
Change Auditor 7.0.3 - User Guide


Change Auditor Agent Status dialog

The Change Auditor Agent Status dialog helps you determine if the agent is running and what version is installed on the domain controller. The other status information in the dialog is broken down into the following sections:

Agent Information - displays the status, version number, the coordinator installation name to which the agent is connected, and the agent’s database size
Events - displays audit event activity
Coordinator Connection - displays information regarding the connection between the agent and the coordinators

This dialog contains the following status information:

Agent is

The current agent status:

Version

The current version of the agent installed on the server.

Installation Name

The installation name assigned to the coordinator to which the agent is connected.

DB Size (KB)

The size of the agent database, in kilobytes. This is dependent on the number of monitored Active Directory, registry and file system objects, and the number of events queued for transmission to the coordinator. If a coordinator is not available, this database may become large. When the events are successfully sent to a coordinator, the database space is re-used for subsequent events, but the displayed database size will not decrease.

License

The licenses that are applied. Use the arrow controls to scroll through the licenses.

Contains indicators of internal Change Auditor activity and may be used by Quest Support should they need to diagnose agent problems.

AD Events

If licensed (Change Auditor for Active Directory), this is the number of Active Directory related events processed by the agent. This field will be blank for agents running on member servers.

ADAM Events

If licensed (Change Auditor for Active Directory), this is the number of ADAM events processed by the agent.

Exchange Events

If licensed (Change Auditor for Exchange) and configured, this is the number of Exchange Mailbox events processed by the agent.

Local Security Events

If licensed (Change Auditor for Active Directory), this is the number of local user and group (SAM) events processed by the agent.

File System Events

If licensed (Change Auditor for Windows File Servers) and configured, this is the number of File System events processed by the agent.

Registry Events

If configured, this is the number of Registry events processed by the agent.

VMware Events

If configured, this is the number of VMware events processed by the agent.

SQL Events

If licensed (Change Auditor for SQL Server) and configured, this is the number of SQL Server events processed by the agent.

NetApp Events

If licensed (Change Auditor for NetApp) and configured, this is the number of NetApp filer events processed by the agent.

EMC Events

If licensed (Change Auditor for EMC) and configured, this is the number of EMC events processed by the agent.

SharePoint Events

If licensed (Change Auditor for SharePoint) and configured, this is the number of SharePoint events processed by the agent.

Azure AD Events

If licensed (Change Auditor for Active Directory) and configured, this is the number of Azure AD events processed by the agent.

Logon Events

If licensed (Change Auditor for Logon Activity User), this is the number of user logon activity events processed by the agent.

Office 365 Events

If configured (Change Auditor for Exchange and Change Auditor for SharePoint), this is the number of Exchange Online, SharePoint Online, and OneDrive for Business events processed by the agent.

Other Events

This is the number of events processed by the agent that do not ‘fit’ into the other event categories (e.g., Authentication Services events, Service events, etc.).

FluidFS Events

If licensed (Change Auditor for FluidFS), this is the number of Fluid File System events processed by the agent.

Excluded Events

If configured, this is the number of events excluded by the agent because they originated from a user or computer that was defined as an excluded account.

Skype for Business Events

If licensed (Change Auditor for Skype for Business) and configured, this is the number of Skype for Business events processed by the agent.

Connected

The computer name (and SCP port) of the coordinators to which this agent is currently connected.

NOTE: For more details on agent connection behavior, see Installation Notes and Best Practices in the Quest Change Auditor Installation Guide.

All

The list of all available coordinators in the installation.

Last Conf Update

The time when the agent last downloaded the agent configuration information/settings.

Events Last Sent

The local time when the last event was sent. If no events have been detected by Change Auditor recently, this time may be fairly old.

Events Sent

The number of events that have been sent to a coordinator since the agent was last started.

Acknowledged

The number of events that a coordinator has acknowledged.

Normally, this value will be the same as Events Sent. However, it may be smaller if the coordinator is not running, or if the coordinator is processing a large number of events, which may be slowing it down. Events may also be lost due to communication problems, in which case the agent will try to re-send the events.

Events Waiting

The number of events in the agent database that are waiting to be forwarded to a coordinator.

This value should be at or near zero when the server is idle, but can grow if it is busy. If the value never returns to zero, it may indicate that the agent is having difficulty communicating with the coordinator service. If this is the case, contact Technical Support for assistance.
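The guidance above for Events Sent, Acknowledged, Events Waiting and DB Size (KB) can be applied to a series of readings taken over time. The following is an added example, not part of the Change Auditor product or this guide: the Reading structure, the assess function, the near_zero threshold and the sample values are all assumptions made for illustration, and the readings are presumed to have been recorded from the dialog by hand or by other means.

```python
from dataclasses import dataclass

@dataclass
class Reading:
    """One reading of the Agent Status dialog counters for a single agent."""
    minute: int          # minutes since the first reading
    events_sent: int     # "Events Sent" (counted since the agent last started)
    acknowledged: int    # "Acknowledged"
    events_waiting: int  # "Events Waiting"
    db_size_kb: int      # "DB Size (KB)"; never shrinks, so not used as a signal

def assess(readings, near_zero=5):
    """Classify an agent from readings in time order. near_zero is an assumed threshold."""
    if len(readings) < 2:
        return ["insufficient-data"]
    findings = []
    pairs = list(zip(readings, readings[1:]))
    # Events Sent restarts from zero when the agent service restarts.
    if any(b.events_sent < a.events_sent for a, b in pairs):
        findings.append("agent-restarted")
    # Events Waiting should return to (near) zero; if it never does, events are stuck.
    if min(r.events_waiting for r in readings) > near_zero:
        findings.append("backlog-never-drains")
    # Acknowledged normally equals Events Sent; a gap that only widens means the
    # coordinator is down, overloaded, or unreachable.
    gaps = [r.events_sent - r.acknowledged for r in readings]
    widening = all(b >= a for a, b in zip(gaps, gaps[1:])) and gaps[-1] > gaps[0]
    if widening and gaps[-1] > near_zero:
        findings.append("acknowledgement-gap-widening")
    return findings or ["healthy"]

# Constructed sample data (not taken from a real deployment).
RECOVERED = [Reading(0, 1000, 1000, 0, 2048),
             Reading(10, 1000, 1000, 400, 6144),   # coordinator briefly unavailable
             Reading(20, 1400, 1400, 0, 6144)]     # drained; DB size stays high
STUCK = [Reading(0, 500, 500, 20, 2048),
         Reading(10, 650, 560, 180, 4096),
         Reading(20, 800, 600, 420, 8192)]
RESTARTED = [Reading(0, 900, 900, 0, 2048),
             Reading(10, 40, 40, 0, 2048)]

if __name__ == "__main__":
    for name, data in (("recovered", RECOVERED), ("stuck", STUCK), ("restarted", RESTARTED)):
        print(name, assess(data))
```

The RECOVERED series is reported as healthy even though its DB size tripled and stayed there, which is why Events Waiting rather than DB Size (KB) is the value to watch for an audit backlog.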

View agent status/statistics

2. By default, the agent activity on all servers for the past month, excluding uninstalled agents, is displayed. Use the controls at the top of this pane to specify the type of agented objects to be included as well as the date range.
5. By default, this pane will only include active and inactive (installed) agents in the pie chart. You can, however, select the Show Uninstalled Agents check box to include agents that are set as ‘uninstalled’ in the pie chart.
1. Open the Agent Statistics page and click Refresh to retrieve updated information.
2. Click Show Uninstalled Agents to include uninstalled agents. Click Hide Uninstalled Agents to exclude uninstalled agents from the display.
Click Advanced Options on the Deployment page to display the Advanced Deployment Options dialog. From this dialog, select the appropriate Launch ServiceStatusTray on startup option (Yes or Do not change).

Manage Change Auditor agents

NOTE: You can use the Action | Agent Notifications menu command to hide (or display) the desktop notifications that are displayed when these processes are performed.
NOTE: The Stop Agent command is only available when an agent is ‘Active’.
5. If you so choose, click Set Agent Uninstalled to flag the selected agent as ‘Uninstalled’.
6. Click Show Uninstalled Agents to include uninstalled agents in the Agent Statistics list. Click Hide Uninstalled Agents to exclude uninstalled agents from the display.
2. On the confirmation dialog, click Yes to stop the agent service.
NOTE: The Start Agent command is only available when an agent is ‘Inactive’.

Agent Log page

A new log page is created whenever the View Agent Log command is selected and displays the event details recorded in the trace log for the selected agent.

The data grid and event details pane on this page contain the following information for each log entry. The Default column in the table below identifies the fields that are displayed in the data grid by default. To display different fields, click the Field Chooser button located to the far left of the column headings.

| Field | Default | Description |
| --- | --- | --- |
| File | No | Specifies the name of the source file that logged the message. |
| Function | No | Displays the name of the function that logged the message. |
| ID | No | Displays the event ID used to identify the event. |
| Level | Yes | Indicates the severity of the event message: |
| Line | No | Specifies the line within the source file that logged the message. |
| Logger | No | Specifies the logger used to log events. |
| Message | Yes | Displays the event message that was posted to the log. |
| Thread | No | Specifies the thread within the source file that logged the message. |
| Timestamp | Yes | Displays the date and time when the entry was posted to the log. |

Use the toolbar buttons at the top of the log page to scroll through the log and search for log entries.

Refresh

Use to refresh and reload the log entries from the source file.

Copy

Use to copy the selected content to the clipboard. Use with the Select All button to copy and paste the contents of the entire log into another application.

Select All

Use to select the entire contents of the log. Use with the Copy button to copy and paste the contents of the log into another application.

Find:

Enter a specific string of characters or word to be located in the log and use the Find button to locate the text.

Show Matched Entries Only (Ctrl+M)

Use to display only the entries that match the word/string of characters entered in the search text.

Match Case

Use to locate entries that match the case as it was entered in the search text.

Previous

Use to move to the previous entry that contains the search text.

Next

Use to move to the next entry that contains the search text.

Print

Use one of the Print options to print or save the contents of the log.
