Chat now with support
Chat mit Support

Change Auditor 7.2 - User Guide

Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Disable Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags

Search Results page

A new results page is created whenever a search is run. When a search is run, this page displays detailed information about the events found as a result of the search. This page consists of the following panes:

Search Results grid

The Search Results grid displays the events captured as a result of running a search from the Searches page. The top area of the grid displays the following information:

Use the Refresh button to redisplay the latest information.
When a large number of records are being captured for display, the Refresh button will become a Cancel button allowing you to cancel the search.

By default, the grid contains the following information about the events returned when a search is run. (You can specify the columns, sort order and grouping for a search, as well as the display format by using the Layout search properties tab.)

Action

Displays what change was made to the object.

AD Failure Reason

Displays the reason for the Active Directory failed event.

AD Failure Status Code

Displays the failure code for the Active Directory failed event.

Coordinator ID

The coordinator that processed the event.

Domain

Displays the name of the domain to which the agented server belongs.

Event

Displays the type of change that occurred.

Facility

Defines the event class facility to which the change event belongs.

Result

Indicates whether the operation mentioned in the event was successfully completed. Valid states are:

Server

Displays the name of the server where the change occurred.

Severity

Displays the severity assigned to a configuration change event:

Site

Displays the name of the site where the agented server resides.

Subsystem

Defines the subsystem, or area of auditing, where the change event occurred.

Time Detected

Displays the date and time when the agent captured the event.

User

Displays the name of the user who initiated the change.

Search Properties tabs

From a Search Results page, use the Search Properties tool bar button to display the Search Properties tabs across the bottom of the screen. This view consists of tabbed pages defining the criteria or properties which make up the selected search.

For a detailed description of the Info, Who, What, Where, Origin and Layout tabs and how to use them to create a custom search, refer to Custom Searches and Search Properties. For more information about the Alert tab, see Enable Alert Notifications and the Report tab, see Generate and Schedule Reports.

Event Details pane

Use the Event Details button on a Search Results page, Overview page, or Alert History page to display the Event Details pane. You can also double-click an event in the search results grid to display the Event Details pane for the selected event.

The following details about the selected event selected are available:

Severity

The severity level assigned to the search is displayed in the upper left-hand corner.

Who

This field specifies the name of the user who initiated the change. If available, the display name of the user account is also displayed in parenthesis.

When

This field specifies the date and time when the change occurred.

Where

This field displays the name of the server where the change occurred.

Source

This field displays the source of the event:

NOTE: If the Source field displays ‘ActiveRoles’ (instead of ‘ActiveRoles Server’) you are not using the latest integration scripts. If you want to take advantage of the additional events and initiator account information captured using the new integration scripts, ensure you are running Active Roles 6.9 (or higher) with Change Auditor for Active Directory 6.5 (or higher).

Origin

This field displays the NetBIOS name and IP address of the workstation or server from which the event was generated.

What

Displays a brief description of the change that occurred. There are three basic types of events generated that determine the ‘what’ information that will be displayed:

Depending on the type of event, additional details may be displayed at the bottom of this pane.

Result

Indicates whether the operation mentioned in the event was successfully completed. Valid states are:

Subsystem

The first field defines the subsystem, or area of monitoring, where the change event occurred (for example, Active Directory, Service, or Group Policy).

Action

This field defines the action associated with the selected event.

Facility

This field defines the event class facility to which the change event belongs.

Class

For Active Directory and Exchange events, this field displays the object class that was modified, such as user, group, computer, nTDSConnection, CrossRefContainer.

Attribute

If an attribute has been added, deleted or modified, this field displays the name of the attribute.

Type

For Active Directory events associated with groups, this field displays the type of group that was modified (for example, Global (Security), Domain Local (Security)).

For AD Query events, this field displays the type of query:

Object

For Active Directory and Exchange events, this field displays the name of the object that was modified.

Authentication

Indicates whether the LDAP operation is secured using the SSL (Secure Socket Layer)/ TLS (Transport Layer Security) technology, simple bind authentication, or signed using Kerberos-based encryption.

Port

For Active Directory, AD Query, and Exchange events, this field indicates the port used for authentication.

Scope

For AD Query events, this field displays the scope of coverage:

Results

For AD Query events, this field displays the number of results returned as a result of the query.

Occurrences

For AD Query events, this field displays the number of times the AD query occurred during the specified interval.

Since

For AD Query events, this field displays the date and time when the AD query was first initiated.

Elapsed

For AD Query events, this field displays how long the AD query took to run. Zero (0) indicates that it took less than a millisecond to complete.

Filter

For AD Query events, this text box displays the filter string used in the AD query.

Attributes

For AD Query events, this text box displays the attributes that were queried.

Path

For File System events (including EMC and NetApp), this field displays the full path of the file or folder where the modification occurred.

Process

For File System events, this field is populated with the full path of the application responsible for the file change.

Service

For Service events, this field displays the name of the services that were modified.

Key

For Registry events, this field displays the name of the registry key that was modified.

Value

For Registry events, this field displays the registry value that was modified.

Policy

For Group Policy events, this field displays the name of the group policy that was modified.

Section

For Group Policy events, this field displays what section of the group policy was modified.

Item

For Group Policy events, this field displays the group policy item that was modified.

Account

For Local Account events, this field displays the local account that was modified.

From

This text box lists the old value that was assigned to the object.

To

This text box lists the new value that is now assigned to the object.

Farm

For SharePoint events, this field displays the name of the SharePoint farm to which the modified component belongs.

URL

For SharePoint events, this field displays the name of the SharePoint site to which the modified component belongs.

Target

For SharePoint events, this field displays the URL of the SharePoint item that was modified.

Mailbox

For Office 365 Exchange Online mailbox events, this field displays the account name of the online mailbox where the change occurred.

Folder

For Office 365 Exchange Online mailbox events, this field displays the folder name where the change occurred.

Cmdlet

For Office 365 Exchange Online administration events, this field displays the name of the administrative cmdlet what was run.

Object

For Office 365 Exchange Online administration events, this field displays the name of the object within the administrative cmdlet that was modified.

Logon Start

For Logon Session events, this attribute displays the date and time when the user initially logged onto the computer.

Logon End

For Logon Session events, if applicable this attribute displays the date and time when the user logged out of the computer.

Duration

For Logon Session events, depending on the event this attribute displays how long the user session lasted or how long the user was actually logged onto the computer.

Session Start

For Logon Session events, this attribute displays the date and time when the current user session began.

Session End

For Logon Session events, if applicable this attribute displays the date and time when the current user session ended.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen