Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Change Auditor Agent Status dialog

Previous Next

Change Auditor Agent Status dialog

The Change Auditor Agent Status dialog helps you determine if the agent is running and what version is installed on the domain controller. The other status information in the dialog is broken down into the following sections:
Agent Information - displays the status, version number, the coordinator installation name to which the agent is connected, and the agent’s database size
Events - displays audit event activity
Coordinator Connection - displays information regarding the connection between the agent and the coordinators

This dialog contains the following status information:

 

Table 9. Change Auditor Agent Status dialog: Status information

Field

Description

Agent Information

Agent is

The current agent status:

Running - the agent service is running
Initializing - the agent service has started but is still initializing
Not Running - the agent service is not currently running
Failed - the agent service failed to initialize

Version

The current version of the agent installed on the server.

Installation Name

The installation name assigned to the coordinator to which the agent is connected.

DB Size (KB)

The size of the agent database, in kilobytes. This is dependent on the number of monitored Active Directory, registry and file system objects, and the number of events queued for transmission to the coordinator. If a coordinator is not available, this database may become large. When the events are successfully sent to a coordinator, the database space is re-used for subsequent events.

License

The licenses that are applied. Use the arrow controls to scroll through the licenses.

Events

Contains indicators of internal Change Auditor activity and may be used by Quest Support should they need to diagnose agent problems.

AD Events

If licensed (Change Auditor for Active Directory), this is the number of Active Directory related events processed by the agent. This field will be blank for agents running on member servers.

ADAM Events

If licensed (Change Auditor for Active Directory), this is the number of ADAM events processed by the agent.

Exchange Events

If licensed (Change Auditor for Exchange) and configured, this is the number of Exchange Mailbox events processed by the agent.

Local Security Events

If licensed (Change Auditor for Active Directory), this is the number of local user and group (SAM) events processed by the agent.

File System Events

If licensed (Change Auditor for Windows File Servers) and configured, this is the number of File System events processed by the agent.

Registry Events

If configured, this is the number of Registry events processed by the agent.

SQL Events

If licensed (Change Auditor for SQL Server) and configured, this is the number of SQL Server events processed by the agent.

NetApp Events

If licensed (Change Auditor for NetApp) and configured, this is the number of NetApp filer events processed by the agent.

EMC Events

If licensed (Change Auditor for EMC) and configured, this is the number of EMC events processed by the agent.

SharePoint Events

If licensed (Change Auditor for SharePoint) and configured, this is the number of SharePoint events processed by the agent.

Microsoft Entra Events

If licensed (Change Auditor for Active Directory) and configured, this is the number of Microsoft Entra events processed by the agent.

ADFS Events

If licensed (Change Auditor for Logon Activity) and configured, this is the number of ADFS events processed by the agent.

Logon Events

If licensed (Change Auditor for Logon Activity User), this is the number of user logon activity events processed by the agent.

Microsoft 365 Events

If configured (Change Auditor for Exchange and Change Auditor for SharePoint), this is the number of Exchange Online, SharePoint Online, and OneDrive for Business events processed by the agent.

Other Events

This is the number of events processed by the agent that do not ‘fit’ into the other event categories (such as Authentication Services events, Service events, etc.).

Excluded Events

If configured, this is the number of events excluded by the agent because they originated from a user or computer that was defined as an excluded account.

Coordinator Connection

Connected

The computer name (and SCP port) of the coordinators to which this agent is currently connected.

NOTE: For more details on agent connection behavior, see Installation Notes and Best Practices in the Quest Change Auditor Installation Guide.

All

The list of all available coordinators in the installation.

Last Conf Update

The time when the agent last downloaded the agent configuration information/settings.

Events Last Sent

The local time when the last event was sent. If no events have been detected by Change Auditor recently, this time may be fairly old.

Events Sent

The number of events that have been sent to a coordinator since the agent was last started.

Acknowledged

The number of events that a coordinator has acknowledged.

Normally, this value will be the same as the Events Sent. However, it may be smaller if the coordinator is not running or if a large number of events are being processed by the coordinator which may be slowing it down. Events may also be lost due to communication problems, in which case the agent will try to re-send the events.

Events Waiting

The number of events in the agent database that are waiting to be forwarded to a coordinator.

This value should be at or near zero when the server is idle, but can grow if it is busy. If the value never returns to zero, it may indicate that the agent is having difficulty communicating with the coordinator service. If this is the case, contact Technical Support for assistance.

View agent status/statistics

Previous Next

View agent status/statistics

To view agent status/statistics (Overview page):
1
Open the Overview page and if the Top Agent Activity pane is not displayed, click the arrow on the heading of one of the overview panes and select Top Agent Activity.

This pane displays the top most active agents in your environment, based on the data range specified.

2
By default, the agent activity on all servers for the past month, excluding uninstalled agents, is displayed. Use the controls at the top of this pane to specify the type of agented objects to be included as well as the date range.
3
The values in the Audited Events column are links, which when selected will open up a new Search Results tab to display the related details for these events.
4
If the Agent Status pane is not displayed, click the arrow on the heading of one of the overview panes and select one of the following commands:
Agent Status | Enterprise View
Agent Status | <domain>
5
By default, this pane will only include active and inactive (installed) agents in the pie chart. You can however, select the Show Uninstalled Agents check box to include agents that are set as ‘uninstalled’ in the pie chart.
6
Double-clicking the pie chart will display the Agent Statistics page.
To view agent status/statistics (Agent Statistics page):
1
Open the Agent Statistics page and click Refresh to retrieve updated information.
2
Click Show Uninstalled Agents to include uninstalled agents. Click Hide Uninstalled Agents to exclude uninstalled agents from the display.

The values in the different event columns are links, which when selected will open up a new Search Results tab to display the related details for these events.

To view agent status/statistics on the current agent only (agent system tray icon):
* 
NOTE: The agent system tray icon can be loaded using one of the following methods:
Click Advanced Options on the Deployment page to display the Advanced Deployment Options dialog. From this dialog, select the appropriate Launch ServiceStatusTray on startup option (Yes or Do not change).
Navigate to %ProgramFiles%\Quest\ChangeAuditor\Agent and double-click the ServiceStatusTray.exe file.
1
Right-click the system tray icon and select Agent Status.

This opens the Change Auditor Agent Status dialog, which displays agent information (including if the agent is running), event activity for the agent and coordinator connection information.

2
Click OK.

Manage Change Auditor agents

Previous Next

Manage Change Auditor agents

To stop an agent (Agent Statistics page):
* 
NOTE: You can use the Action | Agent Notifications menu command to hide (or display) the desktop notifications that are displayed when these processes are performed.
1
Open the Agent Statistics page.
2
Select the agent to stop and click Stop Agent.
* 
NOTE: The Stop Agent command is only available when an agent is ‘Active’.
3
An information message is displayed, click OK to stop the agent.
4
In addition, a desktop notification is displayed in the lower right-hand corner of your screen explaining that the selected agent is being disconnected from a specific coordinator.

Once disconnected, the agent’s status will be changed to ‘Inactive’ on the Agent Statistics page.

5
If you so choose, click Set Agent Uninstalled to flag the selected agent as ‘Uninstalled’.
6
Click Show Uninstalled Agents to include uninstalled agents in the Agent Statistics list. Click Hide Uninstalled Agents to exclude uninstalled agents from the display.
To stop an agent (agent system tray icon):
* 
NOTE: The agent system tray icon is only available for server agents.
1
From the server where the agent is installed, right-click the agent system tray icon and select Disable Agent.
2
On the confirmation dialog, click Yes to stop the agent service.
3
A message displays explaining that the agent is being stopped.
4
In addition, a desktop notification displays in the lower right-hand corner of your screen explaining that the selected agent is being disconnected from a specific coordinator.

Once disconnected, the agent system tray icon contains a red light indicating that the agent is inactive.

To start an agent (Agent Statistics page):
1
Open the Agent Statistics page.
2
Select a previously stopped agent and click Start Agent.
* 
NOTE: The Start Agent command is only available when an agent is ‘Inactive’.
3
An information message displays explaining that it may take a few minutes to start the agent. Click OK to start the agent.
4
In addition, a desktop notification displays in the lower right-hand corner of your screen explaining that the selected agent is being connected to a specific coordinator.

Once connected, the agent’s status returns to ‘Active’ on the Agent Statistics page.

To start an agent (agent system tray icon):
* 
NOTE: The agent system tray icon is only available for server agents.
1
From the server where the agent is installed, right-click the agent system tray icon and select Enable Agent.
2
A message displays explaining that the agent is being started.
3
In addition, a desktop notification displays in the lower right-hand corner of your screen explaining that the selected agent is being connected to a specific coordinator.

Once connected, the agent system tray icon no longer contains a red or yellow button indicating that the agent is now active.

Agent Log page

Previous Next

Agent Log page

A new log page is created whenever the View Agent Log command is selected and displays the event details recorded in the trace log for the selected agent.

* 
IMPORTANT: For workstation log management (such as Get Logs or View Agent Log), the following must be enabled on the workstation:
Windows Management Instrumentation (WMI) must be enabled in the firewall rule set (usually domain) on the workstation
Network Discovery and File Sharing must be enabled
Remote Registry Service must be set to ‘Start Automatically’. By default, this service is stopped and set to ‘Manual’ for Windows 10.

The data grid and event details pane on this page contains the following information for each log entry. The default column in the table below identifies the fields that are displayed in the data grid by default. To display different fields, click the Field Chooser button located to the far left of the column headings.

 

Table 10. Agent Log page: Field descriptions

Column

Default

Description

File

No

Specifies the name of the source file that logged the message.

Function

No

Displays the name of the function that logged the message.

ID

No

Displays the event ID used to identify the event.

Level

Yes

Indicates the severity of the event message:

Info - ‘For your information’; does not require attention
Error - events that indicate a problem has occurred; requires attention
Warning - events that warn of potential problems; does not require immediate attention

Line

No

Specifies the line within the source file that logged the message.

Logger

No

Specifies the logger used to log events.

Message

Yes

Displays the event message that was posted to the log.

Thread

No

Specifies the thread within the source file that logged the message.

Timestamp

Yes

Displays the date and time when the entry was posted to the log.

NOTE: Based on the client’s current local date and time. The format used to display this date and time is determined by the local machine’s regional and language setting.

Use the tool bar buttons at the top of the log page to scroll through the log and search for log entries.

 

Table 11. Agent Log page: Tool bar buttons

Refresh

Use to refresh and reload the log entries from the source file.

NOTE: Not available when the log page is launched using the View Agent Log command.

Copy

Use to copy the selected content to the clip board. Use with the Select All button to copy and paste the contents of the entire log into another application.

Select All

Use to select the entire contents of the log. Use with the Copy button to copy and paste the contents of the log into another application.

Find:

Enter a specific string of characters or word to be located in the log and use the Find button to locate the text.

Show Matched Entries Only (Ctrl+M)

Use to display only the entries that match the word/string of characters entered in the search text.

Match Case

Use to locate entries that match the case as it was entered in the search text.

Previous

Use to move to the previous entry that contains the search text.

Next

Use to move to the next entry that contains the search text.

Print

Use one of the Print options to print or save the contents of the log.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating