Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Troubleshooting steps

Previous Next

Troubleshooting steps

* 
NOTE: If the Search Properties tabs are displayed across the bottom of the Search Results page, double-click an event to display the event details for the selected event.

If the EMC events do not appear in the client as expected, check the following:
Verify that the CEPA (EMC CAVA agent service) is running on the Windows Server where the EMC events are being collected.
Verify that the Shared EMC Connector service (QCeeService) is running.
Use the following command to verify that the CEPP service on the EMC Data Mover is running and is in the state of ONLINE:

server_cepp <DataMoverName> -p -i

If the CEPP service is OFFLINE, restart the EMC CAVA agent service on the Windows Server. If that does not work, restart the EMC CEPP service on the Data Mover using the following commands:

server_cepp <DataMoverName> -service -stop
server_cepp <DataMoverName> -service -start
Verify that the EMC file server (CIFS) is valid on the first page of the EMC Auditing wizard. The EMC File Server (CIFS) field should contain the IP address or Netbios name of the CIFS to be audited.
Verify that you have selected those type of events in the EMC Auditing template. (Events tab in wizard.)
Verify that you have included the correct subfolders and paths in the EMC Auditing template. (Inclusions tab in wizard.)
* 
NOTE: Entering * will include all subfolders and paths.
Verify that you have not excluded the specified subfolders or paths in the EMC Auditing template. (Exclusions tab in wizard.)
If you set the credentials on the second page of the wizard, verify that you have selected the correct Data Mover for the selected CIFS.
Refresh the specified agent configurations on the Agent Configuration page to ensure the latest EMC Auditing template is being used.

EMC Auditing

Previous Next

EMC Auditing
Introduction
EMC Auditing page
EMC auditing templates
EMC Auditing wizard
File System events settings
EMC event logging

Introduction

Previous Next

Introduction

You must define a separate EMC Auditing template for each EMC file server (CIFS) to audit. The EMC Auditing page on the Administration Tasks tab displays details about each EMC Auditing template created and allows you to add new auditing templates.

 

EMC Auditing page

Previous Next

EMC Auditing page

The EMC Auditing page displays when you select EMC from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page you can open the EMC Auditing wizard to specify the EMC file server (CIFS) to be audited, the auditing scope and the agents to receive the EMC events. You can also edit existing templates, disable/enable templates, and remove templates that are no longer being used.The EMC Auditing page contains an expandable view of all the EMC Auditing templates that have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following information is provided for each template:

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.
File Server (CIFS)

Displays the name of the EMC file server (CIFS) specified in the wizard.

Status

Indicates whether the auditing template is enabled or disabled.

Paths

This field is used for filtering data.

Audit cepp.conf

Indicates whether you have selected to audit the cepp.conf file for changes made by other third-party applications.

* 
NOTE: This field does not apply to Isilon file server auditing.
Auditing Agent

Displays the name of the agent assigned to audit the cepp.conf file.

* 
NOTE: This field will be blank if the Audit cepp.conf field is set to No.
Polling Interval Minutes

Displays the polling interval specified when auditing of the cepp.conf file is enabled.

* 
NOTE: This field will be blank if the Audit cepp.conf field is set to No.
* 
NOTE: This field does not apply to Isilon file server auditing.
 

Click the expansion box to the left of the EMC file server (CIFS) name to expand this view and display the following details:

Path

Displays the name of the audit paths included in the EMC Auditing template.

Status

Indicates whether auditing for the selected audit path is enabled or disabled.

Include Mask

Displays the names of the subfolders or files to be audited (or a file mask) as specified on the Inclusions tab of the wizard.

Scope

Indicates the scope of coverage specified for each audit path in the selected template:
This object only
This object and child objects only
This object and all child objects
Exclude

Displays the names and paths of subfolders and files to be excluded from auditing as specified on the Exclusions tab of the wizard.

Operations

Displays the events selected for auditing on the Events tab of the wizard. Hover your mouse over this cell to view all of the events included in the template.

Agent

Lists the agents assigned to receive the EMC events from the selected EMC file server (CIFS).

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating