立即与支持人员聊天
与支持团队交流

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Managing connection profiles

Previous Next

Managing connection profiles

You can manage Change Auditor in the same forest or in a different forest from a single client allowing you to connect to the coordinator service or the database in many ways.

You can define connection profiles to connect to a coordinator in trusted or untrusted forests, or to connect to the database directly without connecting with the coordinator.

To define a connection profile
1
On the Connection screen, click Manage.
2
On the Manage Connection Profiles dialog, click Add to open the Connection wizard, which steps you through the process of defining a new profile.
* 
NOTE: Previously defined connection profiles are listed allowing you to review the details of each connection profile and edit any user-defined profiles.
3
On the Change Auditor Environment page, select the connection method to use. The available methods include:
Forest — connect to a coordinator in a trusted forest. Enter the DNS name of the forest.
Global Catalog — connect to a coordinator in an untrusted forest. Enter the name or IP address of the global catalog.
Manual — connect to a coordinator located in a different Active Directory forest than the client.
* 
NOTE: When you select to add or edit a manual connection, you will have the option to Use WCF Certificate Authentication and Disable Certificate Revocation List Check. When specifying the coordinator service properties, these check boxes must reflect the options for which the coordinator is configured. For details see, Certificate authentication for client coordinator communication.
Database Direct — connect directly to the Change Auditor database, without going through the coordinator (use this method to connect to an archived 6.x database). With this option, you are connected as an operator with read-only privileges; therefore, the Administration Tasks tab is not available.
* 
NOTE: To access an archive database, the account that you use to log into the client must not have the 'Deny logon over the network' right set.
4
Depending on the connection method selected, enter the requested information on the Connect to Change Auditor Coordinator page:
Forest - select the Service Connection Point (SCP) to use to connect to the coordinator.
Global Catalog - select the SCP to use. To override the coordinator service DNS, you can enter the IP address and port number assigned to the coordinator.
Manual - enter the fully-qualified domain name or IP address (IPv4 or IPv6) of the server where the coordinator resides and specify the port number assigned to the coordinator.
* 
NOTE: If the coordinator host cannot be resolved by DNS (for example, if the coordinator service is running under a service account instead of Local System) you must enter the IP address of the server where the coordinator resides.
Database Direct - use the Browse button to select the SQL instance and Change Auditor database.
* 
NOTE: If the current authenticated user does not have the proper SQL credentials to access the database, the Database Credentials Required dialog appears allowing you to enter new credentials.
NOTE: If the database is in a SQL AlwaysOn Availability Group, specify the availability group listener for the sql server name.
5
On the Connection Profile Summary page, review the connection profile details, name the profile and click Test to test the new connection profile. Click Finish to save the connection profile and close the Connection wizard.
6
On the Manage Connection Profile dialog, the new connection profile is added to the list. Click Save to save the new profile and close the Manage Connection Profile dialog.
7
To use this new connection profile, select it from the drop-down list on the Connection screen and click Connect.
8
If you do not have the proper credentials required for access, a dialog opens allowing you to enter new credentials.

Connection wizard

Previous Next

Connection wizard

The Connection wizard steps you through the process of defining a new connection profile. It is started when you select Add at the bottom of the Manage Connection Profiles dialog.

 

Table 1. Connection wizard

Change Auditor Environment page: Select one of the following connection methods. Depending on the option selected, additional information is requested on this or subsequent pages.

NOTE: If logon credentials are required for access, a dialog displays allowing you to enter the credentials.

Forest

Select to locate a coordinator in a trusted forest. By default the local forest is displayed; however, you can enter the DNS name of a different trusted forest that has access to a DNS server and can be resolved.

NOTE: You cannot enter an IP address in this field.

Global Catalog

Select to connect to a coordinator in an untrusted forest and enter the name or IP address of the global catalog to be used.

NOTE: Use SQL authentication when connecting to an untrusted forest.

Manual

Select to specify the fully qualified domain name or the IP address of the server where the coordinator resides and the port number assigned to the coordinator.

NOTE: When you select to add or edit a manual connection, you will have the option to Use WCF Certificate Authentication and Disable Certificate Revocation List Check. When specifying the coordinator service properties, these check boxes must reflect the options for which the coordinator is configured. For details see, Certificate authentication for client coordinator communication.

Database Direct

Select to connect directly to the Change Auditor database, without going through the coordinator. With this option, you are connected as an operator with read-only privileges; therefore, the Administration Tasks tab is not available.

NOTE: If the database is in a SQL AlwaysOn Availability Group, you need to connect to the availability group listener. Ensure there are no existing open connections to the database if an upgrade will be performed. The upgrade will not proceed if there are other existing open connections to the database.
NOTE: Use the Database Direct method to connect to an archived 6.x Change Auditor database.

An extra page is displayed requesting the following information:
Change Auditor Server (\SQL Instance) - Enter or browse to select the server (name or IP address) and the SQL instance for the Change Auditor database.
Change Auditor Database - Enter the name of the Change Auditor database.

Connect to Change Auditor Coordinator page: This page is displayed after you have selected the connection method. The information required is based on the connection method.

NOTE: When you select to add or edit a manual connection, you will also have the option to Use WCF Certificate Authentication and Disable Certificate Revocation List Check. When specifying the coordinator service properties, these check boxes must reflect the options for which the coordinator is configured. For details see, Because this is a significant change which may require the re-deployment of Change Auditor components, you are presented with a confirmation dialog. Select Yes to continue or No to return to the Client Authentication page..

Service Connection Point

When the Forest or Global Catalog options are selected on the previous page, this list displays the Service Connection Points (SCPs) available for use. Select the SCP to use from this list.

Coordinator DNS/IP Address

If you selected the Global Catalog option and want to override the coordinator service DNS, enter the IP address (IPv4 or IPv6) of the server where the coordinator resides.

If you selected the Manual option, enter the fully qualified domain name or IP address (IPv4 or IPv6) of the server where the coordinator resides.

NOTE: If the coordinator host cannot be resolved by DNS (e.g., if the coordinator service is running under a service account instead of Local System) you must enter the IP address of the server where the coordinator resides.

Coordinator Port

If you selected the Global Catalog option and entered the IP address to override the coordinator server DNS, enter the port number assigned to the coordinator.

If you selected the Manual option, enter the port number assigned to the coordinator.

NOTE: You can obtain the port number assigned to a coordinator using the coordinator log file or Coordinator Status dialog (coordinator system tray icon).

Connection Profile Summary page: This page allows you to review the connection profile details, name your profile and test your new connection profile.

Profile Summary

This displays the settings defined within the wizard. The content depends upon the connection method selected. The information displayed may include:
Connection method
Coordinator
Port
SPN
Change Auditor coordinator server/instance

Connection Profile Name

Enter a descriptive name to assign to the new connection profile.

Test

Use to test the connection as defined in the connection profile.

Client components

Previous Next

Client components

The client contains the following main components:
Title Bar - is located across the top of the screen and displays the name of the forest and installation name to which you are currently connected.
Menu Bar - is located directly below the title bar and displays the menus for accessing Change Auditor commands. See Change Auditor Commands for a description of the menu bar commands.
File Menu - use the File Menu commands to connect to or disconnect from a coordinator, print the currently displayed content, open client logs, or exit the client.
Edit Menu - use the Edit Menu commands to manage your searches and folders on the Searches page.
Action Menu - use the Action Menu commands to refresh or reset a page, autofit columns, display the XML or SQL tabs, enable/disable the auto connect feature or enable/disable the desktop notification messages.
View Menu - use the View Menu commands to display a different Change Auditor page.
Help Menu - use the Help menu commands to display the online help, retrieve general information about this release, send feedback about using the product or collect system logs for troubleshooting purposes.
Tabbed Pages - are displayed below the menu bar and are used to navigate through Change Auditor. The pages that can be displayed, include:
The Start page to view and access relevant information regarding Change Auditor including news and updates, support and knowledge base content, online documentation (release notes and guide), links to the latest releases, and essential contact links.
The Deployment page to deploy, upgrade or uninstall agents from a single location.
The Overview page provides a real-time stream of events based on a ‘favorite’ search definition. It also contains statistics about the events and the status information for the agents and the coordinator.
The Searches page contains a list of all the searches available. From this page you can run a search, create a customized search, enable/disable alerting and reporting for a search query.
A new Search Results page is created whenever a search is run. These pages contain a list of the events returned as a result of the selected search. From this page, you can also view the details of an event or the search properties used to return the displayed events.
The Alert History page is displayed when the Alert | History right-click command is selected for an alert-enabled search definition on the Searches page and includes details regarding the events that triggered the selected alert.
A new Report page is created whenever the Preview Report tool bar button is used on the Report tab (Search Properties tabs) for a search query. The Report page displays a rendering of the events returned as a result of the selected search.
A new Log page is created whenever one of the View Logs commands are selected and displays the event details recorded in the selected log.
The Agent Statistics page displays status and statistics for all installed agents.
The Coordinator Statistics page displays status for all installed coordinators.
The Administration Tasks tab allows you to perform a variety of administration tasks. Use the navigation pane in the left-hand pane to select the administrative task to be performed. See Administration Tasks for an overview of the tasks that can be performed using the Administration Tasks tab and the product license required to perform these tasks.

Customize table content

Previous Next

Customize table content

The contents of the various data grids displayed in the client can be sorted, rearranged, and grouped.

Sort data
Resize or move columns
Add or remove columns
Group data
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级