Converse agora com nosso suporte
Chat com o suporte

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Deploy agents

Previous Next

Deploy agents

Agents deployed to servers (domain controllers and member servers) track changes in real time. When a change is made on a server, the agent captures the change information (audit event), batches and forwards the information to the coordinator, which then inserts the event details into the Change Auditor database.

* 
NOTE:  
If the Change Auditor for Logon Activity Workstations auditing module is licensed, you must deploy agents to the workstations that you want to monitor.
For information on deploying and installing agents in a foreign forest, see the Change Auditor Installation Guide.
To deploy agents:
1
Verify that the user account used to deploy agents is at least a Domain Admin in every domain that contains servers and workstations where agents are to be deployed.
2
Verify that the user account is also a member of the ChangeAuditor Administrators group in the specified Change Auditor installation.
3
Open the Change Auditor client. The Deployment page is displayed if agents have not yet been deployed. Otherwise, use View | Deployment to open the Deployment page.

The Deployment page is populated with the servers (domain controllers and member servers) and workstations discovered in your Active Directory environment.

* 
NOTE: The Deployment page may initially be empty until the current forest’s server topology has been initially harvested. This page is automatically refreshed after this task has completed.
4
From this list, select an entry and select Credentials | Set to enter the proper user credentials for installing agents on the selected domain.
* 
NOTE: If you are using a group Managed Service Account, see Using group Managed Service Accounts (gMSA) for additional requirements.

On the Domain Credentials dialog, select the domain from the list and click Set. On the Logon Credentials dialog enter the credentials of a user with administrator rights on the selected domain.

5
After entering the proper credentials, select the entry back on the Deployment page and select Credentials | Test. If you get a Valid Creds status in the Deployment Result column, you can start deploying agents to that domain.

If you get a Logon Failure status in the Deployment Result column, use the Credentials | Set command to reenter the proper credentials for installing agents.

6
By default, the Change Auditor agent folders (Agent, Systray) is installed to %ProgramFiles%\Quest\ChangeAuditor. You can, however, change the location of the installation folder by clicking Advanced Options.
7
Select one or more servers and workstations on the Deployment page and click Install or Upgrade.
8
On the Install or Upgrade dialog select one of the following options to schedule the deployment task:
Now (default)
When

If you select the When option, enter the date and time when you want the deployment task to be initiated. Click OK to initiate or schedule the deployment task.

Back on the Deployment page, the Agent Status column will display ‘Pending’ and the When column will display the date and time specified.

* 
NOTE: To cancel a pending deployment task, select the server and workstation and then click Install or Upgrade. On the Install or Upgrade dialog, click Clear Pending.
9
As agents are successfully connected to the coordinator, the corresponding Deployment Result cell displays ‘Success’, the Agent Status cell displays ‘Active’ and a desktop notification is displayed in the lower right-hand corner of your screen.
* 
NOTE: To deactivate these desktop notifications, select Action | Agent Notifications.

After the deployment, you will see a previous version of an agent in the Version cell if you installed the agent on an unsupported platform. See the Change Auditor Installation Guide for more details.

Connect to a different foreign forest/update credentials

Previous Next

Connect to a different foreign forest/update credentials

Once an agent is installed, you can select to use a different coordinator in another forest or update the credentials.

* 
IMPORTANT: The agent must be restarted once a change has been made.
To update foreign agent credentials from the Change Auditor client
1
Select the Deployment tab.
2
Select one or more deployed foreign agent servers or workstations and click Foreign Agent Credentials.
* 
NOTE:  
Multiple agents in the same foreign forest can be selected, scheduled and (when scheduled to do so) processed concurrently.
Agents in different foreign forests must be selected and scheduled separately but (when scheduled to do so) can be processed concurrently.
3
Select one of the following options to initiate or schedule the task and click OK:
Now (default)
When (If you select this option, enter the date and time when you want the task to initiate.)
4
Enter the Active Directory credential information to locate the Change Auditor Installation and allow the agent to connect to the coordinator in the remote forest.
Coordinator Forest Root (example.com): Enter the coordinator forest root domain name and an account to be used by the agent to connect to the coordinator.
Account Name (example.com\user): Enter the name of the account that can find and connect to a coordinator in the Active Directory forest.
Account Password : Enter the password associated with the specified account.
Account Type: Select the account type of the specified account.
* 
NOTE: If you are using a group Managed Service Account, see Using group Managed Service Accounts (gMSA) for additional requirements.
5
Click OK to initiate or schedule the credential update task.

 

* 
NOTE: You can alternatively update the forest and credentials using the Coordinator Credential Configurator which is accessed by:
Right-clicking the agent SysTray and selecting Coordinator Credential Configurator, or
Running the CoordinatorCredentialConfigurator.exe file in the agent installation folder on the agent server. (By default, this is located under %ProgramFiles%\Quest\ChangeAuditor\Agent.)

If User Account Control is enabled, you may need to authorize the Coordinator Credential Configurator to use the required elevated permissions by right-clicking on the tool and selecting 'Run as administrator' option.

Change the agent installation location and system tray option

Previous Next

Change the agent installation location and system tray option

By default, the Change Auditor agent folders (Agent, Systray) is installed to %ProgramFiles%\Quest\ChangeAuditor\. You can, however, change the location of the installation folder by selecting Advanced Options on the Deployment page.

* 
NOTE: The other option available under Advanced Options are discussed in the Active Roles Integration section in the Change Auditor Installation Guide.
To change the agent installation location and system tray option:
1
On the Deployment page, select one or more agents from the server/workstation list, and click Advanced Options.
2
To change the installation folder, check the Specify Agent Installation Location check box and enter the location to use for the agent installation folder.
* 
NOTE: The location entered is used for all servers and workstations with agents selected on the Deployment page.
3
Select the appropriate option to specify the action to take if the path entered cannot be created on a server or workstation:
Use the default location and continue (Default)
Fail the installation/upgrade for that agent
4
By default, the system share (ADMIN$) is used; however, you can use a different share by selecting the Specify a Custom Share on the Remote Server option and entering the share to use.
5
Use the Launch ServiceStatusTray on startup options to indicate whether you would like to run/install the Change Auditor agent system tray icon when the agent is started.
Yes - launch the ServiceStatusTray on startup
No - do not launch the ServiceStatusTray on startup
Do not change - do not change the ServiceStatusTray launch option (default)
* 
NOTE: The agent system tray icon (and the LaunchServiceStatusTray on startup setting) applies only to server agents. For more information about this icon, see Agent system tray icon.
6
Use the Restart Agent on failure options to indicate whether to restart an agent if it fails to start.
Yes - restart agent on failure.
No - do not restart agent on failure
Do not change - do not change the restart agent option (default)
* 
NOTE: When you select Yes, the agent is restarted if a main Change Auditor service goes offline due to a crash, failure or unknown exception; however, if the agent is gracefully shut down, the service will not be restarted.
7
Optionally, select Save as Default to save the current advanced deployment settings as the default for future agent deployments.

You can select Restore to Default to restore all the advanced deployment settings to the factory default or last saved defaults.

8
Click OK to save your selections and close the dialog. These deployment settings apply to all the agents selected on the Deployment page.

Enable auto deployment

Previous Next

Enable auto deployment

Auto deployment allows you to automatically deploy an agent to any new domain servers that are added to your forest.

* 
NOTE: Auto deployment does not apply to servers already in the topology that are promoted to domain controllers.
To enable auto deployment:
1
From the Deployment page, click Auto Deploy.
2
Select the Enable Auto Deployment to New Servers option.

If you enable Do Not Deploy on Read-Only DCs (Not Recommended), when a read-only domain controller is added to the domain, the agent is not installed on it.

If Do Not Deploy on Read-Only DCs (Not Recommended) is disabled (default state), when a read-only domain controller is added to the domain, the agent is installed on it.

3
If required, select Enable Auto Deployment to New Workstations check boxes.
4
Select one of the following options to specify the servers to which agents are to be deployed:
All New Servers/Workstations (default)
Include New Servers/Workstations in Container(s)
Exclude New Servers/Workstations in Container(s)
Include Read-Only DCs (default)
5
When the Include New Server/Workstations in Container(s) or Exclude New Server/Workstations in Container(s) option is selected, click Add to locate and select individual containers.
6
Clicking Add displays the Select Active Directory Objects dialog. Use the Browse or Search page to locate and select a container. Once a container is selected, click Add to add it to the Selection list. Once you have added all the containers, click Select to save your selection and close the dialog.

The containers specified are displayed in the Containers list on the Auto Deploy to New Computers dialog.

7
By default, Change Auditor checks if new servers are added to the forest every 60 minutes and if found will automatically deploy an agent. However, you can use one of the following Check for New Computers Added to Forest options to change this interval:
Every nn Minutes
Every Day At <time>
8
Click Set to specify the credentials of a user with administrator rights on the selected domains. Click OK to save these user credentials and close the Logon Credentials dialog.
* 
NOTE: If you are using a group Managed Service Account, see Using group Managed Service Accounts (gMSA) for additional requirements.
9
Click OK to save your selections and close the Auto Deploy to New Computers dialog.
Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação