Chatta subito con l'assistenza
Chat con il supporto

Change Auditor 7.6 - User Guide

Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags

Coordinator Statistics page

Use the View | Statistics | Coordinator menu command to display the Coordinator Statistics page, which provides a global view of all installed coordinators, including the current status of the coordinators.

The Coordinator Statistics page may contain the following information for each coordinator. The following table identifies the fields that are displayed by default. To display different fields, click the Field Chooser button located to the far left of the column headings and select the required columns:

 
* 
NOTE: All dates and times are based on the client’s current local date and time. The format used to display the date and time is determined by the local computer’s regional and language setting.
Table 1. Coordinator Statistics page: Field descriptions
Column
Default
Description

Agents Connected

Yes

Displays the number of agents to which this coordinator is connected.

Alerts Last 24 Hours

No

Displays the number of alerted event entries in the last 24 hours of the coordinator operation.

The value in this field is a hypertext link and when selected displays the alerts generated in the last 24 hours.

Alerts Last Hour

No

Displays the number of alerted event entries in the last 60 minutes.

The value in this field is a hypertext link and when selected displays the alerts generated in the last 60 minutes.

Alerts Today

Yes

Displays the number of alerted event entries since local midnight today.

The value in this field is a hypertext link and when selected displays the alerts generated since local midnight today.

Alerts Total

No

Displays the number of alerted events found in the coordinator database.

The value is this field is a hypertext link and when selected displays the alerts in the coordinator database.

Alerts Yesterday

No

Displays the number of alerted event entries from local midnight today to local midnight yesterday.

The value in this field is a hypertext link and when selected displays the alerts generated yesterday.

Architecture

No

Displays whether the coordinator is installed in a 32-bit (x86) or 64-bit (x64) environment.

Client Port

Yes

Displays the port number assigned to the coordinator Service Connection Point (SCP).

Coordinator

Yes

Displays the computer name of the coordinator.

Coordinator FQDN

No

Displays the fully qualified domain name of the coordinator.

Coordinator ID

Yes

Displays the ID of the coordinator that processed the event.

DB Catalog

Yes

Displays the name assigned to the coordinator database during the coordinator installation.

DB Instance

No

Displays the name of the SQL instance that is being used for the coordinator database.

DB Size

Yes

Displays the size of the coordinator database, in kilobytes.

Domain

Yes

Displays the name of the domain where the coordinator is located.

Events Last 24 Hours

No

Displays the number of event entries received from all agents in the last 24 hours of coordinator operation.

The value in this field is a hypertext link and when selected launches a quick search to display the events generated in the last 24 hours.

Events Last Hour

No

Displays the number of event entries received in the last 60 minutes of the coordinator operation.

The value in this field is a hypertext link and when selected launches a quick search to display the events generated in the last 60 minutes.

Events Today

Yes

Displays the number of events encountered since 12:00 a.m. of the current day (based on the relative coordinator computer's time).

The value in this field is a hypertext link and when selected launches a quick search to display the events generated today.

Events Total

No

Displays the number of entries found in the coordinator events database.

The value in this field is a hypertext link and when selected launches a quick search to display all events encountered since the agent was started.

Events Yesterday

No

Displays the number of events encountered between 12:00 a.m. yesterday and 12:00 a.m. of the current day (based on the relative coordinator computer's time).

The value in this field is a hypertext link and when selected launches a quick search to display the events generated yesterday.

Forest

No

Displays the name of the forest where the coordinator resides.

Startup Time

No

Displays the date and time when the coordinator was last initialized.

Status

Yes

Displays the current status of the coordinator:

running
initializing
stopped
failed

Uptime

Yes

Displays how long the coordinator has been running.

Version

Yes

Displays the current coordinator version installed on the server.

Coordinator system tray icon

During the coordinator installation process, Change Auditor automatically loads an icon in the system tray of each coordinator. This system tray icon allows you to enable/disable the coordinator, display the status of the coordinator installed on the current machine, and to change the database instance and service accounts used to access the database. Whenever a coordinator is not active, a status indicator will appear in the lower left corner of this icon to represent its current status:
Red - inactive
Yellow - initializing

By right-clicking on the coordinator icon in the system tray, a context menu is displayed which consists of the following commands:

 
Table 2. Coordinator system tray icon: Right-click commands
Command
Description

Coordinator Status

Displays the Coordinator Status dialog which assists you in determining if the coordinator is running, what version is installed and how active the coordinator is.

See Change Auditor Coordinator Status dialog for a full description of this status dialog.

Enable/Disable Coordinator

Starts or stops the coordinator.

View Coordinator Log

Opens the log viewer to review the events recorded in the coordinator log (ChangeAuditor.ServiceLog.nptlog).

For example: %ProgramFiles%\Quest\ChangeAuditor\Service\Logs\ChangeAuditor.ServiceLog.nptlog

Coordinator Configuration

Starts the Coordinator Configuration Tool which allows you to:
modify the credentials used to access the coordinator database
specify a ‘static’ port to be used for communication with the coordinator
specify where the Active Directory/GPO protection templates are to be stored: SQL (default) or Active Directory
specify the authentication method to use to make Active Directory requests.

See Coordinator Configuration tool for a description of how to use this utility.

Load On Startup

Automatically loads the system tray application when the coordinator starts.

About

Display information about Change Auditor including the installed version number and licensing information.

Exit

Closes the system tray application.

Change Auditor Coordinator Status dialog

The Change Auditor Coordinator Status dialog helps you determine if the coordinator is running and what version is installed on the server. The other status information on the dialog is broken down into the following sections:
Coordinator Information - displays the status, version number, SCP port and installation name for the coordinator
Database Information - displays the coordinator database server, name and size
Agent Connections to this Coordinator - displays the total number of agents that are connected to the coordinator
Events and Alerts on this Coordinator - displays status information regarding events, alerts, and search activities for this particular coordinator
Agent Ports on this Coordinator - displays all ports used for communication.

The Change Auditor Coordinator Status dialog contains the following information:

 
Table 3. Change Auditor Coordinator Status dialog: Status information
Field
Description
Coordinator Information

Coordinator Status

Displays the current status of the coordinator:

Running
Initializing
Stopped
Failed

This value will normally be ‘Running’. If the credentials supplied for the database access during the coordinator installation are incorrect or have expired, this field will display ‘Not Running’ indicating that the coordinator did not successfully start. If this happens, use the Database Configuration Utility to change the permissions trying to access the database.

Installation Name

Displays the installation name assigned to the coordinator during installation.

Version

Displays the current version of the coordinator installed on the server.

Database Information

SQL Server

Displays the name of the server where the coordinator resides.

Database Catalog

Displays the name assigned to the coordinator database during the coordinator installation.

Database Size

Displays the size of the coordinator database, in megabytes.

Database Free Space

Displays the available free space in the coordinator database.

Agent Connections to This Coordinator

Agents Connected (Total)

Displays the total number of agents connected to this coordinator.

Events and Alerts on This Coordinator

Total Events

Displays the number of events this coordinator has received since it was last started.

Events in Receive Buffer

Displays the number of events that have not yet been processed by this coordinator and forwarded to the client.

Average Events Per Second

Displays the average number of events processed by this coordinator per second.

Agent Ports on This Coordinator

Client SCP Port

Displays the port number assigned to the coordinator Service Connection Point (SCP).

Public SDK Port

Displays the port number assigned for external applications to access the coordinator.

Agent Port

Displays the port number assigned to the agents to communicate with the coordinator.

Coordinator Configuration tool

You can use the Coordinator Configuration tool to modify the credentials used by the coordinator when accessing the database. Right-clicking the coordinator system tray icon and selecting Coordinator Configuration, displays the Coordinator Configuration tool. From here, you can:
modify the credentials to be used to access the Change Auditor database
change the database instance
specify static SCP listening ports to be used to communicate with the coordinator
specify where the Active Directory and GPO protection templates are to be stored: SQL (default) or Active Directory
specify the authentication method to use to make Active Directory requests.

This tool consists of the following tabbed pages:
Security page
Ports page
Protection page
LDAP Authentication page
Security page

From the Security page, you can change the database instance and service accounts used to access the database.

* 
NOTE: If User Account Control (UAC) is enabled, a confirmation dialog appears where you can authorize the Coordinator Configuration tool to use the required elevated rights.

Use the fields/options to enter the credentials to be used to access the designated SQL Server/instance as described below:

SQL server and instance
Enter the name or IP address of the SQL instance to be used. (i.e., <Server Name>\<Instance Name>). You can also click Browse to locate and select the SQL server and instance.
* 
NOTE: If your database is in a SQL AlwayOn Availability Group, specify the name of the availability group listener for the SQL Server name.
Name of database Catalog
This displays the name assigned to the Change Auditor database.
Connect using
Specify whether Windows authentication, Microsoft Entra authentication or SQL server authentication will be used when communicating with the SQL database instance. (The authentication method is set up when SQL is installed.)
* 
NOTE: Microsoft Entra authentication is only supported for SQL Managed Instances.
Depending on the authentication option selected, enter the appropriate user credentials.
Windows Authentication - this is selected by default and will use Windows authentication to access the database.
If you are using a group Managed Service Account:
The account must end with '$' and the password must be blank.
The domain should be entered in the Fully Qualified Domain Name format.
The Coordinator Configuration Tool must be run as the administrator. (Right-click and select Run as administrator.)
The coordinator host must be correctly configured to retrieve the managed password for the specified group Managed Service Account.
The local Administrator group must be added to the group policy debug programs. (Found under Local Computer Policy | Windows Settings | Security Settings | Local Policies | User Rights Assignments | Debug programs.)
SQL Server Authentication - select this to use SQL Server authentication to access the database.
Microsoft Entra Authentication - select this to use Microsoft Entra authentication to access the database located on an Azure SQL Managed Instance.
Azure SQL Managed Instance:
For a private endpoint, specify the managed instance host name in the following format: MyHostName.dns_zone.database.windows.net
For private endpoint with default port, port specification is not explicitly required. For example: MyHostName.b1b2a3d4e5f7.database.windows.net
or
MyHostName.b1b2a3d4e5f7.database.windows.net,1433
For a public endpoint, specify the managed instance host name and port in the following format: MyHostName.public.dns_zone.database.windows.net,3342
For public endpoint, port specification is required. For example: MyHostName.public.b1b2a3d4e5f7.database.windows.net,3342
NOTE:
Azure SQL Managed Instance (PaaS) is supported using SQL authentication or Microsoft Entra Authentication with an encrypted connection. Windows authentication is not supported.
For an Azure SQL Managed Instance (PaaS), SQL authentication or Microsoft Entra authentication with an encrypted connection must be used.
Single User Mode is not supported during installation or upgrade when using Azure SQL Managed Instance. Ensure that all SQL connections to the Change Auditor database are closed before and during the upgrade.
Azure SQL Managed Instance (HA) high availability is supported using the read-write listener endpoint.
Performance may vary depending on network configuration, topology, and Azure SQL Managed Instance configuration.
Login ID
Enter the user name for the account to be used to access the SQL server instance.
Password
Enter the password associated with the user account entered above.
Domain
Enter the domain name for the Windows account used to access the designated SQL server instance. (Only valid for Windows Authentication.)
Encryption

Select the appropriate level of encryption for the data sent between the coordinator and SQL server.
Strict (SQL Server 2022): Select this option for SQL Server 2022 and Azure SQL Managed Instance or when the instance has Force Strict Encryption enabled.
Mandatory: Select this option when the instance has Force Encryption enabled. It can also be used when no encryption is configured for the instance, but Trust server certificate is enabled. While this method is less secure than installing a trusted certificate, it does support an encrypted connection.
Optional

Enabling Trust server certificate, when 'Optional' or 'Mandatory' encryption is selected, or if the server enforces encryption, means that SQL Server will not validate the server certificate on the client computer when encryption is enabled for network communication.

Under Host name in the certificate, you can provide an alternate, yet expected, Common Name (CN) or Subject Alternative Name (SAN) in the server certificate. You would use this option when the server name does not match the CN or SAN, for example, when using DNS aliases.

Leaving this option blank allows certificate validation to confirm that the CN or SAN matches the server name.

* 
NOTE: Change Auditor supports TLS 1.3; however, TLS 1.2 remains a requirement since SQL Server 2022 satellite services require TLS 1.2 to be enabled.
Ports page

By default, Change Auditor dynamically assigns communication ports for each installed coordinator. However, using the Ports page of the Coordinator Configuration dialog, you can specify static SCP listening ports to be used to communicate with the coordinator.

If you upgraded from a 5.x installation where static ports were defined, these static ports are retained as part of the upgrade process. However, the Agent Port setting, which is used by 6.0 agents, is set to use a dynamic port. Check with your system administrator to determine whether this new connection should also be using a static port.

Enter the ports to use to communicate with the coordinator:

* 
NOTE: A zero (0) indicates that a dynamic port is being used. If you have set a static port and wish to use a dynamic port, change the port number back to 0.
Client Port
Enter the static port number to be used by the client to communicate with the coordinator.
Public SDK Port
Enter the static port number to be used by external applications to access the coordinator.
Agent Port
Enter the static port number to be used for communication between a agent and a coordinator.
Protection page

By default, Change Auditor stores the Active Directory and GPO protection templates in SQL. However, you can use the Protection page of the Coordinator Configuration dialog to store the Active Directory and GPO protection templates in Active Directory instead of SQL.

When you select to store your Active Directory and Group Policy protection templates in Active Directory, you can use the Security feature on the Active Directory Protection page or Group Policy Protection page to provide an additional layer of security. The additional setting is intended when you require tighter security ACLs on your Active Directory and GPO objects and templates (for example, the Change Auditor SQL database may not be fully secured by ChangeAuditor Administrators). For more information about setting this additional security on protected objects, see the Change Auditor for Active Directory User Guide.

Specify the appropriate option for storing Active Directory/GPO protection and ADAM (AD LDS) protection:

Store Active Directory/GPO protection in:
Select one of the following options:
SQL (default)
AD
Store ADAM (AD LDS) protection in:
Select one of the following options:
SQL (default)
AD
LDAP Authentication page

From this page you can specify the authentication method to use to make Active Directory requests.

Select Simple Authentication and Security Layer (SASL) to use Kerberos or NTLM.
Select Secure Socket Layer (SSL) to use certificates.
IMPORTANT: If you choose SSL, please see the Change Auditor Install Guide for important guidelines.
NOTE: When making Active Directory requests, credentials and message content are encrypted for both authentication methods.
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione