
Change Auditor 7.0.3 - User Guide


Menu commands

The Change Auditor commands are grouped under a menu on the menu bar. Some of these commands perform an action immediately; others display an additional dialog or open a wizard where you select options or specify additional information.

The following table provides a description of the commands available under each of the Change Auditor menus.

Table 1. Menu commands

Ctrl+O

Use to display the Connection screen to select the connection profile to be used to connect to a Change Auditor coordinator.

This command is only available when the client is disconnected from a coordinator.

Ctrl+D

Use to disconnect from the current coordinator.

 

Use to view one of the log files. Selecting this command will display the Open Log dialog allowing you to select the log file to be viewed. Once selected, a new tabbed page will be created in the client displaying the entries logged in the selected log.

 

Use to view the current client log. A new tabbed page will be created in the client displaying the entries logged to the current client log.

Ctrl+P

Use to send the contents of the displayed page to the designated printer. When you select this command, the native Print dialog will be displayed allowing you to specify various print options.

Ctrl+Shift+F

Use to save the contents of the displayed page to either an Excel (.xls) or comma delimited (.csv) file. When you select this command, the native Save As dialog will be displayed allowing you to specify the location, file name and type of file to be created.

Ctrl+Shift+D

Use to save the contents of the displayed page to a PDF file. When you select this command, the native Save As dialog will be displayed allowing you to specify the location and file name.

Ctrl+Shift+P

Use to preview the contents of the displayed page prior to printing it.

Ctrl+Shift+U

Use to define the page settings for printing. Selecting this command will display the native Page Setup dialog allowing you to define the paper, page orientation and margins.

Ctrl+Q

Use to close the client.

Ctrl+X

Use to move the selected item (folder or search definition) to a different location in the explorer view (left pane) on the Searches page. Once cut, this item can then be pasted (or moved) to another location.

Ctrl+C

Use to copy the selected item (folder or search definition) to another location in the explorer view (left pane) on the Searches page. Once copied, a copy of this item can be pasted to another location.

Ctrl+V

Use to paste the contents of the clipboard (folder or search definition) to the selected location.

 

Use to remove the selected user-defined item (folder or search definition).

 

Use to move the selected item (folder or search definition) to another location in the explorer view (left pane) on the Searches page. Selecting this command will display the Select the Destination Folder dialog allowing you to select the new location.

F5

Use to retrieve and redisplay current data.

Ctrl+F

Use to resize the columns based on the content, which will eliminate the scroll bars.

 

Use to close multiple client windows and return to a single client window.

 

Use to display the XML tab, which displays the XML representation of a selected search criteria, at the end of the Search Properties tabs.

 

Use to display the SQL tab, which displays the SQL query built to run a selected search, at the end of the Search Properties tabs.

 

Use to enable or disable the auto connect feature. When enabled, the Connection Profile dialog will not be displayed when the client is launched. Instead, the previously specified connection profile will automatically be used to connect to the coordinator.

 

Use this to disconnect from the client after 30 minutes of inactivity. If this option is not checked, the connection to the coordinator remains open.

 

Use to hide (or display) the desktop notification that is displayed in the lower right-hand corner of the screen whenever an agent is connected or disconnected from the coordinator, or when the coordinator is stopped or started.

NOTE: Agent Notifications is enabled by default.

 

Use to enable or disable the refreshing of the currently displayed grid (on the Deployment, Overview or Agent Statistics page) when an agent either connects or disconnects.

NOTE: Agent Auto Refresh is enabled by default.

 

Use to hide unlicensed components from the Administration Tasks tab and unlicensed events throughout the client.

 

Use to export the Administration settings, such as configurations and settings, and auditing and protection templates, into an XML file. Selecting this command displays an Export dialog allowing you to select the settings/templates to be exported.

 

Use to import previously exported Administration settings. Selecting this command displays an Import dialog allowing you to select the settings/templates to be imported.

Ctrl+F8

Use to display the Deployment page, from which you can deploy agents.

Ctrl+F9

Use to display the Overview page, which displays the results of your favorite search as well as an overview of the following information:

Ctrl+F10

Use to display the Searches page, from which you can run searches, define new searches and enable alerting.

Ctrl+F11

Use to display the Agent Statistics page which provides a global view of all your agents, providing you with their current status and statistics.

Shift+F11

Use to display the Coordinator Statistics page which provides coordinator status, database information and agent connection, event and alert data.

Ctrl+F12

Use to display the Administration Tasks tab which provides a single location where you can perform various administrative tasks related to configuring Change Auditor, customizing the auditing process and defining protection.

 

Use to close all open windows.

 

The remainder of this menu lists all of the windows that are currently opened in the client. A check mark to the left of a window indicates the window that is currently active.

 

Use to display the Quest Change Auditor dialog which displays the following information:

The About tab displays the current version, patent, trademark and copyright statements.
The License tab provides license compliance information.
The Legal Notices tab displays acknowledgments for third party components that are used in Change Auditor.
The Contact tab provides contact information for technical support, product questions and sales.

F1

Use to display the contents and initial screen of the online help.

Tool bar buttons

The following table lists all of the commands available on the various tool bars in the client. It lists the commands/buttons in alphabetical order and provides a brief description of each command.

Add

Depending on the page, use to add an entry to a search criteria list, add an object to an auditing list, define a new template, create a scheduled purge job, etc.

Most Administration Tasks pages

Add

Use the Add options as defined below:

Add Role Definition - use to define a new role defining who is authorized to perform the selected tasks and/or operations.
Add Task Definition - use to define a new task defining the operations that can be performed.
Add Application Group - use to define a new Authorization Manager Application Group.

Application User Interface page

Add

Use to add an entity (subsystem, event class, object class, severity or results) to the What search criteria list or purge criteria.

What tab

Add with Events

Use to add an entity that already has an event associated with it in the coordinator database to the What search criteria list or purge criteria.

What tab

Add with Events

Use to add an entity that already has an event associated with it in the coordinator database to the search or purge criteria.

Who tab

Where tab

Origin tab

Add | Add Wildcard Expression

Use to specify a wildcard expression for the search criteria or purge criteria.

Who tab

Where tab

Add | Add Server Types

Use to specify a server type for the search criteria or purge criteria.

Where tab

Add | Exclude

Use to exclude a mailbox from Exchange auditing.

Exchange Mailbox Auditing page

Add | Select Multiple Objects

Use to define custom Active Directory and ADAM auditing - defining the objects, classes and/or attributes to be audited by Change Auditor.

Active Directory Auditing page

ADAM (AD LDS) Auditing page

Advanced Options | Advanced Options

Use to display the Advanced Deployment Options dialog where you can view or modify the following settings:

Deployment page

Advanced Options | ActiveRoles Integration

Use the Active Roles integration options as described below:

Deploy Scripts Only - use to copy and run the Active Roles integration scripts on the Active Roles server. These scripts instruct Active Roles to capture the initiator information for all users and pass this information onto Change Auditor.
Deploy Scripts and Excluded Accounts - use to specify user and computer accounts that are to be excluded from this integration. Change Auditor then deploys the Active Roles integration scripts that signal Active Roles to retrieve the initiator information for all users except for those specified for exclusion.

Refer to the Quest Change Auditor Installation Guide for more information on Active Roles integration.

Deployment page

Alert Properties

Use to display the Alert properties across the bottom of the Alert History page.

Alert History page

Apply Changes

Use to save your coordinator configuration settings.

Coordinator Configuration page

Assign

Use to assign an agent configuration to the selected agents or to assign a template to an agent configuration.

Agent Configuration page

Excluded Accounts Auditing page

SQL Auditing page

File System Auditing page

Registry Auditing page

Services Auditing page

File System Protection page

Comments

Use to enter a comment for the selected event.

Event Details pane

Configurations

Use to display the Configuration Setup dialog to add, edit or delete agent configuration definitions.

Agent Configuration page

Connect To

Use this button to select the domain controller to be used to apply ACLs or to revert back to the client’s default global catalog.

Active Directory Protection page

Group Policy Protection page

Copy

Use to copy the displayed event details to the clipboard.

Log pages

Event Details pane

SQL tab

XML tab

Credentials

Use to set, clear or test the credentials to be used for installing agents on the selected domain.

Deployment page

Default

Use to reset the severity and enabled settings of the selected events back to the factory defaults.

Audit Events page

Default All

Use to reset all agent configurations back to the default configuration.

Agent Configuration page

Delete

Use to remove the selected entry from the list.

Application User Interface page

Member of Group Auditing page

Excluded AD Query Auditing page

Exchange Mailbox Auditing page

Purge Jobs page

Report Layouts page

Who tab

Where tab

Origin tab

Delete | Delete Administration Account

Use to remove the selected administration account from an Active Directory, ADAM (AD LDS), or Group Policy protection template.

Active Directory Protection page

ADAM (AD LDS) Protection page

Group Policy Protection page

Delete | Delete Agent

Use to remove the selected agent from an EMC or NetApp auditing template.

EMC Auditing page

NetApp Auditing page

Delete | Delete Excluded Account

Use to remove the selected account from an Excluded Accounts auditing template.

Excluded Accounts Auditing page

Delete | Delete File Path

Use to remove the selected file path from a File System auditing or protection template, an EMC auditing template or a NetApp auditing template.

File System Auditing page

EMC Auditing page

NetApp Auditing page

Delete | Delete Object

Use to remove the selected object from custom Active Directory or ADAM auditing, or from an Active Directory, ADAM (AD LDS) or Group Policy protection template.

Active Directory Auditing & Protection pages

ADAM (AD LDS) Auditing & Protection pages

Group Policy Protection page

Delete | Delete Object Class

Use to remove the selected object class from the Active Directory or ADAM (AD LDS) auditing list.

Active Directory Auditing page

ADAM (AD LDS) Auditing page

Delete | Delete Override Account

Use to remove the selected override account from a protection template.

Protection pages

Delete | Delete Path

Use to remove the selected path from the auditing template.

SharePoint Auditing page

Delete | Delete Registry Key

Use to remove the selected registry key from a Registry auditing template.

Registry Auditing page

Delete | Delete Service

Use to remove the selected service from a Service auditing template.

Service Auditing page

Delete | Delete SQL Instance

Use to remove the selected SQL instance from a SQL auditing template.

SQL Auditing page

Delete | Delete Template

Use to remove the selected auditing or protection template.

Auditing pages

Protection pages

Delete Criteria

Use to remove the selected entry from the What search criteria list.

What tab

Design Report

Use to launch the report designer to create a custom report layout for a selected search query.

Report tab

Disable

Use to disable the selected events.

Event Details pane

Audit Events page

Disable Alert

Use to disable a private alert.

Private Alerts and Reports page

Disable Report

Use to disable a private report.

Private Alerts and Reports page

Edit

Use to modify the selected item.

Most Administration Tasks pages, including:

Edit Event Class

Use to modify the selected entry in the What search criteria list.

What tab

Edit Logon

Use to modify the type of logons included in a logon search.

What tab

Email

Use to launch the configured email client to email the selected event details.

Event Details pane

Enable

Use to enable the selected events.

Audit Events page

Event Details pane

Event Details

Use to display the Event Details pane across the bottom of the Overview pane, Search Results page, or Alert History page.

Overview page

Search Results page

Alert History page

Event Logging

Use to enable or disable event logging.

Agent Configuration page

Explorer View

Use to show the explorer view in the left-hand pane of the Searches page.

Searches page

Find

Use to search for text in the currently displayed trace log. Enter a word or string of characters to be located.

Log pages

Force Refresh

Use to force a topology harvest refresh to discover new servers added to the Active Directory forest and display them on the Deployment page.

Deployment page

Grid View

Use to hide the explorer view and display only the Searches list on the Searches page.

Searches page

Hide Properties

Use to hide the Search Properties tabs across the bottom of the Searches page.

Use to hide the Resource Properties pane across the bottom of the Agent Statistics page.

Searches page

Agent Statistics page

Hide Uninstalled Agents

Use to remove uninstalled agents from the current Agent Statistics view.

Agent Statistics page

Hide Uninstalled Coordinators

Use to remove uninstalled coordinators from the current Coordinator Statistics view.

Coordinator Statistics page

High/Medium/Low

Use to change the severity level assigned to the selected events.

Audit Events page

Install or Upgrade

Use to install or upgrade an agent on the selected servers.

Deployment page

Knowledge Base

Use to display the associated Event Reference Guide.

Audit Events page

Event Details pane

Logs

Use the Log options as described below:

Open Log - use to retrieve a Change Auditor trace log file and display it in the client.
Get All Logs - use to retrieve any associated logs and save them to a specified location on the local machine.
View Agent Log - use to display the current Change Auditor agent trace log in the Change Auditor client.
View Coordinator Log - use to display the current coordinator trace log in the client.

Agent Configuration page

Agent Statistics page

Coordinator Statistics page

Deployment page

Match Case

Use to locate log entries that match the case that was entered in the search text.

Log pages

New

Use the New options as described below:

New Folder - use to create a new folder in the explorer view of the Searches page.
New Search - use to create a new search definition.

Searches page

New Servers

Use to enable or disable the automatic deployment of agents to new servers found in your Active Directory forest.

Deployment page

Next

Use to move to the next log entry that contains the search text.

Log pages

Overviews

Use to display the Overview panes across the bottom of the Overview page.

Overview page

Preview Changes

Use to run the search based on the changes made to the search query and display the results in the current Search Results page.

Search Properties tabs (Search Results page)

Preview Report

Use to display a query results report.

Report tab

Previous

Use to move to the previous log entry that contains the search text.

Log pages

Print

Use the print options to print or save the contents of the displayed page.

Print - use to send the contents of the active page to a designated printer.
Print to File - use to save the contents of the active page to either an Excel (.xls) or comma delimited (.csv) file.
Print to PDF - use to save the contents of the active page to a PDF file.
Print Preview - use to display the print layout of the active page prior to printing it.
Page Setup - use to define the page settings for printing.

All pages

Protect Object

Use to protect Active Directory objects, ADAM (AD LDS) objects, Group Policy Objects, Exchange mailboxes, File System files and folders against unauthorized modifications.

Event Details pane

Refresh

Use to retrieve and display the latest data available.

Overview page

Log pages

Refresh Configuration

Use to retrieve the current agent configuration assignments.

Agent Configuration page

Refresh Status

Use to refresh the deployment status of the selected servers.

Deployment page

Related Search

Use to view additional details about the user who initiated the change, view resource details about the machine where the change occurred, or run related searches based on the who, where, what, when or origin of an event.

Event Details pane

Restart Agent

Use to stop and then restart an agent. This button is only available when an agent is in an ‘active’ state.

Agent Statistics page

Restore Value

Use to restore the current value (To value) to its previous value (From value).

Event Details pane

Run

Use to run the selected search and display the events returned in a new Search Results page.

Searches page

Search Properties tabs

Save

Use to save a newly created search or modifications made to a search definition.

Search Properties tabs

Save As

Use the Save As options as described below:

Save As - use to save the search definition using a different name and/or location.
Save As Default - use to save the search definition as the new default for creating new searches.

Search Properties tabs

Search Properties

Use to display the Search Properties tabs across the bottom of the page.

Search Results page

Select All

Use to select all the entries in the currently displayed trace log, which can then be copied for use in another application.

Log pages

Set Agent Uninstalled

Use to flag the selected agent as ‘uninstalled’.

Agent Statistics page

Set Coordinator Uninstalled

Use to flag the selected coordinator as ‘uninstalled’.

Coordinator Statistics page

Shared Mailboxes

Use to view automatically detected shared mailboxes or to define a shared mailbox on the Exchange Mailbox auditing page.

Exchange Mailbox Auditing page

Show Matched Entries Only

Use to display only the log entries that match the word/string of characters entered in the search text.

Log pages

Show Properties

Use to display the Search Properties tabs across the bottom of the Searches page.

Use to display the Resource Properties pane across the bottom of the Agent Statistics page.

Searches page

Agent Statistics page

Show Uninstalled Agents

Use to include uninstalled agents in the current Agent Statistics view.

Agent Statistics page

Show Uninstalled Coordinators

Use to include uninstalled coordinators in the current Coordinator Statistics view.

Coordinator Statistics page

Start Agent

Use to start a stopped agent. This button is only available when an agent is in an ‘inactive’ state.

Agent Statistics page

Stop Agent

Use to stop an agent. This button is only available when an agent is in an ‘active’ state.

Agent Statistics page

Test SMTP

Use to generate a test email based on the configuration information entered in the SMTP Configuration pane.

Coordinator Configuration page

Test SNMP

Use to generate a test SNMP trap based on the configuration information entered in the SMTP Configuration pane.

Coordinator Configuration page

Uninstall

Use to uninstall the agent from the selected servers.

Deployment page

Right-click commands

The following table lists the commands which are available through right-click functionality. The commands are listed in alphabetical order with a reference to the pages from which they can be accessed.

Add Application Group

Administration Tasks tab:

Add Task Definition

Administration Tasks tab:

Add Role Definition

Administration Tasks tab:

Alert

Enable Transport

Disable Transport

Disable Alert

History

Delete History

Searches page - Search definition (right pane)

NOTE: The History and Delete History options are only displayed when alerting has been enabled for a search.

All Results

Administration Tasks tab:

Assign

Administration Tasks tab:

Assign to Configuration

Administration Tasks tab:

Audit

Exchange Mailbox Auditing page - excluded mailbox

Clear Result

Deployment page - agent

Collapse All

Searches page - folder (left pane)

Comments

Overview page - event (data grid)

Search Results page - event (data grid)

Copy

Administration Tasks tab:

Event Details pane (text boxes)

Overview page - event (data grid)

Search Properties tabs:

Search Results page - event (data grid)

Searches page:

Credentials

Deployment page - agent

Cut

Administration Tasks tab:

Search Properties tabs:

Searches page:

Delete

Administration Tasks tab:

Search Properties tabs:

Searches page:

Disable

Administration Tasks tab:

Overview page - event (data grid)

Search Results page - event (data grid)

Disable Alert

Private Alerts and Reports page

Disable Report

Private Alerts and Reports page

Edit

Administration Tasks tab:

Email

Overview page - event (data grid)

Search Results page - event (data grid)

Enable

Administration Tasks tab:

Overview page - event (data grid)

Search Results page - event (data grid)

Event Details

Overview page - event (data grid)

Search Results page - event (data grid)

Exclude

Exchange Mailbox Auditing page - audited mailbox

Expand All

Searches page - folder (left pane)

Export

Searches page:

Hide Properties

Searches page:

Agent Statistics page - agent

High/Medium/Low

Administration Tasks tab:

Import Folder

Searches page - folder (left pane)

Import Search

Searches page - folder (left pane)

Install or Upgrade

Deployment page - agent

Knowledge Base

Administration Tasks tab:

Overview page - event (data grid)

Search Results page - event (data grid)

Logs

Agent Statistics page - agent

Coordinator Statistics page - coordinator

Deployment page - agent

Move

Searches page:

New

Searches page:

Overviews

Overview page - event (data grid)

Paste

Administration Tasks tab:

Search Properties tabs:

Searches page:

Publish to Quest Knowledge Portal

Searches page:

Redo

Administration Tasks tab:

Search Properties tabs:

Refresh Configuration

Administration Tasks tab:

Refresh Status

Deployment page - agent

Rename

Searches page - folder (left pane)

Report

Searches page - search definition (right pane)

Restart Agent

Agent Statistics page - agent

Run

Searches page - Search definition (right pane)

Scope

Exchange Mailbox Auditing page - audited mailbox

Search Properties

Search Results page - event (data grid)

Security

Active Directory Protection page - object

Group Policy Protection page - object

Select All

Administration Tasks tab:

Event Details pane - text boxes

Search Properties tabs:

Set Agent Uninstalled

Agent Statistics page - agent

Set As My Favorite

Searches page - Search definition (right pane)

Set Coordinator Uninstalled

Coordinator Statistics page - coordinator

Show Properties

Searches page

Agent Statistics page - agent

Start Agent

Agent Statistics page - agent

Stop Agent

Agent Statistics page - agent

Success Only

Administration Tasks tab:

Success and Protected Only

Administration Tasks tab:

Success and Failed Only

Administration Tasks tab:

Undo

Administration Tasks tab:

Search Properties tabs:

Uninstall

Deployment page - agent

 

Change Auditor Email Tags

The Alert Body Configuration dialog allows you to edit the plain text and the HTML representation of alert emails. It consists of the following tabbed pages:

Preview - is for previewing a sample of what your customized email will look like.
Main Body - to define the overall content and layout of the alert email body.
Event Details - to define the details to be included for each event included in the alert email.
Signature - to define the signature line to be included.

The text entered in these tabs is sent when the alert triggers, with the exception of the variable tags (%xxx%). These tags are used to retrieve information from Change Auditor. The following tags are used and should not be modified.

%ALERT_COORDINATOR_DOMAIN%

The name of the domain where the coordinator that generated the alert resides.

%ALERT_COORDINATOR_NAME%

The name of the coordinator generating the alert.

%ALERT_NAME%

The name of the alert that fired.

%ALERT_TIME_SENT%

The date and time when the alert fired.

%ALERT_TYPE%

The type of alert: Smart Alert or Alert.

%BATCH_ID%

The batch ID for all alerts grouped into a single smart alert email.

%EVENT_COUNT%

The number of events grouped into a single smart alert email.

%SMART_ALERT%

Indicates whether this is a smart alert email.

%SMART_ALERT_GROUPING%

Indicates whether this is a smart alert email and on a single object.

%SMART_ALERT_OCCURRENCE%

For smart alerts, the occurrence value specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SMART_ALERT_PERIOD%

For smart alerts, the period of time specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SMART_ALERT_PERIOD_UNIT%

For smart alerts, the time interval (minutes, hours or days) specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%ACTIONNAME%

The action associated with the event (e.g., Modify Attribute).

%AD_SAMACCOUNTNAME%

For Active Directory events, the logon name of the user who initiated the change event.

%AD_USERPRINCIPALNAME%

For Active Directory events, the user principal name (UPN) of the user who initiated the change event.

%ADAM_CONFIGURATIONSET%

For ADAM (AD LDS) events, the name of the configuration set that holds the ADAM instance where the change occurred.

%ADAM_INSTANCENAME%

For ADAM (AD LDS) events, the name of the ADAM instance where the change occurred.

%ADAM_INSTANCEPORT%

For ADAM (AD LDS) events, the communications port used by the ADAM instance where the change occurred.

%ADAM_PARTITIONNAME%

For ADAM (AD LDS) events, the name of the directory partition where the change event occurred.

%ALERT_COORDINATOR_DOMAIN%

The name of the domain where the coordinator that generated the alert resides.

%ALERT_COORDINATOR_NAME%

The name of the coordinator generating the alert.

%ALERT_NAME%

The name of the alert that fired.

%ALERT_TIME_SENT%

The date and time when the alert fired.

%ALERT_TYPE%

The type of alert: Smart Alert or Alert.

%ATTRIBUTENAME%

For Active Directory and ADAM (AD LDS) events, the name of the schema attribute that was modified (e.g., displayName).

For File System events, the name of the file or folder attribute that was modified.

%BATCH_ID%

The batch ID assigned to all alerts grouped into a single smart alert email.

%COMMENT%

Any comments for the event which were entered using the Comments feature on the Event Details pane.

%DOMAINCONTROLLER%

Indicates whether the agented server is a domain controller.

%DOMAINDN%

The distinguished name (DN) of the domain to which the agent that generated the alert belongs.

%DOMAINFQDN%

The fully qualified domain name (FQDN) of the domain to which the Change Auditor agent that generated the alert belongs.

%DOMAINNAME%

The name of the domain to which the agent that generated the alert belongs.

%EVENT_COUNT%

The number of events grouped into a smart alert email.

%EVENTCLASSNAME%

The event name.

%EVENTMESSAGE%

The actual event that triggered the alert.

%EVENTSOURCE%

Indicates the application where the change event came from: Change Auditor, Active Roles, or GPOADmin.

%EXCHANGE%

Indicates whether the agented server is an Exchange server.

%FACILITYNAME%

The name of the event class facility to which the event belongs (e.g., Domain Configuration).

%FORESTNAME%

The name of the forest where the agent that captured the event resides.

%FS_ATTRIBUTENAME%

For File System events, the name of the attribute that was modified.

%FS_FILENAME%

For File System events, the name of the file that was modified.

%FS_FILESERVER%

For File System events, the name of the server where the file or folder that was modified resides.

%FS_FILESYSTEMTYPEID%

For File System events, the type of object (File or Folder) that was modified.

%FS_FOLDERPATH%

For File System events, the full path of the file or folder where the modification occurred.

%FS_LOGONID%

For File System events, the logon ID of the user who made the change.

%FS_PRIMARYSID%

For File System events, the SID of the user who made the change.

%FS_PROCESSNAME%

For File System events, the full path of the application responsible for the change.

%FS_SHARENAME%

For File System events, the name of the local share that was modified.

%FS_TRANSACTIONID%

For File System Transaction Status Changed events, the identification number assigned to a transaction.

%FS_TRANSACTIONSTATUS%

For File System Transaction Status Changed events, the current status of the transaction.

%GLOBALCATALOG%

Indicates whether the agented server is a Global Catalog.

%GPO_POLICYCANONICAL%

For Group Policy events, the canonical name (CN) of the group policy that was modified.

%GPO_POLICYITEM%

For Group Policy events, the group policy item that was modified.

%GPO_POLICYNAME%

For Group Policy events, the name of the group policy that was modified.

%GPO_POLICYSECTION%

For Group Policy events, the section of the group policy that was modified.

%INITIATORMAIL%

For events generated by Active Roles or GPOADmin, the email address of the user that initiated the change event.

%INITIATORSID%

For events generated by Active Roles or GPOADmin, the SID of the user that initiated the change event.

%INITIATORUSERNAME%

For events generated by Active Roles or GPOADmin, the name of the user that initiated the change event.

%IPADDRESS%

The IP address of the Change Auditor agent that generated the alert.

%LDAP_ATTRIBUTES%

For AD Query events, the attributes that were queried.

%LDAP_ELAPSED%

For AD Query events, how long the AD query took to run.

%LDAP_FILTER%

For AD Query events, the filter string used in the AD query.

%LDAP_OCCURRENCES%

For AD Query events, the number of times the AD query occurred during the specified interval.

%LDAP_RESULTS%

For AD Query events, the number of results returned by the query.

%LDAP_SCOPE%

For AD Query events, the scope of coverage: This object only or This object and all children.

%LDAP_SINCE%

For AD Query events, the date and time when the AD query was first initiated.

%LDAP_TYPE%

For AD Query events, the type of query: LDAP or GC.

%LOGON_DURATION%

For Logon Session events, how long the user session lasted or how long the user was actually logged onto the computer (depends on the event).

%LOGON_END%

For Logon Session events, the date and time when the user logged out of the computer.

%LOGON_SESSIONEND%

For Logon Session events, the date and time when the current user session ended.

%LOGON_SESSIONSTART%

For Logon Session events, the date and time when the current user session began.

%LOGON_START%

For Logon Session events, the date and time when the user initially logged onto the computer.

%LOGON_TYPE%

For Logon Activity events, the type of logon that occurred:

%OBJECTCANONICAL%

For Active Directory and ADAM (AD LDS) events, the canonical name of the object that was modified.

For Group Policy events, the canonical name of the group policy that was modified.

For AD Query events, the LDAP object canonical name of the object that was queried.

%OBJECTCLASS%

For Active Directory and Exchange events, the object class that was modified (e.g., groupPolicyContainer).

For ADAM (AD LDS) events, the object class that was modified (e.g., container, user, group).

For AD Query events, the object class that was queried.

%OBJECTNAME%

For Active Directory and Exchange events, the name of the object that was modified.

For ADAM (AD LDS) events, the distinguished name of the object that was modified.

For Group Policy events, the name of the group policy that was modified.

For AD Query events, the name of the object that was queried.

%ORGANIZATIONALUNIT%

For Active Directory and ADAM (AD LDS) events, the OU associated with the object that was modified.

For Group Policy events, the name of the OU that is linked to the group policy that was modified.

For AD Query events, the name of the OU associated with the LDAP query.

%OSVERSION%

Indicates the operating system version of the machine where the modification occurred.

%REGISTRYKEY%

For Registry events, the name of the registry key that was modified.

%REGISTRYVALUE%

For Registry events, the registry value that was modified.

%RESULTNAME%

Indicates the result of the operation mentioned in the event:

%SAM_PRINCIPALNAME%

The logon name of the local account that initiated the change event.

%SAM_PRINCIPALTYPE%

The type of local account that initiated the change event.

%SERVERDN%

The distinguished name (DN) of the agented server that captured the event.

%SERVERFQDN%

The fully qualified domain name (FQDN) of the agented server that captured the event.

%SERVERNAME%

The name of the agented server where the change occurred.

%SERVEROU%

The name of the organizational unit where the agented server resides.

%SERVICE_DISPLAYNAME%

For Service events, the display name of the service that was modified.

%SERVICE_NAME%

For Service events, the name of the service that was modified.

%SEVERITYNAME%

The severity assigned to the change event: High, Medium or Low.

%SHAREPOINT_FARMNAME%

For SharePoint events, the name of the SharePoint farm where the modification occurred.

%SHAREPOINT_ITEMNAME%

For SharePoint events, the name of the SharePoint item (e.g. document, folder, list item) that was modified.

%SHAREPOINT_ITEMURL%

For SharePoint events, the URL of the SharePoint item that was modified.

%SHAREPOINT_LISTNAME%

For SharePoint events, the name of the SharePoint list that was modified.

%SHAREPOINT_LISTPATH%

For SharePoint events, the full path of the SharePoint list where the modification occurred.

%SHAREPOINT_WEBNAME%

For SharePoint events, the name of the web site where the modification occurred.

%SHAREPOINT_WEBURL%

For SharePoint events, the URL of the web site where the modification occurred.

%SIGNSEAL%

For Active Directory and AD Query events, indicates whether the LDAP operation or LDAP query is signed using Kerberos-based encryption.

%SITEDN%

The distinguished name (DN) of the site where the agented server resides.

%SITENAME%

The name of the site where the agented server resides.

%SMART_ALERT%

Indicates whether this is a smart alert email.

%SMART_ALERT_GROUPING%

Indicates whether this is a smart alert email and on a single object.

%SMART_ALERT_OCCURRENCE%

For smart alerts, the occurrence value specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SMART_ALERT_PERIOD%

For smart alerts, the period of time specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SMART_ALERT_PERIOD_UNIT%

For smart alerts, the time interval (minutes, hours or days) specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SQL_APPLICATIONNAME%

For SQL events, the name of the client application that initiated the change event.

%SQL_CLIENTPROCESSID%

For SQL events, the identification number associated with the client process that initiated the change event.

%SQL_DATABASEID%

For SQL events, the identification number associated with the SQL database used by the process that initiated the change event.

%SQL_DATABASENAME%

For SQL events, the name of the SQL database used by the process that initiated the change event.

%SQL_EVENTCLASS%

For SQL events, the SQL Server operation (event class) that was performed.

%SQL_EVENTSUBCLASS%

For SQL events, the type of event subclass that was performed.

%SQL_HOSTNAME%

For SQL events, the name of the client workstation that initiated the session.

%SQL_INSTANCENAME%

For SQL events, the name of the SQL instance where the change event occurred.

%SQL_ISSYSTEM%

For SQL events, indicates whether a system session initiated the change.

%SQL_LINKEDSERVERNAME%

For SQL events, the name of the linked server.

%SQL_OBJECTID%

For SQL events, the object identifier associated with the SQL object that was changed.

%SQL_OBJECTID2%

For SQL events, the object identifier of related objects or entities, if available.

%SQL_OBJECTNAME%

For SQL events, the name of the SQL Server object that was changed.

%SQL_OBJECTTYPE%

For SQL events, the type of SQL Server object that was changed.

%SQL_OWNERID%

For SQL lock events, the type of object that owns a lock.

%SQL_OWNERNAME%

For SQL events, the database user name of the object owner.

%SQL_PARENTNAME%

For SQL events, the name of the schema in which the object that changed resides.

%SQL_PROVIDERNAME%

For SQL events, the name of the OLEDB provider.

%SQL_ROWCOUNTS%

For SQL events, the number of rows returned by the SQL query.

%SQL_SESSIONLOGINNAME%

For SQL events, the SQL Server login name used by the client to create the session.

%SQL_SPID%

For SQL events, the SQL Server Process ID associated with the process that initiated the change.

%SQL_SUCCESS%

For SQL events, indicates whether the event was successful.

%SQL_TEXTDATA%

For SQL events, the character string used in the SQL query.

%SSLTLS%

For Active Directory or AD Query events, indicates whether the LDAP operation or LDAP query is secured using SSL or TLS technology.

%SUBSYSTEMNAME%

The subsystem, or area of auditing, where the change event occurred (e.g., Active Directory, Service, Group Policy).

%TIMEBATCHED%

The UTC date and time when the batch of events was sent from the agent to the coordinator.

%TIMEDETECTED%

The UTC date and time when the agent captured the event.

%TIMEOFDAY%

The UTC time (no date) when the agent captured the event.

%TIMERECEIVED%

The UTC date and time when the event was received by Change Auditor.

%TIMEZONE%

The name of the time zone used for the alert’s date/time stamps in the email.

%TIMEZONETIMEDETECTED%

The date and time when the Change Auditor agent captured the event, based on the selected time zone.

%TIMEZONETIMERECEIVED%

The date and time when the event was received by Change Auditor, based on the selected time zone.

%USERADDRESS%

The machine name or IP address of the machine where the change originated.

%USERADDRESSIPV4%

The IPv4 address of the machine where the change originated.

%USERADDRESSIPV6%

The IPv6 address of the machine where the change originated.

%USERDISPLAY%

The display name of the user who initiated the change.

%USERMAIL%

The email address of the user that initiated the change.

%USERNAME%

The NT4 logon name (domain\name) of the user who initiated the change.

%USERSID%

The security identifier (SID) assigned to the user who initiated the change.

%VALUENEW%

The new value that is now assigned to the object.

%VALUEOLD%

The old value that was assigned to the object.

%VMWARE_COMPUTERESOURCE%

For VMware events associated with compute resources, the name of the compute resource where the change occurred.

%VMWARE_DATACENTER%

For VMware events, the name of the datacenter object where the modification occurred.

%VMWARE_DS%

For VMware events associated with datastore objects, the name of the datastore where the change occurred.

%VMWARE_DVS%

For VMware events associated with a Distributed Virtual Switch (DVS), the name of the DVS where the change occurred.

%VMWARE_HOST%

For VMware events, the name or IP address of the host being audited (as specified in the VMware Auditing template).

%VMWARE_NET%

For VMware events, the name of the network object where the change occurred.

%VMWARE_VM%

For VMware events, the name of the virtual machine where the modification occurred.

%VMWARE_VMWAREHOSTNAME%

For VMware events, the name of the host where the modification occurred.

The event details defined in the Event Details tab are placed in the Main Body pane using the following tag:

This tag should NOT be removed from the Main Body tab if you want to include the event details in the alert emails.
