
Change Auditor 7.0.3 - User Guide


Info tab

From the Info tab, you can view or enter the name and description of a search definition. You can also define the maximum number of records to be retrieved and displayed, or enable a refresh interval that defines how often the client retrieves and redisplays updated information.

The Info tab contains the following information and controls:

Search Name

Displays the name of the selected search.

When creating a search, place your cursor in this text box and enter a descriptive name for the search.

Search Description

Displays the description of the selected search.

To add a description to a new search, place your cursor in this text box to enter a brief description of the search.

Search Limit

Specifies the maximum number of records to retrieve and display. By default, a maximum of 50,000 records is returned from the database during a single request. Select this check box and use the arrow controls to change the search limit for the selected search.

Refresh Interval

Specifies how often the client is to retrieve and redisplay updated information. Select this check box and use the arrow controls to enable and set the refresh interval for the selected search.

When this option is checked, an extra field, Next Refresh, is added to the heading area of the Search Results grid.

1. Place your cursor in the Search Name text box and enter a descriptive name for the search.
2. Place your cursor in the Search Description text box and enter a brief description of the search.

The Search Limit field specifies the maximum number of records to retrieve and display for the selected search. By default, a maximum of 50,000 records are returned from the database during a single request.

The Refresh Interval field specifies how often to retrieve and redisplay updated information.

1. Select the Refresh Interval check box to enable this feature and activate the field to the right of it.
When this option is checked, an extra field, Next Refresh, is added to the heading area of the search results grid whenever this search is run.

Who tab

The Who tab allows you to view or define the users, computers, and groups to include in (or exclude from) the search definition. When multiple ‘who’ criteria are specified, Change Auditor uses the ‘OR’ operator to evaluate change events, returning events for activity performed by any of the users, computers, or groups listed.

The Who tab contains the following information and controls:

Runtime Prompt

Select this check box to prompt for the ‘who’ criteria when this search runs. That is, when you select Run, the Select Active Directory Object dialog is displayed allowing you to locate and select the users, computers, or groups to search.

Exclude the Following Selection(s)

Select this check box to specify the users, computers, or groups to exclude from the search. That is, Change Auditor is to search all users, computers, and groups except those listed.

Include Event Source Initiator

Select this check box if you want to include Active Roles or GPOADmin events in the search. Selecting this check box instructs Change Auditor to retrieve all change events made by the specified user account, including those initiated by Active Roles and GPOADmin.

Who list

Contains the individual users, computers, and groups to include in the search (or to exclude from the search if the Exclude the Following Selection(s) option is checked).

By default, all users, computers, and groups are included in a new search definition and therefore, this list is empty.

1. On the Who tab, click Add to add an active user, computer, or group to the ‘who’ list.
3. After selecting one or more directory objects, click Select to save your selection and close the dialog.
NOTE: You can use Add with Events (instead of Add) to select a user, computer, or group that already has an audit event associated with it in the database. The accounts available for selection are based on the ‘when’ clause (When tab) and the search limit (Info tab) specified for the current search.

Use this to search for events that are tied to users who have been removed from Active Directory.

TIP: If you are running Active Roles or GPOADmin and want to include events generated by Active Roles or GPOADmin in the search, select the Include Event Source Initiator check box. For more information, see the Active Roles Integration or GPOADmin Integration sections in the Change Auditor Installation Guide.
1. On the Who tab, expand Add and select the Add Wildcard Expression option.
For example, LIKE *admin* finds all users with the character string ‘admin’ anywhere in the name.
NOTE: When using the Group option, the Group Membership Expansion option on the Coordinator Configuration page (on the Administration Tasks tab) must be set to Expand all groups.
3. After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘who’ list.

What tab

Use the What tab to define ‘what’ entities to include in (or exclude from) the search. More specifically, using this tab you can create a search for events based on subsystem, event class, object class, severity, or result.

When criteria are specified on the What tab, Change Auditor retrieves only those events that match the criteria listed on the What tab. When multiple ‘what’ criteria are specified on this tab, Change Auditor uses the ‘AND’ operator to evaluate an event and returns only those events that meet all the specified criteria. However, when multiple subsystems (for example, Active Directory, ADAM, and Exchange) are specified, Change Auditor uses the ‘OR’ operator to evaluate these entities, returning events that meet any of the specified subsystem criteria. The same applies to event classes: when multiple event classes are specified, Change Auditor uses the ‘OR’ operator and returns events of any of the specified classes.

Once criteria are added, the criteria list box contains an expandable view displaying the following information for all the criteria defined for the search definition:

Entity

Lists the entity (subsystem, event class, object class, severity, or result) selected. Expanding the Entity entry displays the specific criteria and any options or restrictions defined as part of the search criteria.

Click the expansion box to the left of the Entity field to expand this view.

For information about the events available for each entity, see the corresponding guide:

Object Class - Change Auditor for Active Directory User Guide
Subsystem | Active Directory - Change Auditor for Active Directory User Guide
Subsystem | AD Query - Change Auditor for Active Directory Query User Guide
Subsystem | ADAM (AD LDS) - Change Auditor for Active Directory User Guide
Subsystem | Azure Active Directory - Office 365 and Azure Active Directory Auditing User Guide
Subsystem | Exchange - Change Auditor for Exchange User Guide
Subsystem | File System - Change Auditor for Windows File Servers User Guide, Change Auditor for EMC User Guide or Change Auditor for NetApp User Guide
Subsystem | Group Policy - Change Auditor for Active Directory User Guide
Subsystem | Logon Activity - Change Auditor for Logon Activity User Guide
Subsystem | Office 365 - Office 365 and Azure Active Directory Auditing User Guide
Subsystem | SharePoint - Change Auditor for SharePoint User Guide
Subsystem | SQL - Change Auditor for SQL Server User Guide
1. On the What tab, click Add. (Or expand the Add button and select Event Class.)
NOTE: You can use the Add with Events | Event Class command (instead of Add | Event Class) to select an entity that already has an event in the database.
2. On the Add Facilities or Event Classes dialog, select a single event, click Add, and select Add This Event or Add All Events in Facility.
To restrict the selected event by parameter, select the Filter by parameter check box and then select from the available parameter values that are enabled (for example, for the DNS Entry Type parameter, you can select Static and/or Automatically expiring).
If the event has not been added to the Selections list box, click Add to add the event to the selection list.
If the event was previously added to the Selections list box, click Update Restriction to update the restrictions for the event.
NOTE: You can also use the Shift and Ctrl keys to add multiple event classes to the selection list. However, the restrictions pane and the Add | Add All Events in Facility command are not available when multiple event classes are selected.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all event classes and facilities except those listed in the ‘what’ list.
1. On the What tab, expand Add and select Subsystem | Local Account.
NOTE: You can use the Add with Events | Subsystem | Local Account command (instead of Add | Subsystem | Local Account) to select an entity that already has an event in the database.
All Objects - select this option to include all objects
This Object - select this option to include individual objects
3. If you selected This Object, the data grid, which displays a list of all the users and groups in the local SAM databases on the selected Member Server, and its associated buttons are enabled.
4. To add an account, select the account in the data grid and click Add to add it to the selection list at the bottom of the dialog. Repeat to add more accounts.
6. To select a local account on a different computer, click Browse to the right of the Account field. On the Select Active Directory Object dialog, use the Browse or Search pages to locate and select another computer. Click Select to save your selection and close the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events generated by all local accounts except those listed in the ‘what’ list.
1. On the What tab, expand Add and select Subsystem | Registry.
NOTE: You can use Add with Events | Subsystem | Registry (instead of Add | Subsystem | Registry) to select an entity that already has an event in the database.
All Registry Keys - include all registry keys
This Object - include only the selected objects
This Object and Child Objects Only - include the selected objects and their direct child objects
This Object and All Child Objects - include the selected objects and all subordinate objects (at all levels)
3. By default, All Actions is selected, meaning that all the registry actions listed are included in the search definition. However, you can clear the All Actions option and select the individual actions to include in the search.
All Actions - include all the actions. When this option is selected, all the other options are disabled. (Default)
Add Value - include events where a new value is added to the selected registry key.
Delete Value - include events where a registry key value is removed.
Modify Value - include events where a registry key value is modified.
Add Key - include events where a new registry key is added.
Delete Key - include events where a registry key is removed.
4. When a scope option other than All Registry Keys is selected, the registry key hierarchy is enabled, allowing you to locate and select an individual registry key.
Expand the hierarchy to locate and select a registry key. Then click Add to add it to the selection list box at the bottom of the dialog. Repeat to add more registry keys.
NOTE: If you selected Add With Events, the registry key hierarchy pane is replaced with a data grid listing the registry keys that have an event associated with it in the database.
6. To select a registry key on a different computer, click Browse to the right of the Path field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another computer. Click Select to save your selection and close the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events in all registry keys except those listed in the ‘what’ list.
1. On the What tab, expand Add and select Subsystem | Service.
NOTE: You can use Add with Events | Subsystem | Service (instead of Add | Subsystem | Service) to select an entity that already has an event in the database.
2. You can also click Add All to include all the listed services in the search definition.
3. To select services on a different computer, click Browse to the right of the You are viewing services on field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another computer. Click Select to save your selection and close the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events for all services except those listed in the ‘what’ list.
1. On the What tab, expand Add and select Subsystem | VMware.
NOTE: You can use Add with Events | Subsystem | VMware (instead of Add | Subsystem | VMware) to select a host that already has an event associated with it in the database.
2. On the Add VMware Host dialog, select the This Object option. Selecting this option enables the remaining fields and controls on this dialog.
Click the check box under the Host Name heading to specify the VMware host (vCenter Server or host computer) to include in the search.
NOTE: If both the Host Name and VM Name are specified, both expressions must be met before an event is returned.
Click Add to add the expression to the selection list at the bottom of the page.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all VMware hosts except those listed in the ‘what’ list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for the VMware host every time the search is run. When this check box is checked, the options on this dialog are disabled.

You cannot enable alerting for search definitions that use the Runtime Prompt option.

1. On the What tab, expand Add and select Severity.
NOTE: You can use Add with Events | Severity (instead of Add | Severity) to select a severity that already has an event associated with it in the database.
2. On the Add Severities dialog, select one or more severity levels and click Add to add them to the selection list box at the bottom of the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all events except those assigned a severity level that is listed in the ‘what’ list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a severity every time the search is run. When this check box is checked, the data grid and buttons on this dialog are disabled.


1. On the What tab, expand Add and select Result.
NOTE: You can use Add with Events | Result (instead of Add | Result) to select an entity that already has an event associated with it in the database.
2. On the Add Results dialog, select one or more results (none, success, protected, or failed) and use Add to add them to the selection list box at the bottom of the dialog.
NOTE: Select the Exclude The Above Selection(s) check box if you want to search for all events except those with the selected result.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a result every time the search is run. When this check box is checked, the data grid and buttons on this dialog are disabled.


Where tab

The Where tab allows you to specify which agents to include in (or exclude from) the search definition. You can select individual agents, all agents in a specific domain, or a given site. When multiple ‘where’ criteria are added to this tab, Change Auditor uses the ‘OR’ operator to evaluate change events, returning events captured by any of the specified agents, domains, or sites.

The Where tab contains the following information and controls:

Runtime Prompt

Select this check box to prompt for the ‘where’ criteria whenever the search is run. That is, when Run is selected, the Select Active Directory Objects dialog is displayed allowing you to locate and select the agents, domains, or sites to include in the search definition.

NOTE: When this check box is checked, Add is deactivated.

Exclude the Following Selection(s)

Select this check box to specify the agents, domains, or sites to exclude from the search. That is, Change Auditor is to return events generated from all agents except those listed in the Where list.

Where list

By default, all agents are included in a new search and therefore this list box is initially empty.

Once criteria are selected, this list box contains the agents, domains, sites, and server type (if specified) to include in the search (or to exclude from the search if the Exclude the Following Selection(s) option is checked).

3. Click Add to add your selection to the selection list box at the bottom of the page.
NOTE: You can use Add With Events (instead of Add) to select an agent, domain, or site which already has an event associated with it in the database.
1. On the Where tab, expand Add and select Add Wildcard Expression.
For example, LIKE *local finds all agents with a NetBIOS name that ends in ‘local’.
3. After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘where’ list.
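The evaluation rules described on the Who, What, and Where tabs (‘OR’ within the ‘who’ and ‘where’ lists and within one ‘what’ entity, ‘AND’ across ‘what’ entities, inversion by the Exclude option, LIKE wildcard expressions, and truncation at the search limit) are easy to get wrong when building a search by hand. The following Python model is an added illustration, not Change Auditor code: the event field names, the sample events, and the treatment of ‘*’ as the only wildcard character are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field


def like_to_regex(expr: str) -> re.Pattern:
    """Translate a wildcard expression such as 'LIKE *admin*' into a regex.
    Assumption for this example: '*' matches any run of characters, every
    other character is literal, and matching is case-insensitive."""
    body = expr.strip()
    if body[:5].upper() == "LIKE ":
        body = body[5:].strip()
    pattern = ".*".join(re.escape(part) for part in body.split("*"))
    return re.compile(rf"^{pattern}$", re.IGNORECASE)


def entry_matches(value: str, entry: str) -> bool:
    """A list entry is either a LIKE expression or an exact (case-insensitive) name."""
    if entry.strip()[:5].upper() == "LIKE ":
        return like_to_regex(entry).match(value) is not None
    return value.casefold() == entry.strip().casefold()


@dataclass
class Group:
    """One criteria list: the 'who' list, the 'where' list, or one 'what' entity.
    An empty list means no restriction. Entries are ORed; exclude models the
    'Exclude the Following/Above Selection(s)' check box and inverts the result."""
    entries: list[str] = field(default_factory=list)
    exclude: bool = False

    def matches(self, value: str) -> bool:
        if not self.entries:
            return True
        hit = any(entry_matches(value, e) for e in self.entries)
        return not hit if self.exclude else hit


@dataclass
class SearchDefinition:
    who: Group = field(default_factory=Group)
    where: Group = field(default_factory=Group)
    # 'what' entities keyed by event field; every populated entity must match (AND).
    what: dict[str, Group] = field(default_factory=dict)
    search_limit: int = 50_000  # default from the Info tab

    def event_matches(self, ev: dict) -> bool:
        return (self.who.matches(ev["who"])
                and self.where.matches(ev["agent"])
                and all(g.matches(ev[entity]) for entity, g in self.what.items()))

    def run(self, events: list[dict]) -> tuple[list[dict], bool]:
        """Return (matching events up to the search limit, whether the limit cut the set)."""
        hits = [e for e in events if self.event_matches(e)]
        return hits[: self.search_limit], len(hits) > self.search_limit


# Constructed sample events for the example (not real Change Auditor output).
SAMPLE_EVENTS = [
    {"id": 1, "who": "CORP\\t.admin", "agent": "DC01", "subsystem": "Active Directory",
     "event_class": "Member Added to Group", "severity": "High", "result": "Success"},
    {"id": 2, "who": "CORP\\svc-admin-backup", "agent": "DC02", "subsystem": "Active Directory",
     "event_class": "User Account Deleted", "severity": "High", "result": "Success"},
    {"id": 3, "who": "CORP\\j.operator", "agent": "DC01", "subsystem": "Group Policy",
     "event_class": "GPO Modified", "severity": "High", "result": "Success"},
    {"id": 4, "who": "CORP\\t.admin", "agent": "FS01", "subsystem": "File System",
     "event_class": "File Deleted", "severity": "Medium", "result": "Success"},
    {"id": 5, "who": "CORP\\helpdesk-admin", "agent": "DC01", "subsystem": "Active Directory",
     "event_class": "Password Reset", "severity": "Low", "result": "Failed"},
]

# Who: anyone matching *admin*. Where: every agent except DC02.
# What: subsystem Active Directory OR Group Policy, AND severity High.
PRIVILEGED_AD_CHANGES = SearchDefinition(
    who=Group(["LIKE *admin*"]),
    where=Group(["DC02"], exclude=True),
    what={
        "subsystem": Group(["Active Directory", "Group Policy"]),
        "severity": Group(["High"]),
    },
)


def matching_ids(search: SearchDefinition, events: list[dict] = SAMPLE_EVENTS) -> list[int]:
    hits, _ = search.run(events)
    return [e["id"] for e in hits]


if __name__ == "__main__":
    print(matching_ids(PRIVILEGED_AD_CHANGES))  # [1]
```

Event 2 is dropped only because of the ‘where’ exclusion of DC02; remove that and it is returned as well, which is how the tabs combine. When `run` reports a truncated result set, the 50,000-record default from the Info tab has cut the results, so raise the search limit or narrow the ‘when’ range before treating the result as complete.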
1. On the Where tab, expand Add and select Add Server Types.
3. Click OK to close the dialog and add the server type to the ‘where’ list.