add Active Directory Container dialog
   Subsystem | ADAM (AD LDS) - Select the agent that hosts the ADAM/LDS Instance dialog
   Subsystem | Exchange - Add Exchange Container dialog
   Subsystem | Office 365 - Office 365 dialog
   Subsystem | File System - Add File System Path dialog
   Subsystem | Group Policy - Add Group Policy Container dialog
   Subsystem | Local Account - Add Local Account dialog
   Subsystem | Logon Activity - Add Logons dialog
   Subsystem | Registry - Add Registry Key dialog
   Subsystem | Service - Add Service dialog
   Subsystem | SharePoint - Add SharePoint Path dialog
   Subsystem | SQL - Add SQL Instance dialog
   Subsystem | VMware - Add VMware Host dialog
   Event Class - Add Facilities or Event Classes dialog
   Object Class - Add Object Classes dialog
   Severity - Add Severities dialog
   Result - Add Results dialog
3. Once you have selected or entered the specific criteria, click Add to add it to the selection list at the bottom of the dialog.
4. Click OK to save your selection and close the dialog.

Use the Where tab to purge events captured by specific agents, domains, or sites. By default (when the Where tab is empty), events captured by all agents will be purged or archived.

When multiple ‘where’ criteria are added to this tab, Change Auditor uses the ‘OR’ operator to evaluate events, purging or archiving events that were captured by any of the specified agents, domains, or sites.

1. From the Purge and Archive wizard, select Purge, and then enable Only selected events to activate the criteria tabs.
Once you have located an agent, domain, or site, select it and click Add to add it to the selection list at the bottom of the dialog.
4. Click OK to save your selection and close the dialog.
   NOTE: Use Add With Events (instead of Add) to select agents, domains, or sites that already have an event associated with them in the database.
   NOTE: To purge or archive events NOT captured by the agents, domains, or sites listed on the Where tab, select the Exclude The Following Selection(s) check box at the top of the Where tab.

1. From the Purge and Archive wizard, select Purge, and then enable Only selected events to activate the criteria tabs.
2. Open the Where tab, expand Add, and click Add Wildcard Expression.
   NOTE: If you used Add With Events instead, click Add Wildcard Expression on the Add Agents, Domains, Sites dialog.
4. Click OK to close the dialog and add the wildcard expression to the Where tab.

1. On the Where tab, expand Add and select Add Server Types.
3. Click OK to close the dialog and add the server type to the ‘Where’ list.

Use the Origin tab to purge events originating from a specific workstation or server. By default (when the Origin tab is empty), events are purged regardless of the workstation or server from which they originated.

When multiple ‘origin’ criteria are specified on this tab, Change Auditor uses the ‘OR’ operator to evaluate events, purging or archiving events originating from any of the specified workstations or servers.

1. From the Purge and Archive wizard, select Purge, and then enable Only selected events to activate the criteria tabs.
4. Click OK to close the dialog and add the wildcard expression to the Origin tab.
   NOTE: To purge or archive events not originating from the workstations or servers listed on the Origin tab, select the Exclude The Following Selection(s) check box at the top of the Origin tab.

1. From the Purge and Archive wizard, select Purge, and then enable Only selected events to activate the criteria tabs.
2.
   NOTE: Use Add Wildcard Expression to enter a wildcard expression to include workstations/servers from this list based on their NetBIOS name or IP address.
4. Click OK to close the dialog and add the selected workstations to the Origin tab.
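The Who, What, Where, and Origin tabs combine their entries with different operators (OR within a tab, OR across subsystems and across event classes but AND across What categories, AND across tabs, and the Exclude check box inverting a tab's selection), which is easy to get wrong when checking what a job will actually delete. The following is an added model of those rules, not Change Auditor code; the Event record, the constructed sample events, and exact-match (non-wildcard) comparison are assumptions made for illustration:

```python
from dataclasses import dataclass

# Constructed event record for illustration; not Change Auditor's real schema.
@dataclass
class Event:
    who: str          # user, computer or group that made the change (Who tab)
    subsystem: str    # e.g. "Active Directory", "Exchange" (What tab)
    event_class: str  # e.g. "User Added" (What tab)
    severity: str     # e.g. "High" (What tab)
    agent: str        # agent that captured the event (Where tab)
    origin: str       # workstation/server the change came from (Origin tab)

@dataclass
class TabCriteria:
    """Who, Where or Origin tab: entries are OR'ed; an empty tab means no restriction."""
    values: frozenset = frozenset()
    exclude: bool = False  # "Exclude The Following Selection(s)" check box

    def matches(self, value: str) -> bool:
        if not self.values:
            return True
        hit = value in self.values
        return not hit if self.exclude else hit

@dataclass
class WhatCriteria:
    """What tab: values within one category are OR'ed, the categories are AND'ed."""
    subsystems: frozenset = frozenset()
    event_classes: frozenset = frozenset()
    severities: frozenset = frozenset()

    def matches(self, ev: Event) -> bool:
        pairs = [(self.subsystems, ev.subsystem),
                 (self.event_classes, ev.event_class),
                 (self.severities, ev.severity)]
        return all(not allowed or actual in allowed for allowed, actual in pairs)

def should_purge(ev, who, what, where, origin) -> bool:
    # Criteria on different tabs are AND'ed: every tab must match before an event goes.
    return (who.matches(ev.who) and what.matches(ev)
            and where.matches(ev.agent) and origin.matches(ev.origin))

def select_for_purge(events, who=TabCriteria(), what=WhatCriteria(),
                     where=TabCriteria(), origin=TabCriteria()):
    """Return the events the job would delete or archive under these criteria."""
    return [ev for ev in events if should_purge(ev, who, what, where, origin)]

# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    Event("alice", "Active Directory", "User Added", "High", "agent1", "ws1"),
    Event("bob", "Exchange", "Mailbox Created", "Low", "agent2", "ws2"),
    Event("svc_old", "Active Directory", "Group Modified", "Medium", "agent1", "ws3"),
]
```

Running a candidate criteria set through this model against a sample of your own events, before scheduling the job, shows whether the Exclude flag or a cross-tab combination would discard more audit history than intended.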
