
Change Auditor 7.0.3 - User Guide


Excluded Accounts templates

To exclude accounts from auditing, you must first create an Excluded Accounts template which specifies the user or computer accounts that are to be excluded. You can then add this template to an agent configuration, which then needs to be assigned to the appropriate agents.

2. Select Excluded Accounts (under the Configuration heading in the Auditing task list) to open the Excluded Accounts Auditing page.
3. Click Add to start the Excluded Accounts wizard, which will step you through the process of creating an Excluded Accounts template.
Template Name - Enter a name for the template.
Use the Browse or Search pages to locate and select the account to be excluded. Click Add to add the selected account to the list box at the bottom of the page.
Click Add to add the string to the Account list.
7. After specifying the accounts to be excluded, click Finish to create the template without assigning it to an agent configuration.
Clicking Finish creates the template, closes the wizard and returns to the Excluded Accounts Auditing page, where the newly created template will now be listed.
8. To create the template and assign it to an agent configuration, expand the Finish button and click Finish and Assign to Agent Configuration.
9. On the Agent Configuration page, select the agents assigned to use the modified agent configuration and click Refresh Configuration to ensure the agents are using the latest configuration.
3. Click Finish or expand the Finish button and click Finish and Assign to Agent Configuration.

Disabling allows you to temporarily stop excluding the specified accounts without having to remove the auditing template.

Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.
The entry in the Status column for the template will change to ‘Disabled’.
2. To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

Excluded Accounts wizard

The Excluded Accounts wizard is displayed when you click Add on the Excluded Accounts Auditing page. This wizard steps you through the process of creating a new Excluded Accounts template, identifying the user, computer or group accounts to be included in the template. You will also use this wizard to modify a previously defined Excluded Accounts template.

The following table provides a description of the fields and controls in the Excluded Accounts wizard:

On the first page of the wizard, enter a name for the template and optionally select the event classes/facilities to be excluded.

Template Name

Enter a descriptive name for the Excluded Accounts template being created.

Facility/Event Class data grid

The data grid located across the middle of the page displays all of the event classes available for auditing in Change Auditor.

By default, all event classes/facilities will be excluded for the selected accounts. To exclude individual event classes and/or facilities, use this grid to select the event classes and/or facilities to be excluded and use Add to add them to the Exclusion list box at the bottom of the page.

Exclusion list

The list box located at the bottom of this page displays the individual event classes or facilities selected for exclusion. Use the buttons above this list box to add or remove entries from this list.

Add | Add This Event - Click this option to add the selected events to the list box. This option is selected by default when more than one event is selected in the data grid.
Add | Add All Events in Facility - Click this option to add all of the events in the selected facility to the list box. This option is only available when a single event is selected in the data grid.
Remove - Select an entry in the list box and click the Remove button to remove it from the template.

Use this page to select the individual accounts to be excluded from auditing.

Browse page

Displays a hierarchical view of the directory objects in your environment, allowing you to locate and select the account(s) to be excluded from auditing.

Once you have selected an account, click Add to add it to the list box at the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate the desired account.

Once you have selected an account, click Add to add it to the list box at the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Account list

The list box located across the bottom of this page displays the accounts selected for exclusion. Use the buttons located above this list box to add and remove objects.

Add - Select an account in the Browse or Search page and click Add to add it to the list.
Remove - Select an entry from the list and then click Remove to remove it.

Use this page to optionally add additional user accounts (Domain(NetBIOS)\NT 4 account) that match a wildcard search expression to the excluded accounts list.

Search expression

In the text box, enter the string of characters and/or wildcard character to be used to search for additional user accounts that are to be excluded from auditing. Valid wildcards are:

Click Add to add the string to the Account list.

Account list

The list at the bottom of the page displays the wildcard search expressions to be used to search for additional user accounts that are to be excluded from auditing. Use the buttons to the left of the text box to add, remove and modify a search expression.

Add - Click Add to add the search expression in the text box to the Account list.
Remove - Select an entry in the Account list and click Remove to remove it from the list.
Modify - Select an entry in the Account list, make the necessary changes to the search expression (which is displayed in the text box) then click the Modify button to replace it in the Account list.
NOTE: If you click Add after modifying a search expression, an additional entry will be added instead of replacing the original search expression.

Registry Auditing

Introduction

The ability to audit registry settings improves operational efficiency dramatically. For example, some applications, such as virus scanning software, modify registry keys when an update is installed. By capturing these change events proactively, administrators can determine whether or not specific machines received an update.

Furthermore, other applications may warrant the tracking of modifications to certain registry settings to ensure that they have not been tampered with. Change Auditor’s registry auditing feature allows you to audit changes to a specific key or to a folder and its sub folders.

To capture registry events, you must define the registry keys to be audited and the events to be captured:
