Chatta subito con l'assistenza
Chat con il supporto

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Create and maintain jobs

Previous Next

Create and maintain jobs

In addition to viewing the details about previously defined jobs, use the Purge and Archive page to define and schedule new jobs, and edit, disable/enable or delete existing jobs.

* 
CAUTION: Carefully review your current jobs before creating a new job or altering an existing job, as it is possible to create purge and archive conflicts.
* 
NOTE: If you have specific purge jobs that you want to complete before a scheduled archive, ensure that you leave enough time between the purge only jobs and the archive job.

Before scheduling a job, ensure that you have reviewed the best practice information in Planning your jobs.

To schedule a purge and archive job:
1
Open the Administration Tasks tab and select Configuration | Purge and Archive.
2
Click Add to open the Purge and Archive wizard.
3
Enter a descriptive job name.
4
Select the data that you want to purge and/or archive. The default is to process events older than 90 days.
* 
NOTE: Jobs created in previous versions will have the process time converted from weeks/months/quarters/years to the appropriate number of days.
5
If required, select Purge and choose the records to be deleted from the production database.

All events: Select this option to purge all events from the database that are older than the specified time.

Only selected events: Select this option to purge only selected events, based on specific criteria, from the database that are older than the specified time.

Use the criteria tabs to define the events to be deleted:

Who - purge events generated by a specific user, computer, group, or service account.

What - purge events based on subsystem, event class, object class, severity or results.

Where - purge events captured by a specific agent, domain or site.

Origin - purge events originating from a specific workstation or server.

See Purge selected records for a description of the criteria options.

* 
NOTE: If you specify criteria on more than one tab, the criteria specified on ALL of the tabs must be met before an event is deleted from the database or archived.
6
Select Archive events if you want to create an archive database. A yearly archive database will be created beginning on the first day of the selected month. For example, if you select Jan, the database will contain events for 12 months beginning on January 1.

If you have also selected to purge events based on specific criteria, any events that remain will be moved to the archive database.

* 
NOTE: A new archive database will be created for each year of events that you have in your production database.
NOTE: This option is not available, if there is an existing archive job.
7
Click Next.
8
Select the job scheduling options to define when the events are to be deleted or archived.
9
Click Finish to save the job and exit the wizard.
To edit a scheduled purge and archive job:
1
On the Purge and Archive page, select the job to be edited.
2
Click Edit to open the Purge and Archive wizard.
3
Modify the current settings as necessary.
4
Click Finish to save your selections and exit the wizard.
To disable a scheduled purge and archive job:
1
On the Purge and Archive page, select the job to be disabled, right-click and select Disable.

When a job is disabled, that particular database cleanup job will not take place until it is re-enabled.

2
To enable a previously disabled job, select the job from the Purge and Archive page, right-click and select Enable.
To delete a scheduled purge and archive job:
1
On the Purge and Archive page, select one or more jobs from the list and click Delete.
2
When prompted, confirm that you want to delete the scheduled jobs.

Purge and Archive wizard

Previous Next

Purge and Archive wizard

The wizard opens when you click Add on the Purge and Archive page under Administration Tasks. Use this wizard to define the records to be purged or archived, and the cleanup schedule.

* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered

Before scheduling a job, ensure that you have reviewed the best practice information in Planning your jobs.

Using the Purge and Archive wizard:
1
Begin by entering a descriptive name for the job.
2
Select the data that you want to purge and/or archive. The default is to process events older than 90 days.
* 
NOTE: Jobs created in previous versions will have the process time converted from weeks/months/quarters/years to the appropriate number of days.
3
Select whether you want to purge, archive, or both. If you have specific purge jobs that you want to complete before a scheduled archive, ensure that you leave enough time between the purge only jobs and the archive job.

Option

Notes

Purge events

If you select to purge events, specify the options that determine which events will be removed from the database.

All events: Select this option to purge all events from the database that are older than the specified time.

Only selected events: Select this option to purge only selected events, based on specific criteria, from the database that are older than the specified time.

Use the criteria tabs to define the events to be deleted:
Who - purge events generated by a specific user, computer, group, or service account.
What - purge events based on subsystem, event class, object class, severity or results.
Where - purge events captured by a specific agent, domain or site.
Origin - purge events originating from a specific workstation or server.

If you specify criteria on more than one tab, the criteria specified on ALL of the tabs must be met before an event is deleted from the database or archived.

See Purge selected records for a description of the criteria tabs and options that appear to specify the records.

Archive events

When this option is selected, a yearly archive database will be created beginning on the first day of the selected month. For example, if you select Jan, the database will contain events for 12 months beginning on January 1.If you have also selected to purge events based on specific criteria, any events that remain will be moved to the archive database.

NOTE: A new archive database will be created for each year of events that you have in your production database. If using SQL AlwaysOn and the Change Auditor database resides in an Availability Group, the archive database will be created on the current primary database node.

On initial run of archive or purge/archive job, an archive database will be created on the same database server as your production Change Auditor database.

The name of the archive database is as follows: Production database name appended with _Archive_ and the year of your oldest event and a selected month. Example: ChangeAuditor_Archive_2014 _August

The *.mdf file will have the same name except that the date will be appended to the end. Example: ChangeAuditor_Archive_2014__August20150310163244.mdf

If the archive database is moved or deleted a new archive database with the same name will be created (the *.mdf will differ because a new date is appended) the next time an archive or purge/archive job runs.

NOTE: If an archive database is deleted or moved before the end of an archived year, then a new one will be created and will only contain events that were not previously archived to the deleted or moved database.
NOTE: This option is not available, if there is an existing archive job.
4
Next, set the job schedule.

 

Option

Description

Occurs

Specifies if the job is to be run on a weekly or monthly schedule.

The default is monthly.

NOTE: When Monthly is selected, specify the monthly schedule to be used to run the job. For example, 1 for every month (default), 2 for every other month, 6 for every six months or twice a year, etc.

Batch Limit

Specifies the maximum number of events to be purged for each cycle.

That is, the job task checks every five minutes to determine if it needs to run a job. When the job runs, by default it purges a maximum of 500,000 events in that five minute period. If there are more than 500,000 events to be purged, then five minutes later another 500,000 events are processed until all of the events are purged or archived.If there are 500,000 events or less in a job, then the job task checks again in the next five minutes and obeys the ‘next run’ time.

NOTE: If SQL is slow or disk space is low, decrease this limit to 100000 or 50000. When this limit is decreased, the job will take longer to complete.

Every

When a Monthly schedule is selected, specifies on which day of the month the job is to be run:
First (default)
Last
Day #

When a Weekly schedule is selected, specifies the weekly schedule to be used to run the job. For example, 1 for every week, 2 for every other week, 3 for every third week, and 4 for every fourth week.

On Days

When a Weekly schedule is selected, defines the days of the week when the job is to be run.

The default is Monday through Friday.

Run Time

Defines the time of day when the job is to be performed.

The default start time is 12:00:00 AM.

NOTE: Based on the client’s current local date and time. The format used to display this date and time is determined by the local machine’s regional and language setting.

Last Run

This read-only field specifies the last time (date and time) the job ran.

NOTE: Based on the client’s current local date and time. The format used to display this date and time is determined by the local machine’s regional and language setting.

Next Run

This read-only field specifies the next time (date and time) when the job is scheduled to run.

NOTE: Based on the client’s current local date and time. The format used to display this date and time is determined by the local machine’s regional and language setting.
5
Select Finish.

Purge selected records

Previous Next

Purge selected records

Use the criteria tabs in the Purge and Archive wizard to define what specific records are to be deleted from the database. These tabs are enabled when you choose the Purge | Only selected events option.

* 
NOTE: If you specify criteria on more than one tab, the criteria specified on ALL of the tabs must be met before an event is deleted from the database or archived.

Who tab

Use the Who tab when you want to purge or archive events generated by specific users, computers, groups, or service accounts. By default (when the Who tab is empty), change events generated by all users, computers, groups, and service accounts will be deleted from the database or archived.

When multiple ‘who’ criteria is specified on this tab, Change Auditor uses the ‘OR’ operator to evaluate change events, purging or archiving events for activity performed by any of the users, computers, groups, or service accounts listed on this tab.

To purge events generated by a specific user, computer, group, or service account:
1
From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to activate the criteria tabs.
2
Open the Who tab and click Add.
3
On the Select Active Directory Objects dialog, use the Browse or Search page to locate the user, computer, group, or service account to be included. Once you have located a directory object, select it and click Add to add it to the selection list at the bottom of the dialog.

Repeat this step to include each additional directory object.

4
After selecting one or more directory objects, click Select to save your selection and close the dialog.
* 
NOTE: Use Add with Events (instead of Add) to select users, computers, groups, or service accounts that already have an event associated with it in the database. Use this to purge events tied to users who have been removed from Active Directory.

Change Auditor now purges or archives events generated by the users, computers, groups, or service accounts listed on the Who tab.

* 
NOTE: To purge events NOT generated by the users, computers, groups, or service accounts listed on the Who tab, select the Exclude The Following Selection(s) check box at the top of the Who tab.
To use a wildcard expression to specify users or groups:
1
From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to activate the criteria tabs.
2
Open the Who tab and expand Add and click Add Wildcard Expression.
* 
NOTE: If you used Add With Events instead, click Add Wildcard Expression on the Add Users, Computer, or Groups dialog.
3
On the Add Who dialog, enter the wildcard expression to be used to search for users (domain\user name) or groups (domain\group name).
Select the comparison operator to be used: Like or Not Like
Enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters.
By default, the wildcard expression will be used to search for users. To search for groups, select the Group option.
 
* 
NOTE: When using the Group option, the Group Membership Expansion option on the Coordinator Configuration page (on the Administration Tasks tab) must be set to Expand all groups.
4
Click OK to close the dialog and add the wildcard expression to the Who tab.

Change Auditor now searches for and purges or archives change events generated by the users that are members of the groups whose name matches the specified wildcard expression.

What tab

Use the What tab to specify the what criteria to be used to determine whether an event is to be purged from the database. By default (when the What tab is empty), all events regardless of the subsystem, event class, object class, severity, or results will be purged or archived.

When multiple ‘what’ criteria is specified on this tab, Change Auditor uses the ‘AND’ operator to evaluate an event, purging only those events that meet all the specified criteria. However, when multiple subsystems (such as Active Directory, ADAM, and Exchange) are specified, Change Auditor uses the ‘OR’ operator to evaluate these entities, purging or archiving events that meet any of the specified subsystem criteria. This also applies when multiple event classes are specified. That is, when multiple event classes are specified, Change Auditor uses the ‘OR’ operator purging or archiving any of the specified events.

To purge events based on a specific entity:
1
From the Purge and Archive wizard, select Purge, and then enable Only selected events to activate the criteria tabs.
2
Open the What tab, expand Add (or Add With Events) and select the appropriate option. When you select an option, an additional dialog appears allowing you to enter specific criteria:
Subsystem | Active Directory - Add Active Directory Container dialog
Subsystem | AD Query - Add Active Directory Container dialog
Subsystem | ADAM (AD LDS) - Select the agent that hosts the ADAM/LDS Instance dialog
Subsystem | Exchange - Add Exchange Container dialog
Subsystem | Microsoft 365 - Microsoft 365 dialog
Subsystem | File System - Add File System Path dialog
Subsystem | Group Policy - Add Group Policy Container dialog
Subsystem | Local Account - Add Local Account dialog
Subsystem | Logon Activity - Add Logons dialog
Subsystem | Registry - Add Registry Key dialog
Subsystem | Service - Add Service dialog
Subsystem | SharePoint - Add SharePoint Path dialog
Subsystem | SQL - Add SQL Instance dialog
Event Class - Add Facilities or Event Classes dialog
Object Class - Add Object Classes dialog
Severity - Add Severities dialog
Result - Add Results dialog
3
Once you have selected or entered the specific criteria, click Add to add it to the selection list at the bottom of the dialog.
4
Click OK to save your selection and close the dialog.

Change Auditor now searches for and purges or archives change events that match the criteria listed on the What tab.

Where tab

Use the Where tab to purge events captured by specific agents, domains, or sites. By default (when the Where tab is empty), events captured by all agents will be purged or archived.

When multiple ‘where’ criteria is added to this tab, Change Auditor uses the ‘OR’ operator to evaluate events, purging or archiving events that were captured by any of the specified agents, domains or sites.

To purge events captured by a specific agent, domain or site:
1
From the Purge and Archive wizard, select Purge, and then enable Only selected events to activate the criteria tabs.
2
Open the Where tab and click Add.
3
On the Choose the Agents, Domains or Sites to Include dialog, use the Browse or Search pages to locate an individual agent, domain or site.

Once you have located an agent, domain or site, select it and click Add to add it to the selection list at the bottom of the dialog.

* 
NOTE: You can also select the Grid View option to select an agent from a list rather than using the Explorer View to locate it within your environment.

Repeat this step to include each additional agent, domain or site.

4
Click OK to save your selection and close the dialog.
* 
NOTE: Use Add With Events (instead of Add) to select agents, domains, or sites that already have an event associated with it in the database.

Change Auditor now searches for and purges or archives change events captured by the agents, domains, or sites listed on the Where tab.

* 
NOTE: To purge or archive events NOT captured by the agents, domains, or sites listed on the Where tab, select the Exclude The Following Selection(s) check box at the top of the Where tab.
To use a wildcard expression to specify agents, domains, or sites:
1
From the Purge and Archive wizard, select Purge, and then enable Only selected events to activate the criteria tabs.
2
Open the Where tab, expand Add and click Add Wildcard Expression.
* 
NOTE: If you used Add With Events instead, click Add Wildcard Expression on the Add Agents, Domains, Sites dialog.
3
On the Add Where dialog, enter the wildcard expression to be used to search for agents (NetBIOS name, domains or sites.
Select the comparison operator to be used: Like or Not Like
Enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters.
By default, the wildcard expression will be used to search for agents. To search for domains or sites, select the Domain or Site option.
4
Click OK to close the dialog and add the wildcard expression to the Where tab.

Change Auditor now searches for and purges or archives change events captured by the agent(s), domains or sites whose name matches the specified wildcard expression.

To filter based on server type:
1
On the Where tab, expand Add and select Add Server Types.
2
Select to include Domain Controllers, Member Servers, Workstation Servers, Exchange Servers as required.
3
Click OK to close the dialog and add the server type to the ‘Where’ list.

When this purge job runs, Change Auditor searches for and purges events generated on the specified domains, sites, or agents for the specified server type.

Origin tab

Use the Origin tab to purge events originating from a specific workstation or server. By default, (when the Origin tab is empty) events will be purged regardless of the workstation or server from which they originated.

When multiple ‘origin’ criteria is specified on this tab, Change Auditor uses the ‘OR’ operator to evaluate events, purging or archiving events originating from any of the specified workstations or servers.

To purge events based on where they originated:
1
From the Purge and Archive wizard, select Purge, and then enable Only selected events to activate the criteria tabs.
2
Open the Origin tab and click Add.
3
On the Add Origin dialog, enter the wildcard expression to be used to include workstations or servers, based on their NetBIOS name or IP address:
Select the comparison operator to be used: Like or Not Like
Enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters.
4
Click OK to close the dialog and add the wildcard expression to the Origin tab.
5
Change Auditor now searches for and purges or archives change events originating from workstations/servers whose machine name (NetBIOS name or IP address) matches the specified wildcard expression.
* 
NOTE: To purge or archive events not originating from the workstations or servers listed on the Origin tab, select Exclude The Following Selection(s) box at the top of the Origin tab.
To select an originating workstation or server that has an event in the Change Auditor database:
1
From the Purge and Archive wizard, select Purge, and then enable Only selected events to activate the criteria tabs.
2
Open the Origin tab and click Add With Events.

The Add Origin dialog appears populated with originating workstations/servers that have an event associated with it in the Change Auditor database.

* 
NOTE: Use Add Wildcard Expression to enter a wildcard expression to include workstations/servers from this list based on their NetBIOS name or IP address.
3
On the Add Origin dialog, select one or more originating workstations/servers from the list and click Add to add it to the selection list at the bottom of the page.
4
Click OK to close the dialog and add the selected workstations to the Origin tab.

Change Auditor now searches for and purges or archives change events originating from the selected workstations/servers.

To put your archive database in a high availability group:
1
Once the database has been created, ensure that the database is using SQL AlwaysOn Availability Groups and the coordinator is connecting to the availability group listener.
2
Wait for the archive job to complete.
3
Add the database to the availability group.

 

Working with Private Alerts and Reports

Previous Next

Working with Private Alerts and Reports
Introduction
Private Alerts and Reports page
Disable private alerts and reports
Move and delete private searches
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione