Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Introduction

Previous Next

Introduction

Windows services are the backbone of applications and require frequent administrator actions. Changes can be simple, such as changing a startup type or service account password. But, even the simple changes can cause major issues. In fact, in this case it would render an application useless to its users. Change Auditor provides service auditing capabilities, including the ability to track who starts and stops a service.

To capture service events, you must first define the services to audit:

1
Create a Service Auditing template to specify the system services to audit or exclude from auditing. For more information about creating a template, see Service Auditing templates.
2
Add this template to an agent configuration. For more information about how to add a template to an agent configuration, see Define agent configurations.
3
Assign the agent configuration to Change Auditor agents. For more information about how to assign an agent configuration to an agent, see Assign agent configurations to server agents.
* 
NOTE: Event logging is disabled by default; and when enabled, only configured activities are captured in the Windows event log.

Services Auditing page

Previous Next

Services Auditing page

The Services Auditing page is displayed when Services is selected from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page, you can start the Service Auditing wizard to define the system services to include in the auditing template. You can also edit existing templates, disable and enable templates and remove templates that are no longer being used.

The Service Auditing page contains an expandable view of all the Service Auditing templates that have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following information is provided for each template:

Template

Displays the name assigned to the template when it was created.

Status

Indicates whether the template is enabled or disabled. To enable and disable the template, place your cursor in this Status cell, click the arrow control, and select the appropriate option from the drop-down menu.

Exclude

Displays the option selected to determine which services are included or excluded from auditing:
Audit ALL
Audit all EXCEPT
Audit ONLY
Services

This field is used for filtering data.

When individual services have been included in a Service Auditing template, click the expansion box to the left of the Template name to expand this view and display the following details:

Service

Displays the name of the services included in the template.

Status

Indicates whether auditing of the service is enabled or disabled. To enable and disable the auditing of the service, place your cursor in this Status cell, click the arrow control, and select the appropriate option from the drop-down menu.

Display Name

Displays the display name for the listed services.

Service Auditing templates

Previous Next

Service Auditing templates

* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client redisplays the templates that meet the search criteria (that is, comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see Filter data.

To enable service auditing, create a Service Auditing template to specify the system services to audit or to exclude from auditing. You can then assign this template to an agent configuration, which then needs to be assigned to the appropriate Change Auditor agents.

To create a Service Auditing template:
1
Open the Administration Tasks tab and click Auditing.
2
Select Services (under the Server heading in the Auditing task list) to open the Services Auditing page.
3
Click Add to start the Service Auditing wizard which allows you to define the system services to be included in the template.
4
Enter a name for the template.
5
Select one of the following options to define whether this template is to include or exclude system services for auditing:
Audit ALL services (default)
Audit ALL services except the following
Audit ONLY the following services
6
If you selected either the Audit ALL services except the following or the Audit ONLY the following services option, the data grid is activated allowing you to select the services to be included or excluded depending on the option selected.

From the services listed:
Select one or more services and click Add to move them to the list box.
Select Add All to move all the services,

OR
Select Enter a service not listed above to enter an unlisted service.
7
To view the services on a different server, click the browse button to the far right of You are viewing services on.

Clicking the browse button displays the Select a Directory Object dialog, where you can use either the Browse or Search pages to locate and select a different server. After selecting the server, click Select to close the dialog and display the services found on the selected server.

8
To create the template without assigning it to an agent configuration, click Finish.

Clicking Finish creates the template, close the wizard and return to the Services Auditing page, where the newly created template is listed.

9
To create the template and assign it to an agent configuration, expand Finish and click Finish and Assign to Agent Configuration.This displays the Configuration Setup dialog allowing you to select the agent configuration to which this template is to be assigned.
* 
NOTE: Back on the Auditing page, you can also use the Assign button to assign the selected template to an agent configuration. Clicking this button displays the Configuration Setup dialog allowing you to select the agent configuration to which this template is to be assigned.
10
On the Agent Configuration page, select the agents assigned to use the modified agent configuration and click Refresh Configuration to ensure that the agents are using the latest configuration.
To modify a template:
* 
NOTE: If you do not refresh the agent’s configuration, the agent automatically checks for a new agent configuration based on the polling interval setting (on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
1
On the Services Auditing page, select the template to modify and click Edit.

This displays the Service Auditing wizard, where you can modify the current list of services included in the template.

2
Click Finish or expand Finish and click Finish and Assign to Agent Configuration.
To disable a template:

Disabling allows you to temporarily stop auditing the specified service without having to remove the auditing template or individual service from an active template.

1
On the Auditing page, place your cursor in the Status cell for the required template, click the arrow control, and select Disabled.

The entry in the Status column for the template changes to ‘Disabled’.

2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
To disable the auditing of a service in a template:
1
On the Services Auditing page, place your cursor in the Status cell for the required service, click the arrow control, and select Disabled

The entry in the Status column for the service changes to ‘Disabled’.

2
To re-enable the auditing of a service, use the Enable option in either the Status cell or right-click menu.
To delete a template:
1
On the Auditing page, select the required template and click Delete | Delete Template.
2
A dialog displays confirming that you want to delete the selected template. Click Yes.
To delete a service from an auditing template:
1
On the Services Auditing page, select the required service and click Delete | Delete Service.
2
A dialog displays confirming that you want to delete the service from the template. Click Yes.
* 
NOTE: If the service is the last one in the template, deleting this service will also delete the template.

Service Auditing wizard

Previous Next

Service Auditing wizard

The Service Auditing wizard is displayed when you click Add on the Services Auditing page. Using this wizard you can define the system services to be included in the template.

The following table provides a description of the fields and controls in the Service Auditing wizard.

 
* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered.
 

Table 1. Service Auditing wizard

Create or modify a Service Auditing Template page

Use this page to enter a name for the template and select the services that are to be audited.

Template Name

Enter a descriptive name for the Service Auditing template being created.

Inclusion/Exclusion options

Select one of the following options to define whether this template is to include or exclude system services for auditing:
Audit ALL services (default)
Audit ALL services except the following
Audit ONLY the following services

Service data grid

If you selected either the Audit ALL services except the following or the Audit ONLY the following services option, the data grid will be activated allowing you to select the services to be included or excluded depending on the option selected.

Select the services to be included in the template and click Add to add them to the list box at the bottom of the dialog.

You are viewing services on

Displays the name of the server from which the service data grid was populated.

Use the browse button to the right of this field to select a different server. The services found on the selected server will then be displayed.

Services list

The list box located across the bottom of the page displays the individual services to be included in the Services Auditing template. Use the buttons above this list box to add or remove services.
Add - Use the Add button to add the service(s) selected in the Services data grid to the list.
Add All - Use the Add All button to add all of the services listed in the Service data grid to the list.
Remove - Select a service entry in the list and click the Remove button to remove it from the template (move it back into the Services data grid).
NOTE: If you want to audit all services, this list will be empty.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating