The Who tab contains the following information and controls:
Select this check box to prompt for the ‘who’ criteria when this search runs. That is, when you select Run, the Select Active Directory Object dialog is displayed allowing you to locate and select the users, computers, or groups to search.
Contains the individual users, computers and groups to include in the search (or exclude from the search if the Exclude the Following Selection(s) option is checked).
1. On the Who tab, click Add to add an active user, computer, or group to the ‘who’ list.
2. Click Add to add it to your selection list.
3. After selecting one or more directory objects, click Select to save your selection and close the dialog.
NOTE: You can use Add with Events (instead of Add) to select a user, computer, or group that already has an audit event associated with it in the database. The accounts available for selection are based on the ‘when’ clause (When tab) and the search limit (Info tab) specified for the current search.
Use this to search for events that are tied to users who have been removed from Active Directory.
4. Optionally, select Add | Administrator, select Yes or No to include or exclude users with the Administrator right, and click OK.
TIP: If you are running Active Roles or GPOADmin and want to include events generated by Active Roles or GPOADmin in the search, select the Include Event Source Initiator check box. For more information, see the Active Roles Integration or GPOADmin Integration sections in the Change Auditor Installation Guide.
NOTE: When using the Group option, the Group Membership Expansion option on the Coordinator Configuration page (on the Administration Tasks tab) must be set to Expand all groups.
3. After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘who’ list.
NOTE: You can use the Add with Events | Event Class command (instead of Add | Event Class) to select an entity that already has an event in the database.
2. On the Add Facilities or Event Classes dialog, select a single event, click Add, and select Add This Event or Add All Events in Facility.
• If the event has not been added to the Selections list box, click Add to add the event to the selection list.
• If the event was previously added to the Selections list box, click Update Restriction to update the restrictions for the event.
NOTE: You can also use the Shift and Ctrl keys to add multiple event classes to the selection list. However, the restrictions pane and the Add | Add All Events in Facility command are not available when multiple event classes are selected.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all event classes and facilities except those listed in the ‘what’ list.
NOTE: You can use the Add with Events | Subsystem | Local Account command (instead of Add | Subsystem | Local Account) to select an entity that already has an event in the database.
• All Objects - select this option to include all objects
• This Object - select this option to include individual objects
3. If you selected This Object, the data grid, which displays a list of all the users and groups in the local SAM databases on the selected Member Server, and associated buttons are enabled.
4. To add an account, select the account in the data grid and click Add to add it to the selection list at the bottom of the dialog. Repeat to add more accounts.
5. To replace an account in the selection list, select the ‘new’ account in the data grid, select the ‘old’ account in the selection list and click Update. The entry in the selection list is replaced with the ‘new’ account.
6. To select a local account on a different computer, click Browse to the right of the Account field. On the Select Active Directory Object dialog, use the Browse or Search pages to locate and select another computer.
7. Click Select to save your selection and close the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events generated by all local accounts except those listed in the ‘what’ list.
NOTE: Registry auditing is only available when you have applied custom Registry Auditing templates that define the registry changes to be audited. See Registry Auditing for more information about capturing registry events.
NOTE: You can use Add with Events | Subsystem | Registry (instead of Add | Subsystem | Registry) to select an entity that already has an event in the database.
• All Registry Keys — include all registry keys
• This Object — include only the selected objects
• This Object and Child Objects Only — include the selected objects and their direct child objects
• This Object and All Child Objects — include the selected objects and all subordinate objects (in all levels)
3. By default, All Actions is selected meaning that all the registry actions listed are included in the search definition. However, you can clear the All Actions option and select individual actions for auditing.
• All Actions — include all the actions. When this option is selected, all the other options are disabled. (Default)
• Add Value — include when a new value is added to the selected registry key.
• Delete Value — include when a registry key value is removed.
• Modify Value — include when a registry key value is modified.
• Add Key — include when a new registry key is added.
• Delete Key — include when a registry key is removed.
4. When a scope option other than All Registry Keys is selected, the registry key hierarchy is enabled allowing you to locate and select an individual registry key.
NOTE: If you selected Add With Events, the registry key hierarchy pane is replaced with a data grid listing the registry keys that have an event associated with them in the database.
5. To replace a registry key in the selection list, select the ‘new’ registry key in the hierarchy, select the ‘old’ key in the selection list and click Update. The entry in the selection list is replaced with the ‘new’ registry key.
6. To select a registry key on a different computer, click Browse to the right of the Path field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another computer.
7. Click Select to save your selection and close the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events in all registry keys except those listed in the ‘what’ list.
NOTE: Service auditing is only available when you have applied custom Service Auditing templates that define the services to audit. See Service Auditing for more information about capturing service events.
NOTE: You can use Add with Events | Subsystem | Service (instead of Add | Subsystem | Service) to select an entity that already has an event in the database.
2. On the Add Service dialog, select one or more services from the list at the top of the dialog and click Add to move them to the selection list box at the bottom of the page.
3. To select services on a different computer, click Browse to the right of the You are viewing services on field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another computer.
4. Click Select to save your selection and close the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events for all services except those listed in the ‘what’ list.
NOTE: You can use Add with Events | Severity (instead of Add | Severity) to select a severity that already has an event associated with it in the database.
2. On the Add Severities dialog, select one or more severity levels and click Add to add them to the selection list box at the bottom of the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all events except those assigned a severity level that is listed in the ‘what’ list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a severity every time the search is run. When this check box is checked, the data grid and buttons on this dialog are disabled.
NOTE: You can use Add with Events | Result (instead of Add | Result) to select an entity that already has an event associated with it in the database.
2. On the Add Results dialog, select one or more results (none, success, protected or failed) and use Add to add them to the selected list box at the bottom of the dialog.
NOTE: Select the Exclude The Above Selection(s) check box if you want to search for all events except those with the selected result.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a result every time the search is run. When this check box is checked, the data grid and buttons on this dialog are disabled.
The Where tab contains the following information and controls:
Select this check box to prompt for the ‘where’ criteria whenever the search is run. That is, when Run is selected, the Select Active Directory Objects dialog is displayed allowing you to locate and select the agents, domains, or sites to include in the search definition.
By default, all agents are included in a new search and therefore this list box is initially empty. Once criteria are selected, this list box contains the agents, domains, sites, and server type (if specified) to include in the search (or exclude from the search if the Exclude the Following Selection(s) option is checked).
3. Click Add to add your selection to the selection list box at the bottom of the page.
NOTE: You can use Add With Events (instead of Add) to select an agent, domain, or site which already has an event associated with it in the database.
3. After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘where’ list.
3. Click OK to close the dialog and add the server type to the ‘Where’ list.
Select this check box to prompt for the date and time interval whenever the search is run. That is, when Run is selected, the When dialog is displayed allowing you to specify the date and time range to be used in your search.
Select this check box and enter the date range.
Select this check box and click the arrow control to select the appropriate date and time interval:
Use this pane to specify a time range to further limit your search.
Use the arrow controls to select or enter the starting time for your time range. Only events that occurred at or after this time are included in the search.
• From/To - select this option and enter the date range to use.
• Last - select this option and the appropriate relative date and value (that is, number of minutes, hours, days, weeks, months, quarters, or years).
• This - select this option and click the arrow control to select the appropriate time interval (that is, Day, Week, or Month).