立即与支持人员聊天
与支持团队交流

Change Auditor 7.2 - User Guide

Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Disable Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags

Registry Auditing templates

To enable custom registry auditing you must create a Registry Auditing template which specifies the registry keys and events to audit. You can then assign this template to an agent configuration, which then needs to be assigned to the appropriate agents.

2
Select Registry (under the Server heading in the Auditing task list) to open the Registry Auditing page.
3
Click Add to start the Registry Auditing wizard which will step you through the process of creating a Registry Auditing template.
Selecting the Browse | Local Registry option displays the Select registry key dialog allowing you to select a registry key from the local server.
Selecting the Browse | Remote Registry option displays the Select Active Directory Object dialog allowing you to select the server whose registry you would like to browse. Use the Browse or Search pages to locate and select the server. On the Select registry key dialog select the registry key to be audited.
7
In the Scope cell, use the drop-down menu to select the scope of coverage:
NOTE: Selecting the Key Events or Value Events check box at the top of the events list on the Events tab will select all of the events listed under the heading. Similarly, clearing the check boxes will clear all of the selected events.
9
If you selected the This object and child objects only option in the Scope cell, you can also specify a specific value for the selected key. To audit a specific value, open the Value tab and enter the value in the text box provided.
Selecting Browse | Local Registry displays the Select registry key dialog allowing you to select a sub key from the local server.
Selecting Browse | Remote Registry displays the Select Active Directory Object dialog allowing you to select the server whose registry you would like to browse. Use the browse or search pages to locate and select the server. From the Select registry key dialog, select the sub key to be excluded.
Once you have specified a sub key for exclusion, click Add to add it to the Exclusions list at the bottom of the page.
Clicking Finish creates the template, closes the wizard and returns to the Registry Auditing page, where the newly created template will now be listed.
12
To create the template and assign it to an agent configuration, expand Finish and click Finish and Assign to Agent Configuration.
NOTE: On the Auditing page, you can also use the Assign tool bar button to assign the selected template to an agent configuration. Clicking this button will display the Configuration Setup dialog allowing you to select the agent configuration to which this template is to be assigned.
13
3
Once you have made your modifications, click Finish or expand Finish and click Finish and Assign to Agent Configuration.

Disabling allows you to temporarily stop auditing the specified registry key without having to remove the auditing template or individual registry key from an active template.

1
On the Auditing page, place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.
The entry in the Status column for the template will change to ‘Disabled’.
2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
1
On the Registry Auditing page, place your cursor in the Status cell for the registry key to be disabled, click the arrow control and select Disabled from the drop-down menu
The entry in the Status column for the registry key will change to ‘Disabled’.
2
To re-enable the auditing of a registry key, use the Enable option in either the Status cell or right-click menu.

Registry Auditing wizard

The Registry Auditing wizard displays when you click Add on the Registry Auditing page. From this wizard, select the registry key to be audited as well as the events to be audited.

The following table provides a description of the fields and controls in the Registry Auditing wizard.

Use the first page of the wizard to enter a name for the template and select the registry keys to audit.

Template Name

Enter a descriptive name for the Registry Auditing template being created.

Registry key in the HKEY_LOCAL_MACHINE hive

Enter or use one of the browse options to select the registry key in the HKEY_LOCAL_MACHINE hive to be audited.

Expand the browse button to browse for and select a registry key:

Local Registry - select this option to browse and select a registry key from the local computer
Remote Registry - select this option to browse and select a registry key from a remote server. Selecting this option displays the Select Active Directory Object dialog allowing you to select the server whose registry you would like to browse. Use the browse or search pages to locate and select the server.

Registry Keys list

The list box located across the middle of the page displays the registry keys to be included in the Registry Auditing template. Use the Add and Remove buttons to control the contents of this list:

Add - Use this to add the specified registry key to the template.
Remove - Select a registry key from the list and click the Remove button to remove the selected registry key from the template.

Use the drop-down box in the Scope cell of the list box to specify the scope of coverage:

This object only - select this option to audit only this key, not its values or sub keys.
This object and child objects only - select this option to audit this key, its values and direct sub keys only. This is not recursive.
This object and all child objects - select this option to audit this key, all sub keys and all values. (Default)

Select a key in this list to enable the corresponding Events, Value and Exclusions tabs at the bottom of this page.

Events tab

Use the Events tab to select the type of events (e.g., registry key added, registry key deleted) that are to be audited for the selected registry key. The contents of this tab is based on the entry selected above in the Registry Keys list.

Key Events

Select the Key events to audit. Select the Key Events check box to select all of the Key events listed or select individual events from the list.

Value Events

Select the Value events to audit. Select the Value Events check box to select all of the Value events listed or select individual events from the list.

Value tab

If you selected the This object and child objects only option in the Scope cell, this additional tab will be displayed allowing you to enter a specific value to be audited for the selected key.

Audit a specific value

Enter the value to be audited for the selected key.

Exclusions tab (Optional)

Use the Exclusions tab to exclude sub keys in the selected registry key from being audited.

Add the sub keys to exclude from auditing

To exclude a sub key in the selected registry key from being audited, expand the browse button and select one of the browse options to browse either the local or remote server for the sub key.

You can also enter the name of the sub key to be excluded from auditing. Use a file mask to select a group of sub keys. A file mask can contain any combination of the following:

Once you have specified a sub key for exclusion, click the Add button to add it to the Excluded Keys list at the bottom of the page.

Expand the browse button and select one of the following options:

Local Registry - select this option to select a sub key from the local server.
Remote Registry - select this option to select a sub key from a remote registry. Selecting this option displays the Select Active Directory Object dialog allowing you to select the server whose registry you would like to browse. Use the browse or search pages to locate and select the server.

Excluded Keys list

The list across the bottom of this page contains the sub keys that are to be excluded from auditing. Use the Add and Remove buttons to add and remove entries.

Add - Use the Add button to add the specified sub key to the Excluded Keys list.
Remove - Select an entry in the Excluded Keys list and click the Remove button to remove it.

Service Auditing

Introduction

Windows services are the backbone of applications and require frequent administrator actions. Changes can be simple, such as changing a startup type or service account password. But, even the simple changes can cause major issues. In fact, in this case it would render an application useless to its users. Change Auditor provides service auditing capabilities, including the ability to track who starts and stops a service.

To capture service events, you must first define the services to audit:

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级