Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Change Auditor agent performance

Previous Next

Change Auditor agent performance

Performance is directly linked to the CPU speed and network latency of the server hosting the Change Auditor agent collecting the EMC events.

Hardware considerations
Load balancing

Hardware considerations

To improve agent performance, you can:
Upgrade the link between the EMC file server and the Change Auditor agent to decrease network latency.
Add extra CPUs to the current agent or select a more powerful agent host with more CPUs or CPU cores available.

See System overview for more information.

Load balancing

You can also improve performance by assigning an EMC Auditing template to more than one agent. When multiple agents are assigned to the same EMC Auditing template, events will be load balanced and events will be sent to each agent round-robin style.

* 
TIP: Quest recommends that you specify no more than two agents; however, you can specify more than two agents if you find the need. The downside to assigning multiple agents to the same EMC Auditing template is that the ‘where’ field for EMC events may contain any one of these agents. In addition, if EMC event logging is enabled in Change Auditor, events will be written on multiple agent servers.

Configuring audit scope

Previous Next

Configuring audit scope

Audit only volumes, extensions and operations that are vital for your environment.

* 
NOTE: Configuring the auditing scope to audit only critical files/folders is recommended because this filtering controls the traffic between the coordinator and agent. However, changes to the auditing scope as described below will have no impact on the traffic between EMC and the agents.

Use the EMC Auditing template to specify the auditing scope for EMC events. For example, using the EMC Auditing template you can:
Decrease the number of volumes being audited
Set the Audit Path to File, Folder or Volume and enter the file, folder or volume to be audited.
To specify a file, enter: <ShareName>\<FolderName>\<FileName.ext>
To specify a folder, enter: <ShareName>\<FolderName>
To specify a volume, enter: <VolumeName>
Decrease the number of file extensions being audited
Use the Inclusions tab to specify individual subfolders or files to be included for auditing.
Use the Exclusions tab to exclude individual subfolders or files from auditing.
* 
NOTE: On both the Inclusions and Exclusions tabs, you can specify a group of files or subfolders using wildcard characters. That is, use an asterisk (*) to substitute zero or more characters or use a question mark (?) to substitute a single character.

See File/Folder Inclusion and Exclusion Examples for more information and examples.
Decrease the number of operations being audited
Use the Events tab to select only vital file and/or folder events.

EMC Events

Previous Next

EMC Events

The following events can be selected for auditing from the Events tab on the EMC Auditing wizard. The events listed on the Events tab is based on the file/folder specified in the Audit Path and the coverage specified in the Scope cell.

File events
EMC File access rights changed (no from-value)
EMC File contents written
EMC File created
EMC File deleted
EMC File moved
EMC File opened (Only available when the Audit Path is File)
EMC File ownership changed (no from-value)
EMC File renamed
 
Folder events
EMC Folder access rights changed (no from-value)
EMC Folder created
EMC Folder deleted
EMC Folder moved
EMC Folder ownership changed (no from-value)
EMC Folder renamed
 

 

File/Folder Inclusion and Exclusion Examples

Previous Next

File/Folder Inclusion and Exclusion Examples

This section provides sample entries for the Inclusions and Exclusions tabs on the auditing wizard. It does not list every combination available, but provides a variety of examples to help you understand how to use the wildcard characters allowed on these two tabs.

The Inclusions and Exclusions tabs only appear when the Folder, Volume or All Volumes option is selected in the Audit Path field and the Scope includes child objects. Use these two tabs as described below:
Inclusions tab - enter a file mask to specify what is to be audited.
Exclusions tab - optionally enter a file mask (or path) to specify subfolders and files in the selected audit path that are to be excluded from auditing.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating