
Change Auditor 7.3 - User Guide


Administration Task lists

The following table lists the navigation pane’s task lists and a description of the administrative tasks that you can perform. Many of the tasks listed require a specific license, which is indicated by the following codes in the last column of the table:

To hide unlicensed Change Auditor features from the Administration Tasks tab (including unavailable audit events throughout the client), use Action | Hide Unlicensed Components.

Configuration: The following tasks are available in the Configuration task list:

Agent

Define and assign agent configurations.

For more information, see Agent Configurations.

Any

Coordinator

Enable email alert notifications/reports, configure mail server to be used for SMTP alerting/reporting, configure the ability to send reports to a shared folder, define group membership expansion, modify agent heartbeat check interval, and select which coordinators will process scheduled reports, purge, and archive jobs.

For more information, see Coordinator Configuration.

Any

Purge and Archive Jobs

Define and schedule purge jobs for deleting events from the production database.

Define and schedule archive jobs to create a yearly archive database for older events that are no longer required to be represented in your reports.

For more information, see Purging and Archiving your Change Auditor Database.

Any

Private Alerts and Reports

View and manage all private search queries where alerting and/or reporting has been enabled.

For more information, see Disable Private Alerts and Reports.

Any

SQL Reporting Services

Define SQL Reporting Services (SRS) templates that define all the necessary Report Server information (URL and credentials) and Change Auditor data source information for publishing reports. These templates can then be made available to users who choose to publish Change Auditor reports to SRS.

For more information, see SQL Reporting Services Configuration.

Any

Report Layouts

Define report layout templates which contain the header/footer information to be used in reports.

For more information, see Generate and Schedule Reports.

Any

Application User Interface

Define who is authorized to use the various Change Auditor client features.

In addition, you can define who is authorized to view the Active Directory and Group Policy protection tasks in Change Auditor.

For more information, see Change Auditor User Interface Authorization.

Any

Client Authentication

Specify the authentication method that all clients will use to access Change Auditor. Two methods are available: Windows Forms authentication or Active Directory Client Certificate authentication.

For more information, see Client Authentication.

Any

Event Subscriptions

Configure and manage a Splunk integration. You can add, edit, delete, and view event subscriptions. For more information, see the Change Auditor SIEM Integration Guide.

Any

Auditing: The Auditing task list is divided into separate lists that identify configuration tasks, forest-level tasks that are globally applied, tasks that define auditing for different applications, server-level tasks that must be assigned to an agent configuration, and tasks that define NAS device auditing.
Configuration: Use the tasks under this heading to configure the audit events to be captured by Change Auditor and to define accounts that are to be included and excluded from auditing.

Audit Events

Enable/disable event auditing and modify an event’s severity level or description.

For more information, see Enable/Disable Event Auditing.

Any

Excluded Accounts

Create Excluded Accounts templates to define individual accounts that are to be excluded from Change Auditor auditing.

For more information, see Account Exclusion.

Any

Forest: Use the tasks under this heading to define custom auditing definitions for your Active Directory forest.

Active Directory

Define custom Active Directory object class auditing.

For more information, see the Quest Change Auditor for Active Directory User Guide.

CAAD

Define custom Active Directory attribute auditing.

For more information, see the Quest Change Auditor for Active Directory User Guide.

CAAD

Define a Member of Group auditing list to specify the users to be audited based on their group membership.

For more information, see the Quest Change Auditor for Active Directory User Guide.

CAAD

Define the Active Directory containers that are to be included and excluded from AD query auditing.

For more information, see the Quest Change Auditor for Active Directory Queries User Guide.

CAAD-Q

Active Directory Federation Services

Define Active Directory Federation Services auditing.

For more information, see the Quest Change Auditor for Active Directory User Guide.

CALA

Active Directory Database

Define the Active Directory database auditing.

For more information, see the Quest Change Auditor for Active Directory User Guide.

CAAD

ADAM (AD LDS)

Define custom ADAM (AD LDS) object auditing.

For more information, see the Quest Change Auditor for Active Directory User Guide.

CAAD

Define custom ADAM (AD LDS) attribute auditing.

For more information, see the Quest Change Auditor for Active Directory User Guide.

CAAD

Applications: Use the tasks under this heading to define auditing for different types of applications within your environment.

Exchange Mailbox

Define an Exchange Mailbox auditing list to specify which directory object’s mailbox activities are to be audited by Change Auditor for Exchange.

For more information, see the Quest Change Auditor for Exchange User Guide.

CAEX

Office 365

Specify the Office 365 service and Exchange Online mailboxes that are to be audited by Change Auditor for Exchange and Change Auditor for SharePoint.

For more information, see the Office 365 and Azure Active Directory Auditing User Guide.

CAEX

CASP

SQL

Create SQL Auditing templates to define the SQL instances and operations that are to be audited.

Create SQL Data Level Auditing templates to define the operations that are to be audited.

For more information, see the Quest Change Auditor for SQL Server User Guide.

CASQL

SharePoint

Create SharePoint Auditing templates to define the SharePoint farm to be audited and the Change Auditor agent to be used to audit this farm.

For more information, see the Quest Change Auditor for SharePoint User Guide.

CASP

Server: Use the tasks under this heading to create auditing templates that can then be assigned to agent configurations to enable custom server-level auditing.

File System

Create File System Auditing templates to define the files/folders that are to be audited.

For more information, see the Quest Change Auditor for Windows File Servers User Guide.

CAFS

Registry

Create Registry Auditing templates to define the registry keys and events that are to be audited.

For more information, see Registry Auditing.

Any

Services

Create Service Auditing templates to specify the system services that are to be audited.

For more information, see Service Auditing.

Any

NAS: Use the tasks under this heading to create auditing templates for NAS devices. For more information, see the Quest Change Auditor for NetApp User Guide, the Quest Change Auditor for EMC User Guide, and the Quest Change Auditor for Fluid File System User Guide.

EMC

Create a separate EMC Auditing template for each CIFS file access protocol to be audited by Change Auditor, defining the EMC file server (CIFS), auditing scope and Change Auditor agents that are to receive the EMC audit events.

CAEMC

NetApp

Create a separate NetApp Auditing template for each NetApp filer to be audited by Change Auditor, defining the location of the NetApp filer, the auditing scope, and the Change Auditor agents that are to receive the NetApp filer audit events.

CANA

FluidFS

Create a separate FluidFS Auditing template for each file server to be audited by Change Auditor, defining the cluster, the auditing scope, and the Change Auditor agents that are to receive the audit events.

CAFFS

Protection: The Protection task list is divided into separate task lists as well: one for forest-level tasks that are globally applied, one for tasks that define protection for applications, and another for server-level tasks that must be assigned to an agent configuration. To use Active Directory Protection templates, you must be logged in to Change Auditor with an account with Enterprise Admin privileges.
Forest: Use the tasks under this heading to define global protection definitions for your Active Directory forest. For more information, see the Quest Change Auditor for Active Directory User Guide.

Active Directory

Create Active Directory Protection templates to define critical Active Directory objects that are to be protected against unauthorized modifications.

CAAD

ADAM (AD LDS)

Create ADAM (AD LDS) Protection templates to define critical ADAM objects that are to be protected against unauthorized modifications.

CAAD

Group Policy

Create Group Policy Protection templates to define critical Group Policy objects that are to be protected against unauthorized modifications.

CAAD

Active Directory Database

Create Active Directory Database Protection templates to prevent copying of, and other tampering with, the Active Directory database (NTDS.dit) file. Extraction of this file could allow usernames and passwords to be parsed from it, resulting in a security breach.

CAAD

Applications: Use the task under this heading to define global protection for your Exchange Mailbox application. For more information, see the Quest Change Auditor for Exchange User Guide.

Exchange Mailbox

Create Exchange Mailbox Protection templates to define critical Exchange Mailboxes that are to be protected against unauthorized modifications.

CAEX

Server: Use the task under this heading to create protection templates that can then be assigned to agent configurations to enable server-level protection. For more information, see the Quest Change Auditor for Windows File Servers User Guide.

File System

Create File System Protection templates to define critical files/folders that are to be protected against unauthorized modifications.

CAFS

Export/import Administration Task settings

Using the Export and Import commands on the Action menu, you can export/import the settings defined on the various Administration Tasks tabs. Selecting one of these commands allows you to select the configuration, auditing, and protection settings to be exported/imported.

Select to export all agent configurations including the settings and auditing and protection template assignments.

When selected, the auditing and protection templates that must be assigned to agent configurations are selected by default, and cannot be cleared.

Select to export the coordinator configuration settings.

This option is not selected by default.

Select to export Change Auditor client feature authorizations.

This option is not selected by default.

Select to export any Report Layout templates.

Select to export any scheduled purge jobs.

Select to export the audit event settings, such as enabled/disabled events, event severity and descriptions.

Select to export any Excluded Accounts templates.

NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

Select to export any custom Active Directory auditing definitions.

Select to export any custom Active Directory attribute auditing definitions.

Select to export the contents of the Member of Group list.

Select to export the contents of the AD Query list.

Select to export any ADAM (AD LDS) auditing definitions.

Select to export any ADAM (AD LDS) attribute auditing definitions.

Select to export the Office 365 Exchange Online mailbox auditing list.

Select to export the Exchange mailbox auditing list.

Select to export any SQL auditing templates.

NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

Select to export any SharePoint auditing templates.

Select to export any File System auditing templates.

NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

Select to export any Registry auditing templates.

NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

Select to export any Service auditing templates.

NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

Select to export any EMC auditing templates.

Select to export any NetApp auditing templates.

Select to export any FluidFS auditing templates.

Select to export any Active Directory protection templates.

Select to export any ADAM (AD LDS) protection templates.

Select to export any Group Policy protection templates.

Select to export any Exchange Mailbox protection templates.

Select to export any File System protection templates.

NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

3. Click OK to export the selected settings into an XML file.

4. On the Save Configuration dialog, select the location where the XML file is to be saved. By default, the name of the file is Change Auditor Configuration; however, you can change this in the File name field. Click Save.

NOTE: A similar dialog appears when you use the Action | Import menu command. From this dialog, you can then select the configuration, auditing and protection settings to be imported.

Agent Configurations

Introduction

Change Auditor assigns the default configuration to each agent, including both server agents and workstation agents, during deployment.

The default configuration consists of the following settings:

You can define and assign different agent configurations to each deployed server agent from the Agent Configuration page on the Administration Tasks tab. However, workstation agents always use the default configuration; they cannot be assigned to a different agent configuration.

When the default configuration is modified, workstation agents will only receive these modifications when the polling interval determines there has been a change; clicking Refresh Configuration on the Agent Configuration page only pushes agent configuration changes out to server agents.

To enable custom auditing and protection, you must assign templates to an agent’s configuration. The custom auditing and protection features that require custom templates to be assigned to an agent’s configuration are:

NOTE: The NetApp, EMC, SharePoint, and Office 365 auditing templates define which agents are used to capture events; however, these templates do not use the agent configurations from the Agent Configuration page as described in this section. See the Quest Change Auditor for NetApp User Guide, the Quest Change Auditor for EMC User Guide, the Quest Change Auditor for SharePoint User Guide, and the Office 365 and Azure Active Directory Auditing User Guide.

 
