Chat now with support
Chat with Support

Change Auditor 7.0.4 - Web Client User Guide

Install Change Auditor Web Client Web Client Overview Overview Page Shared Overviews Administration Page Searches Page Search Results Page Administration Tasks Page Configuration Tasks (Administration Tasks Page) Auditing Tasks (Administration Tasks Page) Protection Tasks (Administration Tasks Page) Change Auditor Client Comparison

Server

The tasks under this heading are used to create auditing templates that, once assigned to agent configurations, enable custom server-level auditing. After creating a template, see Agent Configuration page for information on enabling these templates.

See the following administration task descriptions for more information:

File System auditing

To capture Windows File Server events, you must first complete the following steps to define the files/folders to be audited and the events to be captured:

The File System Auditing page is displayed when File System is selected from the Auditing task list in the navigation pane of the Administration Tasks page. From this page you can launch the File System Auditing wizard to specify the file, folder or all drives in a system that are to be audited. You can also edit existing templates, copy templates, disable/enable templates, or remove templates that are no longer being used.

NOTE: For more information, including a full description of the page, refer to the Quest Change Auditor for Windows File Server User Guide.
2
Click Auditing.
3
Select File System (under the Server heading in the Auditing task list) to open the File System Auditing page.
4
Use Add to launch the File System Auditing wizard which steps you through the process of creating a File System Auditing template.

Welcome

Name your template.

2
Click Next.

File Paths

Provide the name and path of the files to be audited.

Use the Events tab to select vital file events.

This must be a local path. Auditing and/or protecting network shares is not supported. To audit or protect those files/folders, a Change Auditor agent must be deployed on the share's hosting server.

2
Enter the file name and path (i.e., Drive:\Folder\FileName.ext) to be audited.
3
Click Add to add it to the selection list.
4
On the Events tab, select individual file events to be audited, or select the File Events check box to select all listed file events.
5
Click Next.

Excluded Processes

(Optional) Select the processes to exclude from auditing.

2
Click Add to add it to the exclusion list.
4
Click Finish to save the template and close the wizard.
2
Click Auditing.
3
Select File System (under the Server heading in the Auditing task list) to open the File System Auditing page.
4
Use Add to launch the File System Auditing wizard which steps you through the process of creating a File System Auditing template.

Welcome

Name your template.

2
Click Next.

File Paths

Provide the name and path of the folders to be audited or select to audit all drives.

Use the available tabs to select specific events and file masks to audit. You can also exclude certain subfolders and files from auditing.

1
For the audit path, select Folder or All Drives.
If Folder is selected, enter the file name and path to be audited. You can also select a system variable using the drop-down menu.
If All Drives is selected, the Audit Path text box will contain an asterisk (*) which cannot be changed.
Click Add to add it to the selection list.
2
Click in the Scope cell to change the scope of coverage.
3
On the Events tab, select individual file and folder events to be audited, or select the File Events and/or Folder Events check boxes to select all listed events.
Click Add to add it to the inclusion list.
Use Add | Folder to exclude activity against any matching files/subfolders or Add | File to exclude activity against matching files.

Discarded events

(Optional) Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip.

(Optional) Multiple folder open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window.

1
To ignore the folder opened events generated by this action, select the Discard Windows Explorer tooltip events from browsing option.
2
To ignore the folder open events generated by this action, select the Discard file open events from folder browsing option.
3
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Excluded Processes

(Optional) Select the processes to exclude from auditing.

1
Enter a process to exclude and click Add to add it to the exclusion list.
2
Click Finish to save the template and close the wizard.

Registry auditing

To capture registry events, you must first complete the following steps to define the registry keys to be audited and the events to be captured:

The Registry Auditing page is displayed when Registry is selected from the Auditing task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the Registry Auditing templates that have been previously defined. From this page you can launch the Registry Auditing wizard to specify a registry key to be audited. You can also edit existing templates, copy templates, disable/enable templates, or remove templates that are no longer being used.

2
Click Auditing.
3
Select Registry (under the Server heading in the Auditing task list) to open the Registry Auditing page.
4
Click Add to open the Registry Auditing wizard which steps you through the process of creating a Registry Auditing template.

Welcome

Name your template.

2
Click Next.

Registry Key Selection

Select the registry keys to be audited.

Use the Event tab to select any associated events that are to be audited. Use the Exclusions tab to specify sub keys to be excluded.

2
To change the default scope, click the entry in the Scope cell and select a different scope.
3
On the Events tab, select the key and value events that are to be included in the audit. Selecting the Key Events or Value Events check box selects all of the events underneath the heading.
4
If you selected This object and child objects only as the scope, on the Value tab you can specify a specific value for the selected key.
Click Add to add it to the Exclusion list at the bottom of the page.
6
Click Finish to save the template and close the wizard.

Services auditing

To capture service events, you must first complete the following steps to define the services to be audited:

The Services Auditing page is displayed when Services is selected from the Auditing task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the Service Auditing templates that have been previously defined. From this page you can launch the Service Auditing wizard to define the system services to be included in the auditing template. You can also edit existing templates, copy templates, disable/enable templates, or remove templates that are no longer being used.

2
Click Auditing.
3
Select Services (under the Server heading in the Auditing task list) to open the Services Auditing page.
4
Click Add to open the Service Auditing wizard which allows you to define the system services to be included in the template.

Welcome

Name your template.

2
Click Next.

Services Selection

Select the system services to be included in or excluded from auditing.

By default, all services will be audited.

2
If you selected either Audit ALL services except the following or Audit ONLY the following services, enter the names of the services to be included/excluded and click Add to add them to the selection list.
3
Click Finish to save the template and close the wizard.
Related Documents