Chat now with support
Chat with Support

Change Auditor 7.3 - User Guide

Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Disable Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags

Registry Auditing wizard

The Registry Auditing wizard displays when you click Add on the Registry Auditing page. From this wizard, select the registry key to be audited as well as the events to be audited.

The following table provides a description of the fields and controls in the Registry Auditing wizard.

Use the first page of the wizard to enter a name for the template and select the registry keys to audit.

Template Name

Enter a descriptive name for the Registry Auditing template being created.

Registry key in the HKEY_LOCAL_MACHINE hive

Enter or use one of the browse options to select the registry key in the HKEY_LOCAL_MACHINE hive to be audited.

Expand the browse button to browse for and select a registry key:

Local Registry - select this option to browse and select a registry key from the local computer
Remote Registry - select this option to browse and select a registry key from a remote server. Selecting this option displays the Select Active Directory Object dialog allowing you to select the server whose registry you would like to browse. Use the browse or search pages to locate and select the server.

Registry Keys list

The list box located across the middle of the page displays the registry keys to be included in the Registry Auditing template. Use the Add and Remove buttons to control the contents of this list:

Add - Use this to add the specified registry key to the template.
Remove - Select a registry key from the list and click the Remove button to remove the selected registry key from the template.

Use the drop-down box in the Scope cell of the list box to specify the scope of coverage:

This object only - select this option to audit only this key, not its values or sub keys.
This object and child objects only - select this option to audit this key, its values and direct sub keys only. This is not recursive.
This object and all child objects - select this option to audit this key, all sub keys and all values. (Default)

Select a key in this list to enable the corresponding Events, Value and Exclusions tabs at the bottom of this page.

Events tab

Use the Events tab to select the type of events (e.g., registry key added, registry key deleted) that are to be audited for the selected registry key. The contents of this tab is based on the entry selected above in the Registry Keys list.

Key Events

Select the Key events to audit. Select the Key Events check box to select all of the Key events listed or select individual events from the list.

Value Events

Select the Value events to audit. Select the Value Events check box to select all of the Value events listed or select individual events from the list.

Value tab

If you selected the This object and child objects only option in the Scope cell, this additional tab will be displayed allowing you to enter a specific value to be audited for the selected key.

Audit a specific value

Enter the value to be audited for the selected key.

Exclusions tab (Optional)

Use the Exclusions tab to exclude sub keys in the selected registry key from being audited.

Add the sub keys to exclude from auditing

To exclude a sub key in the selected registry key from being audited, expand the browse button and select one of the browse options to browse either the local or remote server for the sub key.

You can also enter the name of the sub key to be excluded from auditing. Use a file mask to select a group of sub keys. A file mask can contain any combination of the following:

Once you have specified a sub key for exclusion, click the Add button to add it to the Excluded Keys list at the bottom of the page.

Expand the browse button and select one of the following options:

Local Registry - select this option to select a sub key from the local server.
Remote Registry - select this option to select a sub key from a remote registry. Selecting this option displays the Select Active Directory Object dialog allowing you to select the server whose registry you would like to browse. Use the browse or search pages to locate and select the server.

Excluded Keys list

The list across the bottom of this page contains the sub keys that are to be excluded from auditing. Use the Add and Remove buttons to add and remove entries.

Add - Use the Add button to add the specified sub key to the Excluded Keys list.
Remove - Select an entry in the Excluded Keys list and click the Remove button to remove it.

Service Auditing

Introduction

Windows services are the backbone of applications and require frequent administrator actions. Changes can be simple, such as changing a startup type or service account password. But, even the simple changes can cause major issues. In fact, in this case it would render an application useless to its users. Change Auditor provides service auditing capabilities, including the ability to track who starts and stops a service.

To capture service events, you must first define the services to audit:

Services Auditing page

The Services Auditing page is displayed when Services is selected from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page, you can start the Service Auditing wizard to define the system services to include in the auditing template. You can also edit existing templates, disable and enable templates and remove templates that are no longer being used.

The Service Auditing page contains an expandable view of all the Service Auditing templates that have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following information is provided for each template:

Indicates whether the template is enabled or disabled. To enable and disable the template, place your cursor in this Status cell, click the arrow control, and select the appropriate option from the drop-down menu.

When individual services have been included in a Service Auditing template, click the expansion box to the left of the Template name to expand this view and display the following details:

Indicates whether auditing of the service is enabled or disabled. To enable and disable the auditing of the service, place your cursor in this Status cell, click the arrow control, and select the appropriate option from the drop-down menu.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating