Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Change Auditor 7.0.4 - User Guide

Table of Contents

Change Auditor Overview

Available Change Auditor auditing modules

Agent Deployment

Deployment page Deploy agents Change the agent installation location and system tray option Enable auto deployment Refresh or clear Deployment page information

Change Auditor Client Overview

Starting the Change Auditor client Accessing Change Auditor news and updates Managing connection profiles

Connection wizard

Client components Customize table content

Sort data Resize or move columns Add or remove columns Group data

Using custom filters

Directory object picker

Overview My Favorite Search Define a favorite search Overview panes

Top Agent Activity Recent Event Activity Count of Events By Agent Status Coordinator Status

Event Details pane

Introduction Searches page

Explorer view Searches list Search Properties tabs

View a list of available searches Run searches Run a quick search

Search Results and Event Details

Introduction Search Results page

Search Results grid Search Properties tabs Event Details pane

View search results

Display results in different formats

Preview search results Compare results side-by-side View event details or search properties Copy event details Email event details Display event's knowledge base entry Add comments View user context and run related searches Protect critical objects, mailboxes, files and folders Add search properties to existing event queries

Custom Searches and Search Properties

Introduction Create a custom search Search Properties tabs

Info tab Who tab What tab Where tab When tab Origin tab Alert tab Report tab Layout tab SQL tab XML tab

Enable Alert Notifications

Introduction Alert tab (Search Properties tabs) Enable alerts Disable alerts Alert History page View alert history View event details or alert properties

Administration Tasks

Administration Tasks tab Administration Task lists Export/import Administration Task settings

Agent Configurations

Introduction Agent Configuration page Define agent configurations Assign agent configurations to server agents Enable event logging

Coordinator Configuration

Coordinator Configuration page SMTP Configuration Configure email alert notifications/reports Customize alert email content Shared Folder Configuration Group Membership Expansion Add groups to Group Membership Expansion list Agent Heartbeat Check Disconnect client after 30 minutes of inactivity Scheduled Task Handling

Purging and Archiving your Change Auditor Database

Introduction Planning your jobs Purge and Archive page Create and maintain jobs Purge and Archive wizard Purge selected records

Disable Private Alerts and Reports

Introduction Private Alerts and Reports page Disable private alerts and reports

Generate and Schedule Reports

Schedule reports for distribution

Create global report template Define report content and layout Enable and schedule reporting

Launch Report Designer Publish reports Print or save a page's contents

SQL Reporting Services Configuration

Introduction SQL Reporting Services Page SQL Reporting Services Templates SQL Reporting Services Wizard

Change Auditor User Interface Authorization

Introduction Application User Interface Authorization page Add task definition Add role definition Add application group Remove a task definition

Client Authentication

Introduction Client Authentication Page Changing the client authentication method

Integrating with On Demand Audit

Managing a Quest On Demand Audit integration

Creating an On Demand Audit configuration Working with an On Demand Audit configuration

Enable/Disable Event Auditing

Introduction Audit Events page Enable/disable event auditing Modify event's severity level or event class description Define events to be captured based on results View event information

Account Exclusion

Introduction Excluded Accounts Auditing page Excluded Accounts templates Excluded Accounts wizard

Registry Auditing

Introduction Registry Auditing page Registry Auditing templates Registry Auditing wizard

Service Auditing

Introduction Services Auditing page Service Auditing templates Service Auditing wizard

Agent Statistics and Logs

Introduction Agent Statistics page

Agent Statistics grid Resource Properties pane

Machine Info page Processors page Drives page Shares page Services page Exchange Mailboxes page

Agent system tray icon

Change Auditor Agent Status dialog

View agent status/statistics Manage Change Auditor agents Agent Log page View and save agent trace logs

Coordinator Statistics and Logs

Introduction Coordinator Statistics page Coordinator system tray icon

Change Auditor Coordinator Status dialog Coordinator Configuration tool

View coordinator status and statistics Manage Change Auditor coordinators Coordinator Log page View and save coordinator trace logs

Change Auditor Commands

Menu commands Tool bar buttons Right-click commands

Change Auditor Email Tags

Change Auditor Email Tags

The Alert Body Configuration dialog allows you to edit the plain text and the HTML representation of alert emails. It consists of the following tabbed pages:

•

Preview - is for previewing a sample of what your customized email will look like.

•

Main Body - to define the overall content and layout of the alert email body.

•

Event Details - to define the details to be included for each event included in the alert email.

•

Signature - to define the signature line to be included.

The text entered in the these tabs is sent when the alert triggers, with the exception of the variable tags (%xxx%). These tags are used to retrieve information from Change Auditor. The following tags are used and should not be modified.

Table 1. Tags valid in the Main Body tab
Email Tag:	Description:
%ALERT_COORDINATOR_DOMAIN%	The name of the domain where the coordinator that generated the alert resides.
%ALERT_COORDINATOR_NAME%	The name of the coordinator generating the alert.
%ALERT_NAME%	The name of the alert that fired.
%ALERT_TIME_SENT%	The date and time when the alert fired.
%ALERT_TYPE%	The type of alert: Smart Alert or Alert.
%BATCH_ID%	The batch ID for all alerts grouped into a single smart alert email.
%EVENT_COUNT%	The number of events grouped into a single smart alert email.
%SMART_ALERT%	Indicates whether this is a smart alert email.
%SMART_ALERT_GROUPING%	Indicates whether this is a smart alert email and on a single object.
%SMART_ALERT_OCCURRENCE%	For smart alerts, the occurrence value specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.
%SMART_ALERT_PERIOD%	For smart alerts, the period of time specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.
%SMART_ALERT_PERIOD_UNIT%	For smart alerts, the time interval (minutes, hours or days) specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

Table 2. Tags valid in the Event Details tab

The action associated with the event (e.g., Modify Attribute).

%AD_SAMACCOUNTNAME%

For Active Directory events, the logon name of the user who initiated the change event.

%AD_USERPRINCIPALNAME%

For Active Directory events, the user principal name (UPN) of the user who initiated the change event.

%ADAM_CONFIGURATIONSET%

For ADAM (AD LDS) events, the name of the configuration set that holds the ADAM instance where the change occurred.

%ADAM_INSTANCENAME%

For ADAM (AD LDS) events, the name of the ADAM instance where the change occurred.

%ADAM_INSTANCEPORT%

For ADAM (AD LDS) events, the communications port used by the ADAM instance where the change occurred.

%ADAM_PARTITIONNAME%

For ADAM (AD LDS) events, the name of the directory partition where the change event occurred.

%ALERT_COORDINATOR_DOMAIN%

The name of the domain where the coordinator that generated the alert resides.

%ALERT_COORDINATOR_NAME%

The name of the coordinator generating the alert.

The name of the alert that fired.

%ALERT_TIME_SENT%

The date and time when the alert fired.

The type of alert: Smart Alert or Alert.

%ATTRIBUTENAME%

For Active Directory and ADAM (AD LDS) events, the name of the schema attribute that was modified (e.g., displayName).

For File System events, the name of the file or folder attribute that was modified.

The batch ID assigned to all alerts grouped into a single smart alert email.

Any comments for the event which were entered using the Comments feature on the Event Details pane.

%DOMAINCONTROLLER%

Indicates whether the agented server is a domain controller.

The distinguished name (DN) of the domain to which the agent that generated the alert belongs.

The fully qualified domain name (FQDN) of the domain to which the Change Auditor agent that generated the alert belongs.

The name of the domain to which the agent that generated the alert belongs.

The number of events grouped into a smart alert email.

%EVENTCLASSNAME%

The event name.

The actual event that triggered the alert.

Indicates the application where the change event came from: Change Auditor, Active Roles, or GPOADmin.

Indicates whether the agented server is an Exchange server.

The name of the event class facility to which the event belongs (e.g., Domain Configuration).

The name of the forest where the agent that captured the event resides.

%FS_ATTRIBUTENAME%

For File System events, the name of the attribute that was modified.

For File System events, the name of the file that was modified.

%FS_FILESERVER%

For File System events, the name of the server where the file or folder that was modified resides.

%FS_FILESYSTEMTYPEID%

For File System events, the type of object (File or Folder) that was modified.

%FS_FOLDERPATH%

For File System events, the full path of the file or folder where the modification occurred.

For File System events, the logon ID of the user who made the change.

%FS_PRIMARYSID%

For File System events, the SID of the user who made the change.

%FS_PROCESSNAME%

For File System events, the full path of the application responsible for the change.

For File System events, the name of the local share that was modified.

%FS_TRANSACTIONID%

For File System Transaction Status Changed events, the identification number assigned to a transaction.

NOTE: Transaction Status events are only supported on Windows Server 2008 or newer OS.

%FS_TRANSACTIONSTATUS%

For File System Transaction Status Changed events, the current status of the transaction.

NOTE: Transaction Status events are only supported on Windows Server 2008 or newer OS.

%GLOBALCATALOG%

Indicates whether the agented server is a Global Catalog.

%GPO_POLICYCANONICAL%

For Group Policy events, the canonical name (CN) of the group policy that was modified.

%GPO_POLICYITEM%

For Group Policy events, the group policy item that was modified.

%GPO_POLICYNAME%

For Group Policy events, the name of the group policy that was modified.

%GPO_POLICYSECTION%

For Group Policy events, the section of the group policy that was modified.

%INITIATORMAIL%

For events generated by Active Roles or GPOAdmin, the email address of the user that initiated the change event.

For events generated by Active Roles or GPOAdmin, the SID of the user that initiated the change event.

%INITIATORUSERNAME%

For events generated by Active Roles or GPOADmin, the name of the user that initiated the change event.

The IP address of the Change Auditor agent that generated the alert.

%LDAP_ATTRIBUTES%

For AD Query events, the attributes that were queried.

For AD Query events, how long the AD query took to run.

For AD Query events, the filter string used in the AD query.

%LDAP_OCCURRENCES%

For AD Query events, the number of times the AD query occurred during the specified interval.

For AD Query events, the number of results returned as a result of the query.

For AD Query events, the scope of coverage: This object only or This object and all children.

For AD Query events, the date and time when the AD query was first initiated.

For AD Query events, the type of query: LDAP or GC.

%LOGON_DURATION%

For Logon Session events, how long the user session lasted or how long the user was actually logged onto the computer (depends on the event).

For Logon Session events, the date and time when the user logged out of the computer.

%LOGON_SESSIONEND%

For Logon Session events, the date and time when the current user session ended.

%LOGON_SESSIONSTART%

For Logon Session events, the date and time when the current user session began.

For Logon Session events, the date and time when the user initially logged onto the computer.

For Logon Activity events, the type of logon that occurred:

•

Domain Authentication

•

•

Remote Interactive

%OBJECTCANONICAL%

For Active Directory and ADAM (AD LDS) events, the canonical name of the object that was modified.

For Group Policy events, the canonical name of the group policy that was modified.

For AD Query events, the LDAP object canonical name of the object that was queried.

For Active Directory and Exchange events, the object class that was modified (e.g., groupPolicyContainer).

For ADAM (AD LDS) events, the object class that was modified (e.g., container, user, group).

For AD Query events, the object class that was queried.

For Active Directory and Exchange events, the name of the object that was modified.

For ADAM (AD LDS) events, the distinguished name of the object that was modified.

For Group Policy events, the name of the group policy that was modified.

For AD Query events, the name of the object that was queried.

%ORGANIZATIONALUNIT%

For Active Directory and ADAM (AD LDS) events, the OU associated with the object that was modified.

For Group Policy events, the name of the OU that is linked to the group policy that was modified.

For AD Query events, the name of the OU associated with the LDAP query.

Indicates the operating system version of the machine where the modification occurred.

For Registry events, the name of the registry key that was modified.

%REGISTRYVALUE%

For Registry events, the registry value that was modified.

Indicates the result of the operation mentioned in the event:

•

•

•

•

%SAM_PRINCIPALNAME%

The logon name of the local account that initiated the change event.

%SAM_PRINCIPALTYPE%

The type of local account that initiated the change event.

The distinguished name (DN) of the agented server that captured the event.

The fully qualified domain name (FQDN) of the agented server that captured the event.

The name of the agented server where the change occurred.

The name of the organizational unit where the agented server resides.

%SERVICE_DISPLAYNAME%

For Service events, the display name of the service that was modified.

For Service events, the name of the service that was modified.

The severity assigned to the change event: High, Medium or Low.

%SHAREPOINT_FARMNAME%

For SharePoint events, the name of the SharePoint farm where the modification occurred.

%SHAREPOINT_ITEMNAME%

For SharePoint events, the name of the SharePoint item (e.g. document, folder, list item) that was modified.

%SHAREPOINT_ITEMURL%

For SharePoint events, the URL of the SharePoint item that was modified.

%SHAREPOINT_LISTNAME%

For SharePoint events, the name of the SharePoint list that was modified.

%SHAREPOINT_LISTPATH%

For SharePoint events, the full path of the SharePoint list where the modification occurred.

%SHAREPOINT_WEBNAME%

For SharePoint events, the name of the web site where the modification occurred.

%SHAREPOINT_WEBURL%

For SharePoint events, the URL of the web site where the modification occurred.

For Active Directory and AD Query events, indicates whether the LDAP operation or LDAP query is signed using Kerberos-based encryption.

The distinguished name (DN) of the site where the agented server resides.

The name of the site where the agented server resides.

Indicates whether this is a smart alert email.

%SMART_ALERT_GROUPING%

Indicates whether this is a smart alert email and on a single object.

%SMART_ALERT_OCCURRENCE%

For smart alerts, the occurrence value specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SMART_ALERT_PERIOD%

For smart alerts, the period of time specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SMART_ALERT_PERIOD_UNIT%

For smart alerts, the time interval (minutes, hours or days) specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

%SQL_APPLICATIONNAME%

For SQL events, the name of the client application that initiated the change event.

%SQL_CLIENTPROCESSID%

For SQL events, the identification number associated with the client process that initiated the change event.

%SQL_DATABASEID%

For SQL events, the identification number associated with the SQL database used by the process that initiated the change event.

%SQL_DATABASENAME%

For SQL events, the name of the SQL database used by the process that initiated the change event.

%SQL_EVENTCLASS%

For SQL events, the SQL Server operation (event class) that was performed.

%SQL_EVENTSUBCLASS%

For SQL events, the type of event subclass that was performed.

For SQL events, the name of the client workstation that initiated the session.

%SQL_INSTANCENAME%

For SQL events, the name of the SQL instance where the change event occurred.

For SQL events, indicates whether a system session initiated the change.

%SQL_LINKEDSERVERNAME%

For SQL events, the name of the linked server.

For SQL events, the object identifier associated with the SQL object that was changed.

%SQL_OBJECTID2%

For SQL events, the object identifier of related objects or entities, if available.

%SQL_OBJECTNAME%

For SQL events, the name of the SQL Server object that was changed.

%SQL_OBJECTTYPE%

For SQL events, the type of SQL Server object that was changed.

For SQL lock events, the type of object that owns a lock.

%SQL_OWNERNAME%

For SQL events, the database user name of the object owner.

%SQL_PARENTNAME%

For SQL events, the name of the schema in which the object that changed resides.

%SQL_PROVIDERNAME%

For SQL events, the name of the OLEDB provider.

%SQL_ROWCOUNTS%

For SQL events, the number of rows returned by the SQL query.

%SQL_SESSIONLOGINNAME%

For SQL events, the SQL Server login name used by the client to create the session.

For SQL events, the SQL Server Process ID associated with the process that initiated the change.

For SQL events, indicates whether the event was successful.

For SQL events, the character string used in the SQL query.

For Active Directory or AD Query events, indicates whether the LDAP operation or LDAP query is secured using SSL or TLS technology.

%SUBSYSTEMNAME%

The subsystem, or area of auditing, where the change event occurred (e.g., Active Directory, Service, Group Policy).

The UTC date and time when the batch of events were sent from the agent to coordinator.

The UTC date and time when the agent captured the event.

The UTC time (no date) when the event the agent captured the event.

The UTC date and time when the event was received by Change Auditor.

The name of the time zone used for the alert’s date/time stamps in the email.

%TIMEZONETIMEDETECTED%

The date and time when the Change Auditor agent captured the event, based on the selected time zone.

%TIMEZONETIMERECEIVED%

The date and time when the event was received by Change Auditor, based on the selected time zone.

The machine name or IP address of the machine where the change originated.

%USERADDRESSIPV4%

The IPv4 IP address of the machine where the change originated.

%USERADDRESSIPV6%

The IPv6 IP address of the machine where the change originated.

The display name of the user who initiated the change.

The email address of the user that initiated the change.

The NT4 logon name (domain\name) of the user who initiated the change.

The security identifier (SID) assigned to the user who initiated the change.

The new value that is now assigned to the object.

The old value that was assigned to the object.

%VMWARE_COMPUTERESOURCE%

For VMware events associated with compute resources, the name of the compute resource where the change occurred.

%VMWARE_DATACENTER%

For VMware events, the name of the datacenter object where the modification occurred.

For VMware events associated with datastore objects, the name of the datastore where the change occurred.

For VMware events associated with a Distributed Virtual Switch (DVS), the name of the DVS where the change occurred.

For VMware events, the name or IP address of the host being audited (as specified in the VMware Auditing template).

For VMware events, the name of the network object where the change occurred.

For VMware events, the name of the virtual machine where the modification occurred.

%VMWARE_VMWAREHOSTNAME%

For VMware events, the name of the host where the modification occurred.

The event details defined in the Event Details tab are placed in the Main Body pane using the following tag:

%EVENT_DETAILS%

This tag should NOT be removed from the Main Body tab if you want to include the event details in the alert emails.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center