Chat now with support
Chat with Support

Change Auditor for EMC 7.2 - Event Reference Guide

Log Events

When event logging for EMC is enabled on the Agent Configuration page of the Administration Tasks tab in Change Auditor, EMC audited events will also be written to a Windows event log, named ChangeAuditor for EMC event log. These log events can then be gathered by InTrust and Quest Knowledge Portal for further processing and reporting.

NOTE: To enable event logging, select Event Logging on the Agent Configuration page (Administration Tasks tab), and the type of event logging to enable.

The following table lists the log events captured when EMC event logging is enabled. They are listed in numeric order by event ID.


EMC Folder Created


EMC Folder Deleted


EMC Folder Moved


EMC Folder Renamed


EMC Folder Ownership Changed

EMC Folder Ownership Changed (no from-value)


EMC Folder Access Rights Changed

EMC Folder Access Rights Changed (no from-value)


EMC File Created


EMC File Deleted


EMC File Moved


EMC File Renamed


EMC File Ownership Changed

EMC File Ownership Changed (no from-value)


EMC File Access Rights Changed

EMC File Access Rights Changed (no from-value)


EMC File Opened


EMC File Contents Written

Notes and Performance Considerations

This section contains a numerical list of notes for Change Auditor for EMC events.

Only EMC events initiated via a Common Internet File System (CIFS) are captured. EMC events initiated via FTP, NFS or other protocols are not captured.

Events are generated as described below when actions are taken on folders that have subordinate files and folders:

Moving a parent folder: For a ‘Move’ operation, only one event will be generated for the parent folder because action is only on the parent folder’s path, none of the child folders or files are physically moved.
Deleting a parent folder: For a ‘Delete’ operation, an event will be generated for each folder or file because each object will be removed separately.
Copying a parent folder: For a ‘Copy’ operation, an event will be generated for each folder and file because a new object will be created within the target folder.

If a parent folder is copied to a target folder that is not being monitored, no event will be generated. The target folder must be monitored in order for an event to be generated.

Security events do not return a ‘From’ value. The security events that return a ‘From’ value require synchronous event exchange and can have a negative impact on performance. Whereas, the ‘no from-value’ events allow Change Auditor to connect and use asynchronous interfaces.

You may improve performance by assigning an EMC Auditing template to more than one Change Auditor Agent. When multiple agents are assigned to the same EMC Auditing template, events will be load balanced between these agents. However, the downside is that the ‘where’ field for EMC events may contain any one of the agents being monitored by this single auditing template. In addition, if EMC event logging is enabled in Change Auditor, events will be written on multiple agent servers.

Change Auditor access control list (ACL) events (that is, discretionary access control list (DACL) and system access control list (SACL) changes) will not report inherited access control entry (ACE) changes.

For performance and limitations in EMC APIs, the ‘from’ value is not available for the following events when auditing EMC file servers:

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating