Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Change Auditor 7.3 - User Guide

Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Disable Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags

Right-click commands

The following table lists the commands which are available through right-click functionality. The commands are listed in alphabetical order with a reference to the pages from which they can be accessed.

Add Application Group

Administration Tasks tab:

Add Task Definition

Administration Tasks tab:

Add Role Definition

Administration Tasks tab:

Alert

Enable Transport

Disable Transport

Disable Alert

History

Delete History

Searches page - Search definition (right pane)

NOTE: The History and Delete History options are only displayed when alerting has been enabled for a search.

All Results

Administration Tasks tab:

Assign

Administration Tasks tab:

Assign to Configuration

Administration Tasks tab:

Audit

Exchange Mailbox Auditing page - excluded mailbox

Clear Result

Deployment page - agent

Collapse All

Searches page - folder (left pane)

Comments

Overview page - event (data grid)

Search Results page - event (data grid)

Copy

Administration Tasks tab:

Event Details pane (text boxes)

Overview page - event (data grid)

Search Properties tabs:

Searches Results page - event (data grid)

Searches page:

Credentials

Deployment page - agent

Cut

Administration Tasks tab:

Search Properties tabs:

Searches page:

Delete

Administration Tasks tab:

Search Properties tabs:

Searches page:

Disable

Administration Tasks tab:

Overview page - event (data grid)

Search Results page - event (data grid)

Disable Alert

Private Alerts and Reports page

Disable Report

Private Alerts and Reports page

Edit

Administration Tasks tab:

Email

Overview page - event (data grid)

Search Results page - event (data grid)

Enable

Administration Tasks Tab:

Overview page - event (data grid)

Search Results page - event (data grid)

Event Details

Overview page - event (data grid)

Search Results page - event (data grid)

Exclude

Exchange Mailbox Auditing page - audited mailbox

Expand All

Searches page - folder (left pane)

Export

Searches page:

Hide Properties

Searches page:

Agent Statistics page - agent

High/Medium/Low

Administration Tasks tab:

Import Folder

Searches Page - folder (left pane)

Import Search

Searches Page - folder (left pane)

Install or Upgrade

Deployment page - agent

Knowledge Base

Administration Tasks Tab:

Overview page - event (data grid)

Search Results page - event (data grid)

Logs

Agent Statistics page - agent

Coordinator Statistics page - coordinator

Deployment page - agent

Move

Searches page:

New

Searches Page:

Overviews

Overview page - event (data grid)

Paste

Administration Tasks tab:

Search Properties tabs:

Searches page:

Redo

Administration Tasks tab:

Search Properties tabs:

Refresh Configuration

Administration Tasks tab:

Refresh Status

Deployment page - agent

Rename

Searches page - folder (left pane)

Report

Searches page - search definition (right pane)

Restart Agent

Agent Statistics page - agent

Run

Searches page - Search definition (right pane)

Scope

Exchange Mailbox Auditing page - audited mailbox

Search Properties

Search Results page - event (data grid)

Security

Active Directory Protection page - object

Group Policy Protection page - object

Select All

Administration Tasks tab:

Event Details pane - text boxes

Search Properties tabs:

Set Agent Uninstalled

Agent Statistics page - agent

Set As My Favorite

Searches page - Search definition (right pane)

Set Coordinator Uninstalled

Coordinator Statistics page - coordinator

Show Properties

Searches page

Agent Statistics page -agent

Start Agent

Agent Statistics page - agent

Stop Agent

Agent Statistics page - agent

Success Only

Administration Tasks tab:

Success and Protected Only

Administration Tasks tab:

Success and Failed Only

Administration Tasks tab:

Undo

Administration Tasks tab:

Search Properties tabs:

Uninstall

Deployment page - agent

 

Change Auditor Email Tags

The Alert Body Configuration dialog allows you to edit the plain text and the HTML representation of alert emails. It consists of the following tabbed pages:

Preview - is for previewing a sample of what your customized email will look like.
Main Body - to define the overall content and layout of the alert email body.
Event Details - to define the details to be included for each event included in the alert email.
Signature - to define the signature line to be included.

The text entered in the these tabs is sent when the alert triggers, with the exception of the variable tags (%xxx%). These tags are used to retrieve information from Change Auditor. The following tags are used and should not be modified.

%AD_MANAGEDBY%

The email address for the user assigned to manage the user referenced in an Active Directory user event.

%AD_USERMAIL%

The email address for the user referenced in an Active Directory user event.

%ALERT_COORDINATOR_DOMAIN%

The name of the domain where the coordinator that generated the alert resides.

%ALERT_COORDINATOR_NAME%

The name of the coordinator generating the alert.

%ALERT_NAME%

The name of the alert that fired.

%ALERT_TIME_SENT%

The date and time when the alert fired.

%ALERT_TYPE%

The type of alert: Smart Alert or Alert.

%BATCH_ID%

The batch ID for all alerts grouped into a single smart alert email.

%EVENT_COUNT%

The number of events grouped into a single smart alert email.

%SMART_ALERT%

Indicates whether this is a smart alert email.

%SMART_ALERT_GROUPING%

Indicates whether this is a smart alert email and on a single object.

%SMART_ALERT_OCCURRENCE%

For smart alerts, the occurrence value specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SMART_ALERT_PERIOD%

For smart alerts, the period of time specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SMART_ALERT_PERIOD_UNIT%

For smart alerts, the time interval (minutes, hours or days) specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%AAD_ACTIVITYORIGIN%

For Azure Active Directory events, the origin of the activity.

%AAD_ACTIVITYSTATUSREASON%

For Azure Active Directory events, the status reason.

%AAD_ACTIVITYTYPE%

For Azure Active Directory events, the type of activity.

%AAD_CATEGORY%

For Azure Active Directory events, the associated category.

%AAD_CITY%

For Azure Active Directory events, the associated city.

%AAD_COUNTRY%

For Azure Active Directory events, the associated country.

%AAD_ONPREMISESSUBJECT%

For Azure Active Directory events, the associated Active Directory on premises subject.

%AAD_ONPREMISESTARGET%

 

For Azure Active Directory events, the associated Active Directory on premises target.

%AAD_ONPREMISESUSERNAME%

 

For Azure Active Directory events, the associated Active Directory on premises username.

%AAD_STATE%

For Azure Active Directory events, the associated state.

%AAD_SUBJECTDISPLAYNAME%

 

For Azure Active Directory events, the associated subject display name.

%AAD_SUBJECTSYNCTYPE%

 

For Azure Active Directory events, the associated subject synchronization type.

%AAD_TARGETDISPLAYNAME%

For Azure Active Directory events, the target display name.

%AAD_TARGETSYNCTYPE%

For Azure Active Directory events, the target synchronization type.

%AAD_TENANTDEFAULTDOMAIN%

For Azure Active Directory events, the tenant default domain.

%AAD_TENANTDISPLAYNAME%

For Azure Active Directory events, the tenant display name.

%ACTIONNAME%

The action associated with the event (e.g., Modify Attribute).

%AD_SAMACCOUNTNAME%

For Active Directory events, the logon name of the user who initiated the change event.

%AD_FAILURE_REASON%

For Active Directory events, the failure reason for failed events.

%AD_STATUS_CODE%

For Active Directory events, the status code for failed events.

%AD_USERPRINCIPALNAME%

For Active Directory events, the user principal name (UPN) of the user who initiated the change event.

%ADAM_CONFIGURATIONSET%

For ADAM (AD LDS) events, the name of the configuration set that holds the ADAM instance where the change occurred.

%ADAM_INSTANCENAME%

For ADAM (AD LDS) events, the name of the ADAM instance where the change occurred.

%ADAM_INSTANCEPORT%

For ADAM (AD LDS) events, the communications port used by the ADAM instance where the change occurred.

%ADAM_PARTITIONNAME%

For ADAM (AD LDS) events, the name of the directory partition where the change event occurred.

%ALERT_COORDINATOR_DOMAIN%

The name of the domain where the coordinator that generated the alert resides.

%ALERT_COORDINATOR_NAME%

The name of the coordinator generating the alert.

%ALERT_NAME%

The name of the alert that fired.

%ALERT_TIME_SENT%

The date and time when the alert fired.

%ALERT_TYPE%

The type of alert: Smart Alert or Alert.

%ATTRIBUTENAME%

For Active Directory and ADAM (AD LDS) events, the name of the schema attribute that was modified (e.g., displayName).

For File System events, the name of the file or folder attribute that was modified.

%BATCH_ID%

The batch ID assigned to all alerts grouped into a single smart alert email.

%COMMENT%

Any comments for the event which were entered using the Comments feature on the Event Details pane.

%DOMAINCONTROLLER%

Indicates whether the agented server is a domain controller.

%DOMAINDN%

The distinguished name (DN) of the domain to which the agent that generated the alert belongs.

%DOMAINFQDN%

The fully qualified domain name (FQDN) of the domain to which the Change Auditor agent that generated the alert belongs.

%DOMAINNAME%

The name of the domain to which the agent that generated the alert belongs.

%EVENT_COUNT%

The number of events grouped into a smart alert email.

%EVENTCLASSNAME%

The event name.

%EVENTMESSAGE%

The actual event that triggered the alert.

%EVENTSOURCE%

Indicates the application where the change event came from: Change Auditor, Active Roles, or GPOADmin.

%EXCHANGE%

Indicates whether the agented server is an Exchange server.

%FACILITYNAME%

The name of the event class facility to which the event belongs (e.g., Domain Configuration).

%FORESTNAME%

The name of the forest where the agent that captured the event resides.

%FS_ATTRIBUTENAME%

For File System events, the name of the attribute that was modified.

%FS_FILENAME%

For File System events, the name of the file that was modified.

%FS_FILESERVER%

For File System events, the name of the server where the file or folder that was modified resides.

%FS_FILESYSTEMTYPEID%

For File System events, the type of object (File or Folder) that was modified.

%FS_FOLDERPATH%

For File System events, the full path of the file or folder where the modification occurred.

%FS_LOGONID%

For File System events, the logon ID of the user who made the change.

%FS_PRIMARYSID%

For File System events, the SID of the user who made the change.

%FS_PROCESSNAME%

For File System events, the full path of the application responsible for the change.

%FS_SHARENAME%

For File System events, the name of the local share that was modified.

%FS_TRANSACTIONID%

For File System Transaction Status Changed events, the identification number assigned to a transaction.

%FS_TRANSACTIONSTATUS%

For File System Transaction Status Changed events, the current status of the transaction.

%GLOBALCATALOG%

Indicates whether the agented server is a Global Catalog.

%GPO_POLICYCANONICAL%

For Group Policy events, the canonical name (CN) of the group policy that was modified.

%GPO_POLICYITEM%

For Group Policy events, the group policy item that was modified.

%GPO_POLICYNAME%

For Group Policy events, the name of the group policy that was modified.

%GPO_POLICYSECTION%

For Group Policy events, the section of the group policy that was modified.

%INITIATORMAIL%

For events generated by Active Roles or GPOAdmin, the email address of the user that initiated the change event.

%INITIATORSID%

For events generated by Active Roles or GPOAdmin, the SID of the user that initiated the change event.

%INITIATORUSERNAME%

For events generated by Active Roles or GPOADmin, the name of the user that initiated the change event.

%IPADDRESS%

The IP address of the Change Auditor agent that generated the alert.

%LDAP_ATTRIBUTES%

For AD Query events, the attributes that were queried.

%LDAP_ELAPSED%

For AD Query events, how long the AD query took to run.

%LDAP_FILTER%

For AD Query events, the filter string used in the AD query.

%LDAP_OCCURRENCES%

For AD Query events, the number of times the AD query occurred during the specified interval.

%LDAP_RESULTS%

For AD Query events, the number of results returned as a result of the query.

%LDAP_SCOPE%

For AD Query events, the scope of coverage: This object only or This object and all children.

%LDAP_SINCE%

For AD Query events, the date and time when the AD query was first initiated.

%LDAP_TYPE%

For AD Query events, the type of query: LDAP or GC.

%LOGON_DURATION%

For Logon Session events, how long the user session lasted or how long the user was actually logged onto the computer (depends on the event).

%LOGON_END%

For Logon Session events, the date and time when the user logged out of the computer.

%LOGON_SESSIONEND%

For Logon Session events, the date and time when the current user session ended.

%LOGON_SESSIONSTART%

For Logon Session events, the date and time when the current user session began.

%LOGON_START%

For Logon Session events, the date and time when the user initially logged onto the computer.

%LOGON_TYPE%

For Logon Activity events, the type of logon that occurred:

%OBJECTCANONICAL%

For Active Directory and ADAM (AD LDS) events, the canonical name of the object that was modified.

For Group Policy events, the canonical name of the group policy that was modified.

For AD Query events, the LDAP object canonical name of the object that was queried.

%OBJECTCLASS%

For Active Directory and Exchange events, the object class that was modified (e.g., groupPolicyContainer).

For ADAM (AD LDS) events, the object class that was modified (e.g., container, user, group).

For AD Query events, the object class that was queried.

%OBJECTNAME%

For Active Directory and Exchange events, the name of the object that was modified.

For ADAM (AD LDS) events, the distinguished name of the object that was modified.

For Group Policy events, the name of the group policy that was modified.

For AD Query events, the name of the object that was queried.

%ORGANIZATIONALUNIT%

For Active Directory and ADAM (AD LDS) events, the OU associated with the object that was modified.

For Group Policy events, the name of the OU that is linked to the group policy that was modified.

For AD Query events, the name of the OU associated with the LDAP query.

%OSVERSION%

Indicates the operating system version of the machine where the modification occurred.

%REGISTRYKEY%

For Registry events, the name of the registry key that was modified.

%REGISTRYVALUE%

For Registry events, the registry value that was modified.

%RESULTNAME%

Indicates the result of the operation mentioned in the event:

%SAM_PRINCIPALNAME%

The logon name of the local account that initiated the change event.

%SAM_PRINCIPALTYPE%

The type of local account that initiated the change event.

%SERVERDN%

The distinguished name (DN) of the agented server that captured the event.

%SERVERFQDN%

The fully qualified domain name (FQDN) of the agented server that captured the event.

%SERVERNAME%

The name of the agented server where the change occurred.

%SERVEROU%

The name of the organizational unit where the agented server resides.

%SERVICE_DISPLAYNAME%

For Service events, the display name of the service that was modified.

%SERVICE_NAME%

For Service events, the name of the service that was modified.

%SEVERITYNAME%

The severity assigned to the change event: High, Medium or Low.

%SHAREPOINT_FARMNAME%

For SharePoint events, the name of the SharePoint farm where the modification occurred.

%SHAREPOINT_ITEMNAME%

For SharePoint events, the name of the SharePoint item (e.g. document, folder, list item) that was modified.

%SHAREPOINT_ITEMURL%

For SharePoint events, the URL of the SharePoint item that was modified.

%SHAREPOINT_LISTNAME%

For SharePoint events, the name of the SharePoint list that was modified.

%SHAREPOINT_LISTPATH%

For SharePoint events, the full path of the SharePoint list where the modification occurred.

%SHAREPOINT_WEBNAME%

For SharePoint events, the name of the web site where the modification occurred.

%SHAREPOINT_WEBURL%

For SharePoint events, the URL of the web site where the modification occurred.

%SIGNSEAL%

For Active Directory and AD Query events, indicates whether the LDAP operation or LDAP query is signed using Kerberos-based encryption.

%SITEDN%

The distinguished name (DN) of the site where the agented server resides.

%SITENAME%

The name of the site where the agented server resides.

%SMART_ALERT%

Indicates whether this is a smart alert email.

%SMART_ALERT_GROUPING%

Indicates whether this is a smart alert email and on a single object.

%SMART_ALERT_OCCURRENCE%

For smart alerts, the occurrence value specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SMART_ALERT_PERIOD%

For smart alerts, the period of time specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SMART_ALERT_PERIOD_UNIT%

For smart alerts, the time interval (minutes, hours or days) specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SQL_APPLICATIONNAME%

For SQL events, the name of the client application that initiated the change event.

%SQL_CLIENTPROCESSID%

For SQL events, the identification number associated with the client process that initiated the change event.

%SQL_DATABASEID%

For SQL events, the identification number associated with the SQL database used by the process that initiated the change event.

%SQL_DATABASENAME%

For SQL events, the name of the SQL database used by the process that initiated the change event.

%SQL_EVENTCLASS%

For SQL events, the SQL Server operation (event class) that was performed.

%SQL_EVENTSUBCLASS%

For SQL events, the type of event subclass that was performed.

%SQL_HOSTNAME%

For SQL events, the name of the client workstation that initiated the session.

%SQL_INSTANCENAME%

For SQL events, the name of the SQL instance where the change event occurred.

%SQL_ISSYSTEM%

For SQL events, indicates whether a system session initiated the change.

%SQL_LINKEDSERVERNAME%

For SQL events, the name of the linked server.

%SQL_OBJECTID%

For SQL events, the object identifier associated with the SQL object that was changed.

%SQL_OBJECTID2%

For SQL events, the object identifier of related objects or entities, if available.

%SQL_OBJECTNAME%

For SQL events, the name of the SQL Server object that was changed.

%SQL_OBJECTTYPE%

For SQL events, the type of SQL Server object that was changed.

%SQL_OWNERID%

For SQL lock events, the type of object that owns a lock.

%SQL_OWNERNAME%

For SQL events, the database user name of the object owner.

%SQL_PARENTNAME%

For SQL events, the name of the schema in which the object that changed resides.

%SQL_PROVIDERNAME%

For SQL events, the name of the OLEDB provider.

%SQL_ROWCOUNTS%

For SQL events, the number of rows returned by the SQL query.

%SQL_SESSIONLOGINNAME%

For SQL events, the SQL Server login name used by the client to create the session.

%SQL_SPID%

For SQL events, the SQL Server Process ID associated with the process that initiated the change.

%SQL_SUCCESS%

For SQL events, indicates whether the event was successful.

%SQL_TEXTDATA%

For SQL events, the character string used in the SQL query.

%SSLTLS%

For Active Directory or AD Query events, indicates whether the LDAP operation or LDAP query is secured using SSL or TLS technology.

%SUBSYSTEMNAME%

The subsystem, or area of auditing, where the change event occurred (e.g., Active Directory, Service, Group Policy).

%TIMEBATCHED%

The UTC date and time when the batch of events were sent from the agent to coordinator.

%TIMEDETECTED%

The UTC date and time when the agent captured the event.

%TIMEOFDAY%

The UTC time (no date) when the event the agent captured the event.

%TIMERECEIVED%

The UTC date and time when the event was received by Change Auditor.

%TIMEZONE%

The name of the time zone used for the alert’s date/time stamps in the email.

%TIMEZONETIMEDETECTED%

The date and time when the Change Auditor agent captured the event, based on the selected time zone.

%TIMEZONETIMERECEIVED%

The date and time when the event was received by Change Auditor, based on the selected time zone.

%USERADDRESS%

The machine name or IP address of the machine where the change originated.

%USERADDRESSIPV4%

The IPv4 IP address of the machine where the change originated.

%USERADDRESSIPV6%

The IPv6 IP address of the machine where the change originated.

%USERDISPLAY%

The display name of the user who initiated the change.

%USERMAIL%

The email address of the user that initiated the change.

%USERNAME%

The NT4 logon name (domain\name) of the user who initiated the change.

%USERSID%

The security identifier (SID) assigned to the user who initiated the change.

%VALUENEW%

The new value that is now assigned to the object.

%VALUEOLD%

The old value that was assigned to the object.

The event details defined in the Event Details tab are placed in the Main Body pane using the following tag:

This tag should NOT be removed from the Main Body tab if you want to include the event details in the alert emails.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation