ChangeAuditor™ Administrator’s Guide
CA-AG-0808-470
Copyright © 2008 NetPro Computing, Inc.

Disclaimer

NetPro Computing, Inc. (NetPro) makes no representations or warranties, either expressed or implied, with respect to the adequacy of this documentation or the programs which it describes in regard to fitness for any particular purpose or with respect to its adequacy to produce any particular result. The computer programs and documentation are sold “as is”, and the entire risk as to quality and performance is with the buyer. In no event shall NetPro be liable for special, direct, indirect or consequential damages resulting from any defect in the programs, documentation or software. Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential damages, in which case the above limitations and exclusions may not apply to you.

Proprietary Rights

NetPro has prepared this document for use by NetPro personnel, agents, licensees and customers. The information contained in this document is the property of NetPro. You may not reproduce, translate, or transmit it in any form or by any means, electronically or mechanically, without prior written permission from NetPro.

Disclaimer of Liability

NetPro makes no representations or warranties of any kind, either expressed or implied, with respect to the contents of this manual, including but not limited to typographical errors and technical completeness. NetPro reserves the right to revise this publication and to make changes in its content without obligation to notify any person of such revision or changes.

Trademarks

NetPro Computing and NetPro are registered trademarks and ChangeAuditor and the NetPro logo are trademarks of NetPro Computing, Inc. Microsoft, Windows NT, Windows 2000, Windows Server 2003, Windows Server 2008 and Active Directory are either registered trademarks or trademarks of Microsoft Corporation.
Other product names mentioned in this manual may be trademarked; they are used for identification purposes only.

Document Revision History

CAAD-AG-0604-100   June 2004        ChangeAuditor 1.0
CAAD-AG-1204-200   December 2004    ChangeAuditor 2.0
CAAD-AG-0605-250   June 2005        ChangeAuditor 2.5
CAAD-AG-0905-260   September 2005   ChangeAuditor 2.6
CAAD-AG-0306-300   March 2006       ChangeAuditor 3.0
CA-AG-0706-330     July 2006        ChangeAuditor 3.3
CA-AG-0906-340     September 2006   ChangeAuditor 3.4
CA-AG-1206-350     December 2006    ChangeAuditor 3.5
CA-AG-0607-400     June 2007        ChangeAuditor 4.0
CA-AG-0807-410     August 2007      ChangeAuditor 4.1
CA-AG-1107-420     November 2007    ChangeAuditor 4.2
CA-AG-0308-450     March 2008       ChangeAuditor 4.5
CA-AG-0508-460     May 2008         ChangeAuditor 4.6
CA-AG-0808-470     August 2008      ChangeAuditor 4.7

NetPro Computing, Inc.
Corporate Office: 4747 N. 22nd Street, Suite 400, Phoenix, Arizona 85016 USA
Telephone: 602 346 3600
FAX: 602 346 3610
Email: info@netpro.com
Internet: http://www.netpro.com

Sales
USA and Canada: 800 998 5090
International: +1 602 346 3630

Worldwide Technical Support
USA: 1 602 346 3670
USA (Toll Free): 1 866 9 NETPRO
Germany: 0800 180 2577 0
UK: 0800 047 0197
France: 0800 917881
Australia: 1 800 773 850
Email: support@netpro.com

ChangeAuditor i

Table of Contents

Chapter 1: Introduction ..................................................... 1
    ChangeAuditor Benefits .................................................. 2
    ChangeAuditor Features .................................................. 3
    What’s New in 4.x ....................................................... 6
    System Overview ......................................................... 9
    What’s in this Manual .................................................. 11
    How to Get Additional Help ............................................. 13
Chapter 2: ChangeAuditor Client Overview ................................... 15
    Starting the Client .................................................... 16
    Managing Connection Profiles ........................................... 18
    Credentials Required Dialogs ........................................... 24
    Client Components ...................................................... 26
    Using the Object Picker ................................................ 38
    Customizing Table Content .............................................. 44
    Filtering Data ......................................................... 46
    Filtering Data in Expanded Views ....................................... 47
Chapter 3: ChangeAuditor Overview and Agent Statistics Pages ............... 49
    Overview Page .......................................................... 49
    Agent Statistics Page .................................................. 57
Chapter 4: Searches and Alerts ............................................. 61
    Viewing a List of Available Searches ................................... 62
    Creating New Custom Searches ........................................... 62
    Running Searches ....................................................... 63
    Running a Quick Search ................................................. 64
    Setting a Favorite Search .............................................. 64
    Enabling/Disabling Alerts .............................................. 65
    Viewing Alert History .................................................. 68
    Searches Page .......................................................... 69
    Search Properties - Who Tab Dialogs .................................... 96
    Search Properties - What Tab Dialogs ................................... 98
    Search Properties - Where Tab Dialogs ................................. 129
    Search Properties - Alert Tab Dialogs ................................. 131
    Alert History Page .................................................... 133
Chapter 5: Search Results ................................................. 135
    Viewing Results ....................................................... 136
    Viewing Event Details or Search Properties ............................ 137
    Previewing Search Results ............................................. 138
    Comparing Results Side-by-Side ........................................ 139
    Printing Search Results ............................................... 140
    Search Results Page ................................................... 141
Chapter 6: Custom Active Directory Auditing ............................... 153
    Enabling/Disabling Event Auditing ..................................... 154
    Audit Events Page ..................................................... 155
    Custom Active Directory Object Auditing ............................... 157
    Active Directory Auditing Page ........................................ 158
    Audited Active Directory Object Wizard ................................ 160
    Custom Attribute Auditing ............................................. 162
    Attribute Auditing Page ............................................... 163
    Member of Group Auditing .............................................. 165
    Member of Group Auditing Page ......................................... 165
Chapter 7: Exchange Mailbox Auditing ...................................... 167
    Defining Exchange Mailbox Auditing List ............................... 168
    Exchange Mailbox Auditing Page ........................................ 169
Chapter 8: File System Auditing ........................................... 171
    Creating File System Auditing Templates ............................... 172
    File System Auditing Page ............................................. 175
    File Auditing Wizard .................................................. 177
    File Auditing Configuration Dialog .................................... 185
Chapter 9: Registry Auditing .............................................. 187
    Creating Registry Auditing Templates .................................. 188
    Registry Auditing Page ................................................ 190
    Registry Auditing Wizard .............................................. 192
    Registry Auditing Configuration Dialog ................................ 195
Chapter 10: SQL Server Auditing ........................................... 197
    Creating SQL Server Auditing Templates ................................ 198
    SQL Server Auditing Page .............................................. 200
    SQL Auditing Wizard ................................................... 202
    SQL Auditing Configuration Dialog ..................................... 205
Chapter 11: Account Exclusion ............................................. 207
    Creating Excluded Accounts Templates .................................. 208
    Excluded Accounts Page ................................................ 209
    Excluded Accounts Wizard .............................................. 212
    Account Exclusion Configuration Dialog ................................ 214
Chapter 12: Agent Configurations .......................................... 217
    Defining Agent Configurations ......................................... 218
    Assigning Agent Configurations to Agents .............................. 219
    Agent Configuration Page .............................................. 219
    Configuration Setup Dialog ............................................ 221
Chapter 13: Repository Configuration ...................................... 229
    Configuring Email Notifications ....................................... 229
    Customizing Email Content ............................................. 230
    SMTP Configuration Pane ............................................... 231
    Group Membership Expansion Pane ....................................... 237
Chapter 14: Database Maintenance .......................................... 239
    Defining Database Maintenance Activities .............................. 240
    Database Maintenance Page ............................................. 241
    Database Maintenance Wizard ........................................... 243
Chapter 15: Generating and Publishing Reports ............................. 247
    Generating/Viewing Reports through the ChangeAuditor Client ........... 248
    Report Options Dialog ................................................. 249
    Report Page ........................................................... 250
    Publishing Reports to SRS ............................................. 252
    Create Report Dialog .................................................. 253
    Reporting Services Setup Dialog ....................................... 254
Appendix A: ChangeAuditor Email Tags ...................................... 257
Appendix B: System Tray Icons ............................................. 259
    Repository System Tray Icon ........................................... 260
    Agent System Tray Icon ................................................ 267
Appendix C: Disabled Events ............................................... 273
Index ..................................................................... 279

Chapter 1: Introduction

ChangeAuditor provides total auditing and security coverage for Microsoft infrastructure including Active Directory, File System, Exchange and SQL Server. ChangeAuditor audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know the Who, What, When, Where and Why of every change, plus the original and current values. Then automatically turn that information into intelligent, in-depth forensics for auditors and management -- and reduce the risks associated with day-to-day modifications.

• Audit all critical changes across your Microsoft environment including Active Directory, File System, Exchange and SQL Server.
• Automate ongoing compliance with tracking and reporting for compliance initiatives like SOX, HIPAA, GLBA and frameworks/standards such as COBIT, ISO 17799, FISMA and SAS 70.
• Speed troubleshooting through real-time insight into changes with a comprehensive audit library including built-in audit alerts, reports and powerful searches.
• Modular approach allows separate product deployment and management for key environments including Active Directory, File System, Exchange and SQL Server.

ChangeAuditor for Active Directory

ChangeAuditor for Active Directory drives the security and control of Active Directory by tracking all AD configuration changes in real time. From GPO and Schema to critical group and operational changes, ChangeAuditor tracks, audits, reports and alerts on the changes that impact your directory - without the overhead of native auditing. With ChangeAuditor for Active Directory, you’ll get the ‘5 Ws’ of change - who, what, when, where and why - and you’ll also capture details on previous and new change values.

ChangeAuditor for File System

ChangeAuditor for File System enables administrators to achieve the comprehensive auditing coverage of native tools without the mass of cumbersome data that native event logs generate. Granular selection allows the auditing scope to be set on an individual file or folder, or on an entire subtree, recursively or non-recursively. ChangeAuditor for File System also allows you to include or exclude certain files or folders from the audit scope in order to ensure a faster and more efficient audit process.

ChangeAuditor for Exchange

ChangeAuditor for Exchange proactively audits the activities taking place in your entire Exchange environment, then provides real-time, detailed alerts about vital changes that occur. Continually being in the know helps you to prove compliance, drive security, and improve uptime while proactively auditing changes to Exchange Server configurations and permissions.

ChangeAuditor for SQL

ChangeAuditor for SQL provides database auditing to secure SQL database assets with extensive, customizable auditing and reporting for all critical SQL Server changes including broker, database, object, performance, and transaction events, plus errors and warnings.
ChangeAuditor for SQL helps tighten enterprise-wide change and control policies by tracking user and administrator activity such as database additions and deletions, granting and removing SQL access, etc. With 24x7 real-time alerts and in-depth analysis and reporting capabilities, your infrastructure is always protected from exposure to suspicious behavior or unauthorized access and kept in compliance with corporate and government standards.

ChangeAuditor Benefits

Armed with ChangeAuditor and the change details it provides, companies can address unauthorized changes before they impact the security of the network environment. They can increase network service levels and reduce system degradation and downtime, driving the productivity of users by using ChangeAuditor to troubleshoot issues. Further, ChangeAuditor automates the time-consuming measurement and reporting tasks necessary to remain compliant with industry regulations. The following bullet points highlight the key benefits of using ChangeAuditor:

• Ensures a secure and compliant networking environment by tracking all critical Active Directory, Exchange, File System and SQL Server changes in real time.
• Enables enterprise-wide change management from a single client, providing the Who, What, Where, When and Why - in plain English, plus before and after values.
• Speeds troubleshooting through real-time insight into changes with a comprehensive audit library including built-in audit alerts, reports and powerful searches.
• Ease of use and a built-in knowledge base enable rapid deployment across an enterprise - in days versus weeks.
• Automates procedures to continually track and report on compliance initiatives such as SOX, HIPAA, GLBA and frameworks/standards such as COBIT, ISO 17799, FISMA or SAS 70.
• Drives availability and speeds Mean-Time-to-Repair by enabling proactive troubleshooting.
• Alerts when audit event patterns indicate potential security risks, with analysis of auditing data from multiple sources, proactive alerts, and intelligent audit event correlation.
• Enables streamlined Windows management through integration with Microsoft Operations Manager (MOM) and Microsoft System Center Operations Manager (SCOM).

ChangeAuditor Features

ChangeAuditor offers complete real-time change management to ensure a secure and controlled network. From raw data to intelligent, meaningful knowledge on the activities taking place in your environment, ChangeAuditor tells you the Who, What, Where, When and Why of each and every change as it occurs. You can then turn that information into intelligent, detailed reports for auditors and management, driving security and demonstrating compliance throughout your enterprise. The following paragraphs explain some of the key features available in ChangeAuditor:

Provides real-time auditing and reporting on all critical changes to Active Directory, File Systems, Exchange and SQL Server

ChangeAuditor provides extensive, customizable auditing and reporting for all critical configuration changes to Active Directory. You’ll get in-depth forensics on Who, What, When, Where and Why, plus the original and current values for all changes. With additional modules for File System, Exchange and SQL, ChangeAuditor gives you the power to audit your Windows network’s most visible and business-critical applications - all from a single client. With ChangeAuditor for File System, you can centralize the creation, deployment and enforcement of file system auditing throughout your entire enterprise. With ChangeAuditor for Exchange, you can detect the exact nature and location of changes to your Exchange environment, including administrative groups, distribution lists, permission tracking and security groups.
ChangeAuditor for SQL provides auditing and reporting for all critical SQL Server changes, including broker, database, object, performance, and transaction events, plus errors and warnings.

Details the Who, What, Where, When and Why, plus original and current values for all changes -- translated into plain English

ChangeAuditor helps you to understand exactly what type of change occurred and the most critical details about each change. ChangeAuditor identifies changes to critical components of the environment as they occur and provides the following information for each change:

• Who made the change
• What object was changed, including both the old and new values
• Where the change was made from (on which DC or member server)
• When the change was made
• Why the change was made

Extends audit visibility beyond native logs with coverage for Group Policy Objects and nested groups

Many administrators extend the functionality of Group Policy Objects (GPOs) by creating administrative templates. However, the native Windows auditing capability provided today gives no visibility into GPO setting changes or Administrative Template modifications. ChangeAuditor includes auditing capabilities for Group Policy Administrative Templates, enabling customers to collect all the forensic information for audited events.

Enables intelligent event consolidation and correlation

Once ChangeAuditor captures an audited event, it provides several flexible ways to generate meaningful reports. All audited event information is displayed in ChangeAuditor’s Client, and its ‘built-in’ reports provide views for the most common and complex requests. You can view configuration changes from a variety of perspectives. For example, you can view all changes at a particular site. You can view changes made during a specific time frame. Or, you can see the changes performed by a particular administrator.
You can even run detailed searches based on user-defined criteria and customize the report templates to fit the needs of your organization.

Audits all critical group and registry changes for any service running on a Domain Controller or File Server

ChangeAuditor detects when a member is added or removed from one of the following critical system groups: Server Operators, Print Operators, Network Configuration Operators, Incoming Forest Trust Builders, Backup Operators, Administrators, Account Operators, Cert Publishers, DHCP Administrators, Domain Admins, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, RAS and IAS Servers, and Schema Admins.

Integrates with SQL Reporting Services (SRS) for streamlined report generation and automated delivery

IT organizations need a robust auditing and reporting solution that produces customized reports with convenient delivery options. By adding support for Microsoft’s SQL 2005 Reporting Services, ChangeAuditor provides a comprehensive, server-based solution that enables the creation, management, and delivery of both traditional paper and interactive web-based reports. In this implementation, auditors, security officers and administrators do not need to traverse the various auditing solutions to create their desired reports. Instead, these users interact with a web-based reporting portal and simply subscribe to the reports they want to see consistently. For example:

• The security administrator generates a report containing all login activity for the past 24 hours, sorted by domain and then by domain controller.
• Using ChangeAuditor and SQL Reporting Services, the enterprise administrator simply creates the desired search criteria and exports the report to a website.
• The security administrator then simply subscribes to the desired report, and the data is delivered to his desktop.
Dispatches instant change alerts, as well as ‘Smart Alerts’ based on event patterns

ChangeAuditor can generate alerts when certain kinds of configuration changes occur. These alerts appear in the ChangeAuditor Client and are then dispatched to designated recipients via email (SMTP), SNMP traps or WMI events. Smart Alert Technology provides intelligent audited event correlation by notifying administrators when audited event patterns indicate potential security risks. Administrators can customize the Smart Alerts to match their security policies.

Smart Alert Technology Example: Organizations need to analyze audit data from multiple sources and receive proactive alerts to certain security risk conditions. Likewise, security administrators are responsible for protecting the enterprise against malicious attacks. ChangeAuditor alerts on correlated events in near real time, so if, for example, a privileged account is attempting to log on with a bad password at multiple machines within a predetermined time period, a proactive alert can be generated.

Features an extensive reporting library for compliance, security and operations

Organizations need to quickly produce reports to demonstrate fulfillment of each section of the regulations they are required to comply with. For instance, the auditor may need audit data to help him comply with Sarbanes-Oxley Section 404 Management Assessment of Internal Controls, Acquisition and Implementation, AI6 - Manage changes. By using the appropriate built-in search for that section of Sarbanes-Oxley, the auditor can easily select the date range and generate the data. Additional built-in reports have been added to support many of the compliance regulations, including:

• Sarbanes-Oxley
• SAS 70
• HIPAA
• GLBA
• ISO 17799
• FISMA

Captures all AD attributes with granular selection criteria for auditing and reporting

Organizations have and will continue to extend the Active Directory schema.
As applications leverage content stored in Active Directory to render web pages or grant access to web services, it is important to be able to audit changes to these extended schema attributes. ChangeAuditor will track changes to these attributes in real time, and it will also provide an intuitive interface to select the desired attributes while assigning the appropriate severity level and description.

Includes MOM (Microsoft Operations Manager) Management Pack for centralized alerting and analysis

ChangeAuditor includes an extremely efficient and robust MOM Management Pack which can be configured to complement MOM and send the ChangeAuditor audited events and alert information to the MOM console. ChangeAuditor aims to complement and extend the functionality of unattended monitoring solutions such as MOM.

What’s New in 4.x

ChangeAuditor includes a host of new features and important enhancements that are based, in large part, on customer feedback. These enhancements are reflected in all aspects of the product, including the File System, Exchange and SQL modules. The following feature descriptions provide details about each new feature and core benefit added to ChangeAuditor since 4.0.

Extensible Object Auditing

ChangeAuditor provides a simplified view of the history of Active Directory changes that is unparalleled in the industry. It also provides powerful flexibility for dynamically auditing a vast amount of changes, including Active Directory, Windows Registry, and Windows File System changes. And it delivers all of this information in ‘plain English,’ ensuring that interpretation of the information can be fast and efficient for the Administrator, regardless of how far reaching or dynamic the data is. ChangeAuditor 4.x provides more flexibility and agility in what users audit, more comprehensive coverage of audited events, and more dynamic information delivered in clear English translation.
Administrators will not sacrifice quality of output for quantity of data, as ChangeAuditor now ensures that Administrators get it all.

Local User and Group Auditing on Member Servers

ChangeAuditor adds extensive auditing coverage for users and groups on member servers, with over 45 new events for auditing local users and groups. Changes to local users and groups can dramatically impact security and business continuity by providing additional unauthorized access, or by removing required access. ChangeAuditor’s expanded Local User and Group auditing ensures that administrators can track, alert on, and identify these changes, providing unprecedented visibility into the changes that are made and the impact those changes have on the environment.

DNS Auditing

DNS-related changes have long been the top cause of Active Directory problems. When DNS issues crop up, they often take weeks or months to propagate and manifest, and often Administrators are unaware of their evolution over time until they degrade service to the point of interruption. ChangeAuditor 4.x features new DNS service and AD-integrated DNS Zone audited events, including the ability to audit DNS record changes, so that expanded auditing and alerting of DNS prevents issues from escalating.

Service Auditing

Windows Services are the backbone of applications and require frequent administrator actions. Changes can be simple, such as changing a startup type or service account password. But even a simple change can cause major issues; in this case it would render an application useless to its users. That’s why ChangeAuditor 4.x includes enhancements to its services auditing capabilities, including the ability to track who starts and stops a service.

Registry Auditing

The ability to audit registry settings improves operational efficiency dramatically.
For example, some applications such as virus scanning software modify registry keys when an update is installed. By capturing these change events proactively, Administrators can determine whether or not specific machines received an update. Furthermore, other applications may warrant tracking modifications to certain registry settings to ensure that they have not been tampered with. ChangeAuditor’s enhanced registry auditing feature allows Administrators to audit changes to a specific key, or to a key and its subkeys, by adding 11 new registry auditing events.

Database Maintenance Wizard (Archive and Purge)

The new database maintenance wizard includes both purge and archive options, providing Administrators with several options to perform both interactive and scheduled purge and/or archive actions. With automated database maintenance, Administrators can now keep their critical and relevant audit data online while archiving older data to an archive database. Audited events that are no longer required can be purged from the production database to keep it trim and current. This feature not only reduces storage space requirements for audit data, but it also increases overall operational efficiency by speeding up searches and data retrieval from the database.

Pre-Packaged SRS Reports

ChangeAuditor includes SRS reports that can be run from the ChangeAuditor client for the convenience of the Administrator and his/her manager. This reporting flexibility allows organizations to granularly discern which Business Units see which types of data and also to set custom criteria for the types of information shared in the report. For example, Administrators could pull reports highlighting how many times a particular event or category of events occurred in the last 30 days, or provide a more detailed accounting to articulate who made the changes, how many times, and the before and after values associated with those changes.
Whether for operations insight or security reporting for management, ChangeAuditor provides user-friendly reports that streamline reporting to meet any requirement. High Security Agents with Anti-Tampering ChangeAuditor provides unprecedented peace of mind by providing a watchful eye at all times. But, even with the implementation of an auditing tool, there still remains the question of, ‘What can be done to circumvent the solution? And is it really fool-proof?” ChangeAuditor’s high security agents with anti-tampering raise the bar, preventing the agent from being stopped by unauthorized users sitting at the console. So now, standard actions, such as ‘Stop Service’, ‘End Task’, or ‘Task Kill’ will not stop the agent from gathering the audit data that’s required. Rather, to unload the high security agent, the user will have to be on an authorized list to issue a stop command. Then when the agent is stopped, the solution immediately logs an event within ChangeAuditor regarding exactly who stopped and agent and when. Introduction 8 ChangeAuditor Preview Search/Alert Results NetPro conducted several usability studies and found that customers modify a search/alert three times on the average. To reduce the time required for dialog reopens, we have moved the criteria definition in-line with the results. This modification enables Administrators to preview and modify the results without having to close and reopen multiple dialogs as in the past. Alert Enabled Searches Previous versions of ChangeAuditor provided custom searches and alerts, but we found that many customers were duplicating efforts by building searches that matched defined alerts already included in the product and every time they modified one, they were duplicating their search efforts. In ChangeAuditor 4.x, searches and alerts are a single item and each search can be alert-enabled such that a single item provides dual value and single point of management. 
Side-by-Side Results Compare Previous versions of ChangeAuditor had a single refresh interval for all searches. With version 4.x, Administrators can run two searches side-by-side simultaneously. In a data center or NOC operation model, Administrators could have one search showing all events while another parallel search focusing on critical changes such as Group Policy or Enterprise level changes both on the same screen running at separate refresh intervals. Customizable Overview Page The goal of the Overview Page is to provide users with instant access to valuable information about the application. ChangeAuditor now provides customizable views on the Overview Page to highlight application details based on the preference of the user. For example, Administrators can set a real-time stream based on existing user-defined search. It’s as simple as creating and saving a search as a favorite and customizing the Overview Page to highlight that preferred view. More Agent Statistics Available in Client Agent statistics have always been available for each ChangeAuditor Agent. However, in order to access the statistics, the user was required to be on the agent machine. Based on the most common usage, the new ChangeAuditor makes the most commonly requested statistics available from the ChangeAuditor Client, including everything from unsent events and uptime to security mode details. File System Auditing ChangeAuditor for File System 4.x offers expanded File System coverage to include auditing whenever a file or folder is read or opened. Granular selection allows the auditing scope to be set on an individual file or folder as well as the entire subtree recursive or nonrecursive. The new wizard also allows Administrators to include or exclude certain files or folders from the audit scope in order to ensure a faster and more efficient audit process. 
Exchange Auditing The ChangeAuditor for Exchange module has expanded its Exchange coverage to proactively audit the activities taking place in your entire Exchange environment. Introduction ChangeAuditor 9 SQL Server Auditing New in ChangeAuditor 4.5, the ChangeAuditor for SQL module provides database auditing to secure SQL database assets with extensive, customizable auditing and reporting for all critical SQL Server changes including broker, database, object, performance, and transaction events, plus errors, warnings and more. ChangeAuditor 4.6 provides even more SQL Server auditing including events such as drop database, adding logins to server roles, database deletions, and audit add login and adding members to database roles. SCOM Management Pack With the release of ChangeAuditor 4.5, ChangeAuditor’s centralized alerting and analysis has been expanded to allow audit events to be sent and managed via the SCOM console. Local Exchange Auditing Covering Owner and Non-Owner Mailboxes ChangeAuditor 4.6 provides information on administrators and users who have gained access into another users’ mailbox, allowing organizations to quickly learn who accessed, deleted, copied, moved or created emails from that mailbox. ChangeAuditor now provides in-depth auditing and tracking of owner mailboxes to ensure internal policies are being met. Clustered Configurations Support With the release of ChangeAuditor 4.6, ChangeAuditor now supports clustered configurations for Exchange 2000, 2003 and 2007. Microsoft clustered services are now fully supported for File System, SQL and Exchange auditing. Member of Group Auditing With the release of ChangeAuditor 4.7, ChangeAuditor can now audit individual users based on their group membership instead of the default which is to audit all users. System Overview ChangeAuditor is based on a three component architecture model consisting of a Client, Repository and Agent(s). 
The basic overall operation of ChangeAuditor is quite simple:

• A ChangeAuditor Agent (a.k.a. NetPro Compliance Agent) is deployed to all servers (domain controllers and member servers), tracking configuration changes in real time. When a change is made on a server running an agent, the change information (audited event) is captured by the agent and forwarded to the ChangeAuditor Repository.
• The ChangeAuditor Repository collects these audited events from the agent(s) and stores them in a SQL database. The ChangeAuditor Repository is also responsible for fulfilling client requests. ChangeAuditor allows you to install multiple repositories in a single forest.
• The ChangeAuditor Client connects directly to the ChangeAuditor database and is the user interface that provides immediate access to key configuration change information. From the ChangeAuditor Client, you can execute searches, define customized searches to return specific events, view the search results, perform various administrative tasks including scheduling database maintenance, view agent statistics, etc.
• In addition, based on user-defined criteria, ChangeAuditor can dispatch instant change alerts to administrators via email (SMTP), SNMP or WMI events.

NOTE: The Direct SQL Connection option is selected by default and instructs NetPro Compliance Agents to forward their audited events directly to the SQL database, rather than going through the ChangeAuditor Repository service. This is the recommended connection method for increased performance in high volume audit event environments. However, using this option requires the appropriate Microsoft SQL licensing. This setting can be changed using the Configuration Setup dialog from within the ChangeAuditor Client (Agent Configuration page on the Administration Tasks tab).

What’s in this Manual

This manual assumes you have a working knowledge of Active Directory. It consists of the following chapters:

Introduction
This chapter introduces the ChangeAuditor product, listing what’s new in this release, highlighting its key features and benefits and providing a system overview of the product. It also describes the contents of this manual and information on obtaining additional assistance from NetPro.

Client Overview
Chapter 2 describes the layout of the client and the commands and pages used to perform the various auditing functions available through the ChangeAuditor Client. This chapter also explains how to start the client and manage connection profiles.

ChangeAuditor Overview and Agent Statistics Pages
Chapter 3 describes the Overview and the Agent Statistics pages, which provide current information and statistics about ChangeAuditor and the agents running ChangeAuditor.

Searches and Alerts
Chapter 4 explains how to use the Searches page to create custom searches, run searches, enable alerting and view alert history. In addition, this chapter provides a detailed description of the Searches page, its components (including the Search Properties tabs), as well as the commands and additional dialogs that can be accessed through this page.

Search Results
Chapter 5 provides a detailed description of a Search Results page and the various tasks that can be performed from this page, such as viewing results, viewing event details, previewing search results, comparing results side-by-side, and printing the search results. It also provides a detailed description of all the components on a Search Results page.

Custom Active Directory Auditing
Chapter 6 covers the custom auditing features available through the Administration Tasks tab, including how to customize auditing for Active Directory objects and schema attributes, how to limit user object class auditing to users based on their group membership, and how to enable or disable event auditing and modify an event’s severity level or event class description. This chapter also provides a detailed description of the Audit Events, Active Directory Auditing, Attribute Auditing and Member of Group Auditing pages as well as the tasks that can be performed using these pages.

Exchange Mailbox Auditing
Chapter 7 provides instructions on how to create an Exchange Mailbox auditing list, which defines what directory objects’ mailbox activities are to be audited by ChangeAuditor. It also provides a description of the Exchange Mailbox Auditing page.

NOTE: Exchange auditing is only available if you have licensed the ChangeAuditor for Exchange add-on module. Please contact your NetPro sales representative for more information.

File System Auditing
Chapter 8 provides instructions on how to create File System Auditing templates to define the file(s)/folder(s) and operations to be audited. It also provides a detailed description of the File System Auditing page, File Auditing wizard and File Auditing Configuration dialog.

NOTE: File System auditing is only available if you have licensed the ChangeAuditor for File System add-on module. Please contact your NetPro sales representative for more information.

Registry Auditing
Chapter 9 provides instructions for creating Registry Auditing templates to define the registry key(s) and value(s) to be audited. It also provides a detailed description of the Registry Auditing page, Registry Auditing wizard and Registry Auditing Configuration dialog.

SQL Server Auditing
Chapter 10 provides instructions for creating SQL Server Auditing templates to specify the SQL instance(s) and events to be audited. It also provides a detailed description of the SQL Server Auditing page, SQL Auditing wizard, and SQL Auditing Configuration dialog.

NOTE: SQL Server auditing is only available if you have licensed the ChangeAuditor for SQL add-on module. Please contact your NetPro sales representative for more information.

Account Exclusion
Chapter 11 provides instructions on how to create Excluded Accounts templates to define the user or computer accounts that are to be excluded from the auditing process. It also provides a detailed description of the Excluded Accounts page, Excluded Accounts wizard, and Account Exclusion Configuration dialog.

Agent Configuration
Chapter 12 describes the agent configuration tasks that can be performed, such as defining and assigning agent configurations to agents, from the Agent Configuration page on the Administration Tasks tab. It also provides a detailed description of the Agent Configuration page and the Configuration Setup dialog.

Repository Configuration
Chapter 13 provides a detailed description of the Repository Configuration page on the Administration Tasks tab and the tasks that can be performed from that page, e.g., configuring email for receiving change alerts and defining the schedule for expanding nested membership of groups referenced in Searches or defined in the Member of Group feature.

Database Maintenance
Chapter 14 walks you through the Database Maintenance wizard, which is accessed through the Database Maintenance page, to define the maintenance activities to be performed and to schedule maintenance.

Generating and Publishing Reports
Chapter 15 explains how to generate and view the SRS rendering of audited events returned for a search or built-in report through the ChangeAuditor Client. It also explains how to create reports that can be published to and accessed from SQL Server Reporting Services (SRS).

Appendix A: ChangeAuditor Email Tags
Appendix A provides a list of the email tags used in the Alert Body Setup dialog to define the main body and event details to be included in alert emails.

Appendix B: System Tray Icons
Appendix B describes the system tray icons available for the repository and agent, which can be used to enable/disable the service and display the current status of the service. It also explains the Database Configuration utility, which can also be accessed through the repository system tray icon.

Appendix C: Disabled Events
Appendix C provides a complete list of the event classes (and the ChangeAuditor facility to which they belong) that are disabled by default in ChangeAuditor.

Index
The Index provides an alphabetical subject listing for the contents of this manual.

How to Get Additional Help

NetPro offers a variety of ways to get additional help:

• My.netpro.com enables you to perform many tasks that you may have once conducted with the help of a NetPro representative.
• 24x7 Technical Support is available through an annual Software Maintenance Contract.
• NetPro Professional Services offers a range of professional services to help you through every stage of your technology lifecycle.

My.netpro.com

NetPro’s customer portal site enables you to perform many tasks that you may have once conducted with the help of a NetPro representative. Now, you can do them all on the customer section of our website -- https://my.netpro.com. My.netpro.com was designed to provide you with the best possible service and deliver it conveniently and quickly -- when you need it. Here’s what you can do on my.netpro.com:

• submit and update support incidents
• view your product purchases
• view your maintenance purchases
• subscribe and/or unsubscribe from NetPro’s news list(s)
• request product information and literature
• request product evaluation software
• search our technical support knowledge base
• sign up to participate in the NetPro Beta Program

https://my.netpro.com is a completely secure site and you will need login credentials to access the area each time you visit. On your first visit, you will create the credentials to be used every time you return to the site.

24x7 Live Technical Support

NetPro offers industry-leading technical support every business day throughout North America and Europe. NetPro’s qualified support technicians can be reached at the addresses and numbers listed below:

NetPro
4747 N. 22nd Street, Suite 400
Phoenix, Arizona (USA) 85016
U.S.: 1 602 346 3670 or Toll Free 1 866 9 NETPRO
Germany: 0800 180 2577
UK: 0 0800 047 0197
France: 0800 917881
Australia: 1 800 773 850
FAX: 1 602 346 3610
Email: support@netpro.com

Professional Services

NetPro service professionals leverage proven methodologies, industry best practices, and more than 30 years of combined Microsoft management experience to help organizations reach their business-critical goals. To help you get the most from our solutions, NetPro Professional Services offers help with:

• Deployment: Choose QuickDeploy for a rapid return on investment or CustomDeploy for end-to-end phased delivery of NetPro solutions based on your specific business needs.
• Reporting & Analysis: If you’re looking for specific executive, operational, or compliance reports, we’ll deliver business intelligence tailored to your organizational needs.
• Optimization: Make sure you’re getting maximum value from NetPro solutions with help for everything from optimizing your current solution to product training.

To learn more about NetPro Professional Services, please contact your NetPro sales representative or sales@netpro.com.

Chapter 2: ChangeAuditor Client Overview

The ChangeAuditor Client connects to the ChangeAuditor database and provides access to key configuration change information.
From the ChangeAuditor Client you can perform the following tasks:

• view audited events for built-in reports
• define custom search criteria and run searches
• view search results, event details and search properties
• preview search results
• compare results side-by-side
• print search result reports
• enable/disable alerts and configure alert notifications
• view alert history
• enable/disable custom Active Directory object auditing
• define custom attribute auditing
• define a Member of Group auditing list to specify the users to be audited based on their group membership
• define an Exchange Mailbox auditing list to specify what directory objects’ mailbox activities are to be audited
• define File System Auditing templates to define files/folders for auditing
• define Registry Auditing templates to define registry keys for auditing
• define SQL Server Auditing templates to define SQL instances for auditing
• define Excluded Accounts templates to define accounts to be excluded from auditing
• access the online knowledge base for more information about an event
• define and assign agent configurations
• configure the repository for email notification and group expansion
• define database maintenance
• generate and publish reports

This chapter describes the layout of the client as well as the commands and pages available to perform the tasks mentioned above. For more detailed information on the tasks that can be performed and a detailed description of these pages, see the appropriate chapter in this guide.

Starting the Client

The following conditions must be met for a client to properly connect:

• Communications are successful, meaning the Repository service is running and has a valid SCP listening port (no firewall implications). If this condition fails, the ChangeAuditor Client will display an error dialog stating the appropriate issue.
• The current authenticated user running the ChangeAuditor Client has the proper credentials for accessing the ChangeAuditor Repository service. If this condition fails, the client will display the Repository Credentials Required dialog allowing you to enter the proper logon credentials to access the ChangeAuditor Repository.
• The current authenticated user running the ChangeAuditor Client has the proper SQL credentials for accessing the SQL database. If this condition fails, the client will display the Database Credentials Required dialog allowing you to enter the proper logon credentials to access the SQL database.
• The current authenticated user is a member of either the ChangeAuditor Administrators or ChangeAuditor Operators AD group. If this condition fails, the ChangeAuditor Client will display an error dialog stating the appropriate issue.

To launch the ChangeAuditor Client:

1. Select Start | All Programs | NetPro | ChangeAuditor | ChangeAuditor Client. When you launch the ChangeAuditor Client, the client will display the Connection Profile dialog allowing you to connect to the ‘Default Connection’ profile or define/specify a different connection profile. A connection profile defines the connection method to be used to connect to a ChangeAuditor Repository in trusted or untrusted forests, or to the database directly without connecting with the ChangeAuditor Repository. See Managing Connection Profiles on page 18 for more information on defining connection profiles.
2. Initially, select the Connect button to use the Default Connection profile. After you have defined alternate connection profiles, select the appropriate profile from the drop-down list and select Connect.
3. If you do not have the proper credentials required for access, the appropriate credentials dialogs will be displayed allowing you to enter the required credentials.
4. Once connected, you will be presented with the Overview page of the ChangeAuditor Client, which provides a real-time stream of events based on a ‘favorite’ search definition as well as other valuable summary information about the application.

Connection Profile Dialog

The Connection Profile dialog allows you to specify the connection profile to be used to connect to the ChangeAuditor Repository or directly to the SQL database. This dialog is displayed when the client is launched or when the Connect button or File | Connect menu command is selected. The Connection Profile dialog consists of the following controls:

Profile
If communications are successful, meaning the repository service is running and has a valid SCP listening port, the ‘Default Connection’ profile will be displayed in this text box. You can either choose to connect to the repository using the default profile or, if you have other connection profiles defined, select a different connection profile from the drop-down list. If the ‘Default Connection’ profile is not displayed and you have not defined any connection profiles, select the Manage button to define a new connection profile.

Auto Connect
Select (check) the Auto Connect check box to automatically connect to the currently displayed connection profile the next time the ChangeAuditor Client is launched. When this option is selected, this dialog will be briefly displayed when the ChangeAuditor Client is launched; however, no action is required on your part. You can turn the Auto Connect option off (and on) using the Action | Auto Connect menu command.

Connect
After selecting a connection profile from the list box, select the Connect button to connect to the specified repository.

Cancel
Use the Cancel button to close the dialog without connecting to the specified repository.
Manage
Use the Manage button to display the Manage Connection Profiles dialog where you can add new profiles, delete or edit profiles and clear the saved logon credentials.

Managing Connection Profiles

ChangeAuditor allows you to manage ChangeAuditor in the same forest or in a different forest from a single ChangeAuditor Client. With cross-forest support, you can connect to the repository service or the database in many ways. ChangeAuditor provides the ability to define connection profiles which can then be used to connect to a ChangeAuditor Repository in trusted or untrusted forests, or to connect to the database directly without connecting with the ChangeAuditor Repository.

To define a new connection profile:

1. On the Connection Profile dialog, select the Manage button.
2. The Manage Connection Profiles dialog will be displayed. On this dialog, select the Add button to launch the Connection wizard, which will step you through the process of defining a new profile.
3. On the first page of the wizard, select the connection method to be used. The connection methods available include:
   • Forest - use this method to connect to a repository in a trusted forest.
   • Global Catalog - use this method to connect to a repository in an untrusted forest.
   • Manual - use this method to connect to a ChangeAuditor repository server located in a different Active Directory forest than the client.
   • Database Direct - use this method to bypass the repository and connect directly to the ChangeAuditor database. (Note: The Administration Tasks tab is not available when using this connection method.)
4. Depending on the connection method selected, enter the requested information:
   • Forest - select the SCP to be used.
   • Global Catalog - select the SCP to be used.
   • Manual - enter the fully-qualified domain name or IP address of the server where the repository resides and specify the port number assigned to the repository. Optionally, enter the realm (typically the fully-qualified domain name of the target server).
   • Database Direct - select the server (name or IP address) and SQL instance for the ChangeAuditor database. Enter the name of the database.
5. On the last page of the wizard, review the connection profile details, name the profile and select the Test button to test the new connection profile. Select the Finish button to close the Connection wizard.
6. Back on the Manage Connection Profiles dialog, the new connection profile will be added to the list box. Select Save to save the new profile and close the Manage Connection Profiles dialog.
7. To use this new connection profile, select it from the drop-down list on the Connection Profile dialog and select the Connect button.
8. If you do not have the proper credentials required for access, the appropriate credentials dialogs will be displayed allowing you to enter the appropriate credentials.

Manage Connection Profiles Dialog

The Manage Connection Profiles dialog is displayed when the Manage button at the bottom of the ChangeAuditor Connection Profile dialog is selected. From this dialog, you can add new connection profiles, edit or delete connection profiles and clear saved logon credentials.

Connection Profiles
Displays a list of previously defined connection profiles. Selecting/highlighting a profile in this list box will display additional details (such as the forest name, repository name, port number, and SPN) for the selected connection profile.

Add
Use the Add button to create a new connection profile. Selecting this button will launch the Connection wizard, which steps you through the process of creating a new connection profile.

Delete
Use the Delete button to remove the selected connection profile from the list box.

Edit
Use the Edit button to modify the selected connection profile.
Selecting this button will display the Connection wizard allowing you to modify the settings for the selected connection profile. Clear Creds Use the Clear Creds button to clear the saved logon credentials allowing you to use a different set of credentials for accessing the repository. ChangeAuditor Client Overview 20 ChangeAuditor Save Use the Save button to save the new profile or the changes made to an existing profile. Cancel Use the Cancel button to close the dialog without saving your new/modified profile. Connection Wizard The Connection wizard is launched when the Add button at the bottom of the Manage Connection Profiles dialog is selected. This wizard will step you through the process of defining a new connection profile. ChangeAuditor Environment Page The ChangeAuditor Environment page is the first page of the Connection wizard. From this page, select the connection method to be used. Forest Select this option to locate a ChangeAuditor service in a trusted forest. By default the local forest will be displayed, however, you can enter the name of a different trusted forest that has access to a DNS server and can be resolved. NOTE: You can NOT enter an IP address in this field. Global Catalog Select this option to connect to a ChangeAuditor service in an untrusted forest and enter the name or IP address of the global catalog to be used. NOTE: You must use SQL authentication when connecting to an untrusted forest. Manual Select this option to manually specify the IP address of the server and the port number assigned to the repository. ChangeAuditor Client Overview ChangeAuditor 21 Database Direct Select this option to connect to the ChangeAuditor database directly without going through the repository and enter the requested information. NOTE: When using the Database Direct option, the Administration Tasks tab is not available in the ChangeAuditor client. 
When this option is selected, an additional page will be displayed requesting information about the ChangeAuditor database. ChangeAuditor Server (\SQL Instance) Enter or use the Browse button to select the server (name or IP address) and the SQL instance for the ChangeAuditor database. ChangeAuditor Database Enter the name of the ChangeAuditor database. After selecting the connection method and entering the requested information, select Next to continue. Depending on the option selected, additional information will be requested on subsequent pages. Also, if different logon credentials are required for access, the appropriate credentials dialog will be displayed allowing you to enter the appropriate credentials. Connect to a ChangeAuditor Repository(s) Page This page is displayed after you have selected the connection method to be used. The information required to be entered on this page is based on the connection method selected on the previous page. ChangeAuditor Client Overview 22 ChangeAuditor Forest or Global Catalog Service Connection Point When the Forest or Global Catalog options are selected on the previous page, this list box displays the service connection points (SCPs) available for use. Select the SCP to be used from this list. Manual Repository DNS/IP Address If you selected the Manual option on the previous page, enter the fully-qualified domain name of the server or IP address where the repository resides. ChangeAuditor Client Overview ChangeAuditor 23 Repository Kerberos Realm (optional) If you selected the Manual option on the previous page, you can optionally use the Realm field to specify a ChangeAuditor repository server located in a different Active Directory forest than the client. Typically, the realm is the same as the fully-qualified domain name of the target server. However, the realm can have a different value, so please consult your network administrator for the correct value. 
Repository Port If you have selected the Manual option on the previous page, enter the specific port number assigned to the repository. After entering the requested information, select the Next button to see a preview of the new connection profile. Connection Profile Summary Page The Connection Profile Summary page is the last page of the Connection wizard. From this dialog, review the connection profile details, name your profile and/or test your new connection profile. Profile Summary This portion of the page displays the settings defined on the previous pages of the wizard. The content will depend upon the connection method selected. The information displayed may include: • Global Catalog • Repository • Port • SPN • ChangeAuditor Repository server/instance ChangeAuditor Client Overview 24 ChangeAuditor Connection Profile Name Enter a descriptive name to be assigned to the new connection profile. Test Connection Profile Select this button to test the settings defined in the connection profile. Credentials Required Dialogs The current authenticated user running the ChangeAuditor Client must have the proper credentials for access or an additional dialog will be displayed allowing you to enter the proper credentials: • The current authenticated user has the proper credentials for accessing the ChangeAuditor Repository service. If this condition fails, the client will display the Repository Credentials Required dialog allowing you to enter the proper logon credentials to access the ChangeAuditor Repository service. • The current authenticated user has the proper SQL credentials for accessing the SQL database. If this condition fails, the client will display the Database Credentials Required dialog allowing you to enter the proper logon credentials to access the SQL database. 
Database Credentials Required Dialog
The Database Credentials Required dialog is displayed when the current authenticated user running the ChangeAuditor Client does not have the proper SQL credentials for accessing the SQL database. From this dialog, enter the SQL credentials to be used to access the database.

Windows Authentication
Select this option to use Windows Integrated Authentication to access the SQL database. When selected, enter the Windows credentials to be used to log onto the specified SQL server.

SQL Server Authentication
Select this option to use SQL Server Authentication to access the SQL database. When selected, enter the SQL credentials to be used to log onto the specified SQL server.

Server
This is a read-only field that displays the IP address/name of the SQL server.

User
Enter the name of the user to be used to access the designated SQL server instance.

Password
Enter the password associated with the user account entered above.

Domain
Enter the domain name for the account to be used to access the designated SQL server instance. (N/A for SQL Server Authentication.)

Remember Creds
Select (check) this check box to cache the logon credentials entered so they can be used for subsequent authentications to the SQL database.
NOTE: You can clear these saved credentials by selecting the Action | Clear Saved Logon Credentials command or by selecting the Clear Creds button on the Manage Connection Profiles dialog. Clearing the cached logon credentials on the current workstation allows you to use a different set of credentials for accessing the SQL database.

OK
Use the OK button to use the entered credentials to access the SQL database.

Cancel
Use the Cancel button to close the dialog without accessing the SQL database.

Repository Credentials Required Dialog
The Repository Credentials Required dialog is displayed when the current authenticated user running the ChangeAuditor Client does not have the proper credentials for accessing the ChangeAuditor Repository service. From this dialog, enter the proper credentials for accessing this service.

Server
This read-only field displays the IP address/name of the server where the ChangeAuditor Repository resides.

User
Enter the name of the user to be used to access the designated server.

Password
Enter the password associated with the user account entered above.

Domain
Enter the domain name for the account to be used to access the designated server.

Remember Creds
Select (check) this check box to cache the logon credentials entered so they can be used for subsequent authentications to the ChangeAuditor Repository.
NOTE: You can clear these saved credentials by selecting the Action | Clear Saved Logon Credentials command or by selecting the Clear Creds button on the Manage Connection Profiles dialog. Clearing the cached logon credentials on the current workstation allows you to use a different set of credentials for accessing the repository.

OK
Use the OK button to use the entered credentials to access the ChangeAuditor Repository.

Cancel
Use the Cancel button to close the dialog without accessing the ChangeAuditor Repository.

Client Components
Once a successful connection has been established, the client will be displayed. The ChangeAuditor client display contains the following main components:
• Title Bar - located across the top of the screen; displays the name of the forest and the installation name to which you are currently connected.
• Menu Bar - located directly below the title bar; displays the menus for accessing ChangeAuditor commands.
• Tabbed Pages - displayed below the menu bar; used to navigate through ChangeAuditor.
The pages that can be displayed include:
• The Overview page is initially displayed when the client is started and provides a real-time stream of events based on a ‘favorite’ search definition. It also contains statistics about the audited events and status information for the NetPro Compliance Agents and the ChangeAuditor Repository.
• The Searches page is also initially displayed when the client is started and contains a list of all the searches available. From this page you can run a search, create a customized search, and enable/disable alerting.
• A new Search Results page is created whenever a search is run. These pages contain a list of the events returned as a result of the selected search.
• A new Report page is created whenever the Run Local Report right-click command is selected for a search or built-in report. The Report page displays an SRS rendering of the events returned as a result of the selected search or specified built-in report.
• The Agent Statistics page is displayed when the View | Agent Statistics menu command is selected. This page displays status and statistics for all installed agents.
• The Administration Tasks tab is displayed when the View | Administration menu command is selected. From this page, you can perform the following tasks:
  • define and assign agent configurations
  • configure repository email notifications
  • define group expansion
  • define database maintenance activities
  • enable/disable event auditing and modify an event’s severity level or description
  • define custom Active Directory object class auditing
  • define custom attribute auditing
  • define a Member of Group auditing list to specify the users to be audited based on their group membership
  • define an Exchange Mailbox auditing list to specify what directory objects’ mailbox activities are to be audited
  • create File System Auditing templates to define the files/folders to be audited
  • create Registry Auditing templates to define the registry keys to be audited
  • create SQL Server Auditing templates to specify the SQL instances to be audited
  • create Excluded Accounts templates to define individual accounts that are to be excluded from ChangeAuditor auditing

Menu Bar
The ChangeAuditor menus follow the same convention as standard Windows menus. That is, commands are grouped under a menu on the menu bar. Some of these commands perform an action immediately; others display an additional dialog or launch a wizard where you select various options or specify additional information. The following sections describe the commands under each of the ChangeAuditor menus.

File Menu
Use the File menu commands to connect to or disconnect from a ChangeAuditor repository, print or export search results, or exit the ChangeAuditor Client.

Connect
Use the Connect command to display the Connection Profile dialog to select the connection profile to be used to connect to a ChangeAuditor Repository. This command is only available when the client is disconnected from a repository.

Disconnect (Ctrl + D)
Use the Disconnect command to disconnect from the current repository.
Print (Ctrl + P)
Use the Print command to send the contents of the displayed page to the designated printer. When you select this command, the native Print dialog will be displayed allowing you to specify various print options. This command is not available when the Searches page is being displayed.

Print to File (Ctrl + Shift + F)
Use the Print to File command to save the contents of the displayed page to either an Excel (.xls) or Comma Delimited (.csv) file. When you select this command, the native Save As dialog will be displayed allowing you to specify the location, file name and type of file to be created. This command is not available when the Searches page is being displayed.

Print Preview (Ctrl + Shift + P)
Use the Print Preview command to preview the contents of the displayed page prior to printing it. This command is not available when the Searches page is being displayed.

Page Setup (Ctrl + Shift + U)
Use the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog allowing you to define the paper, page orientation and margins. This command is not available when the Searches page is being displayed.

Exit (Ctrl + Q)
Use the Exit command to close the ChangeAuditor Client.

Edit Menu
Use the Edit menu commands to manage your searches and folders on the Searches page of the ChangeAuditor Client. These commands are only available when a search or folder is selected on the Searches page.

Cut (Ctrl + X)
Use the Cut command to move the selected item (folder or search definition) to a different location in the ChangeAuditor explorer on the Searches page. Once cut, this item can then be pasted (or moved) to another location.

Copy (Ctrl + C)
Use the Copy command to copy the selected item (folder or search definition) to another location in the ChangeAuditor explorer on the Searches page. Once copied, a copy of this item can be pasted to another location.

Paste (Ctrl + V)
Use the Paste command to paste the contents of the clipboard (folder or search definition) to the selected location.

Delete
Use the Delete command to remove the selected user-defined item (folder or search definition).

Move
Use the Move command to move the selected item (folder or search definition) to another location in the ChangeAuditor explorer view on the Searches page. Selecting this command will display the Select the Destination Folder dialog allowing you to select the new location.

Action Menu
Use the Action menu commands to perform the following tasks:

Refresh (F5)
Use the Refresh command to retrieve and redisplay current data.

Autofit Columns to Contents (Ctrl + F)
Use the Autofit Columns to Contents command to resize the columns based on their content, which will eliminate the scroll bars.

Reset Display
Use the Reset Display command to close multiple client windows and return to a single client window.

Use Offline Knowledge Base
The Use Offline Knowledge Base command allows you to access a local version of the ChangeAuditor Knowledge Base. A depressed icon denotes that the offline knowledge base will be used.
NOTE: To install the offline knowledge base, use the NetPro ChangeAuditor Offline Knowledge Base.msi file. Please refer to Chapter 3 in the ChangeAuditor Installation Guide for more information on installing the offline knowledge base.

Show XML Tab
Use the Show XML Tab command to display the XML tab, which displays the XML representation of the selected search criteria. This command is only available from the Searches page and a Search Results page. The XML tab will be displayed at the end of the Search Properties tabs along the bottom of the page.

Show SQL Tab
Use the Show SQL Tab command to display the SQL tab, which displays the SQL query built to run the selected search. This command is only available from the Searches page and a Search Results page. The SQL tab will be displayed at the end of the Search Properties tabs along the bottom of the page.

Show Advanced Tab
Use the Show Advanced Tab command to display the Advanced tab, which provides options for defining the data (columns) to be retrieved from the database and displayed in the client. This command is only available from the Searches page and a Search Results page. The Advanced tab will be displayed at the end of the Search Properties tabs along the bottom of the page.

Auto Connect
Use the Auto Connect command to enable or disable the auto connect feature. When enabled, the Connection Profile dialog will not be displayed when the client is launched. Instead, the previously specified connection profile will automatically be used to connect to the repository.

Clear Saved Logon Credentials
Use the Clear Saved Logon Credentials command to clear the cached logon credentials used to access the SQL database. When the Remember Password credentials check box is checked on the ChangeAuditor Login dialog, the logon credentials used are cached on the current workstation and used for subsequent authentication to the SQL database. This command will clear the cached credentials on the current workstation, allowing you to use a different set of credentials for accessing the SQL database.

View Menu
Use the View menu commands to specify the ChangeAuditor Client page to be displayed.
Overview (F9)
Use the Overview command to display the Overview page, which displays the results of your favorite search as well as an overview of the following information:
• top agent activity
• count of events by event class, facility, location, severity, user or subsystem
• agent status for the entire enterprise or an individual domain
• repository status for the entire enterprise or a single domain
• database maintenance schedule status
• alert history counts

Searches (F10)
Use the Searches command to display the Searches page, from which you can run searches, define new searches and enable alerting.

Agent Statistics (F11)
Use the Agent Statistics command to display the Agent Statistics page, which provides a global view of all your agents along with their current status and statistics.

Administration (F12)
Use the Administration command to display the Administration Tasks tab, which provides a single location where you can perform various administrative tasks related to configuring ChangeAuditor and customizing the auditing process.

Close All Windows
Use the Close All Windows command to close all open windows.

List of Open Windows
The remainder of this menu lists all of the windows that are currently open in the ChangeAuditor Client. A check mark to the left of a window indicates the window that is currently active.

Help Menu
Use the Help menu commands to display the online help or general information about this release of ChangeAuditor.

About
Use the About command to display the About ChangeAuditor dialog, which contains copyright, NetPro contact information, the current version and licensing information.

Contents (F1)
Use the Contents command to display the contents and initial screen of the ChangeAuditor online help.

Overview Page
The Overview page is initially displayed when the ChangeAuditor Client successfully connects to a repository. The goal of the Overview page is to provide you with instant access to valuable information about the application. Therefore, this page provides customized views to highlight application details based on your preference. For example, you can display Agent Status, Top Agent Activity, Repository Status, Event Counts, Database Maintenance Schedule Summary or Alert History Counts on the various panes of the Overview page. Additionally, you can view a real-time stream of events based on a ‘favorite’ search definition. By default, the top pane will use the ChangeAuditor Real-Time search definition and display all events (up to 10,000 records) generated in the last 20 minutes. You can, however, define a different ‘favorite’ search, and the events captured from that search will then be displayed across the top of the Overview page.

For a detailed description of the Overview page, please refer to Chapter 3: ChangeAuditor Overview and Agent Statistics Pages on page 49.

Searches Page
The Searches page is the other page that is initially displayed when the ChangeAuditor Client is launched. This page displays all of your search definitions, both private and shared, and the built-in reports provided with ChangeAuditor. From this page, you can perform the following tasks:
• view a list of available search definitions
• create new custom searches
• run searches
• set a search as your favorite
• enable/disable alerts
• view alert history
• generate and publish reports

For a detailed description of the Searches page and the tasks that can be performed from this page, please refer to Chapter 4: Searches and Alerts on page 61. For information on generating the built-in SRS reports provided with ChangeAuditor, please refer to Chapter 15: Generating and Publishing Reports on page 247.

Search Results Page
A new results page is created whenever a search is run.
When a search is run, this page displays detailed information about the audited events found as a result of the search. From this page, you can perform the following tasks:
• view search results
• view event details or search properties
• preview results based on changes made to a search
• compare results side-by-side
• print search results

For a detailed description of a Search Results page and the tasks that can be performed from this page, please refer to Chapter 5: Search Results on page 135.

Report Page
A new report page is created whenever you use the Run Local Report right-click command on a search or built-in report definition. A report page displays an SRS rendering of the audited events returned as a result of the selected search or built-in report. From this page you can scroll through the report, print the report, or export the report.
NOTE: You do NOT need Microsoft SQL Server Reporting Services (SRS) installed to generate these local reports through the ChangeAuditor Client.

For more information on generating reports, please refer to Chapter 15: Generating and Publishing Reports on page 247.

Agent Statistics Page
The Agent Statistics page provides a global view of all installed ChangeAuditor Agents (a.k.a. NetPro Compliance Agents), including the current status of the agents and statistics for the ChangeAuditor component of these agents. If you have high security agents installed, you can also stop, start and restart these agents from this page.

For a detailed description of the Agent Statistics page, please refer to Agent Statistics Page on page 57.

Administration Tasks Tab
On the Administration Tasks tab, use the navigation pane in the left-hand pane to select the administrative task to be performed. Based on your selection, the appropriate information page will be displayed allowing you to perform the selected task.

From the Administration Tasks tab you can perform the following administrative tasks:
• Define and assign agent configurations (Configuration | Agents)
• Configure repository email notifications (Configuration | Repository)
• Define group expansion (Configuration | Repository)
• Define database maintenance activities (Configuration | Purge/Archive)
• Enable/disable event auditing and modify an event's severity level or description (Auditing | Audit Events)
• Define custom Active Directory object class auditing (Auditing | Active Directory)
• Define custom attribute auditing (Auditing | Attributes)
• Define a Member of Group auditing list to specify the users to be audited based on their group membership (Auditing | Member of Group)
• Define an Exchange Mailbox auditing list to specify what directory objects’ mailbox activities are to be audited (Auditing | Exchange Mailbox)
• Create File System Auditing templates to define the files/folders to be audited (Auditing | File System)
• Create Registry Auditing templates to define the registry changes to be audited (Auditing | Registry)
• Create SQL Server Auditing templates to define the SQL instances to be audited (Auditing | SQL Server)
• Create Excluded Account templates to define accounts to be excluded from ChangeAuditor auditing (Exclusions | Account)

For a detailed description of the various Administration pages and the tasks that can be performed from this tab, please refer to the following chapters:
• Chapter 6: Custom Active Directory Auditing on page 153
• Chapter 8: File System Auditing on page 171
• Chapter 9: Registry Auditing on page 187
• Chapter 10: SQL Server Auditing on page 197
• Chapter 11: Account Exclusion on page 207
• Chapter 12: Agent Configurations on page 217
• Chapter 13: Repository Configuration on page 229
• Chapter 14: Database Maintenance on page 239

Alert History Page
The Alert History page can be accessed using the Alert | History right-click menu command when an alert is selected on the Searches page. This page displays details regarding the events that triggered the selected alert, including the time the alert was triggered, the type of alert generated (e.g., WMI, SNMP, or SMTP), whether the alert was successfully sent, a description of the event that triggered the alert, and, if applicable, an error message stating that the alert was not sent.

Using the Object Picker
Throughout the ChangeAuditor client, you will encounter the object picker, which allows you to locate and select a directory object from your environment. This object picker will appear either in a stand-alone dialog or as part of a wizard, and consists of the following three tabbed pages:
• Browse - use the Browse page to select a directory object from a hierarchical view of your environment
• Search - use the Search page to search your environment to locate and select a directory object
• Options - use the last page to view or modify various search options or the global catalog to be used to retrieve directory objects

Browse Page
The Browse page is initially displayed and shows a hierarchical view of the objects in your environment.

Find
Use the Find field to select the type of directory objects to be displayed. You can either type in an entry or use the drop-down menu to select the class. You can type in multiple classes, separated by either a period or a semi-colon. Note that when you type in an entry, you must use the Apply Filter button to display the objects.
NOTE: Most of the time, this field will be automatically filled in with the appropriate entry. When this field is grayed out, it is read-only and cannot be changed.

Explorer View
The explorer view, located in the left-hand pane, displays a hierarchical view of the containers in your environment.
Single-click the expansion state box to the left of a container, or double-click a container, to expand the view and display subordinate objects. When you select a container in this pane, the object list (right-hand pane) will be populated with the objects that belong to the selected container. Right-clicking the root domain in the explorer view will display a drop-down menu listing any peer domains. To view a different domain’s objects, select the desired domain from those listed. Use the F5 key to force a refresh of the contents of this pane.

Object List
The object list, located in the right-hand pane, displays the objects that belong to the container selected in the explorer view. To select an object, click on the object to highlight it and use the Add button to add it to the Selected Objects list at the bottom of the dialog.

Add
Use the Add button to add the selected object to the Selected Objects list. The Add button will only be activated when you have selected an object of the designated type (based on the Find field).

Remove
Use the Remove button to remove an Active Directory object from the Selected Objects list. Select/highlight the object to be removed and select the Remove button.

Selected Objects List
The Selected Objects list displays the objects selected. This list is used for both the Browse and Search pages and will contain the objects selected from either of these pages. Once you have added objects to this list, use the Select button to save your selection and close the dialog.

Search Page
Use the Search page to search your environment to locate the desired object(s). From this page, use the controls at the top of the page to define the search, then select the Search button to display the information requested.

Find
Use the Find field to select the type of directory objects to be displayed. You can either type in an entry or use the drop-down menu to select the class. You can type in multiple classes, separated by either a period or a semi-colon. Note that when you type in an entry, you must use the Search button to display the objects.
NOTE: Most of the time, this field will be automatically filled in with the appropriate entry. When this field is grayed out, it is read-only and cannot be changed.

Name
Use the Name field to specify a search expression to be used to search Active Directory to locate a particular object.

ANR
The ANR check box is checked by default, indicating that Ambiguous Name Resolution (ANR) is the search algorithm used. ANR allows you to enter limited input (partial data) to find multiple objects in your network.

When the ANR check box is checked, use one of the following methods to enter your search expression:
• Enter a partial string to return exact matches or a list of possible matches. For example, entering ‘Admin’ will return objects that contain the names ‘Admin’, ‘Admins’, ‘Administrator’, ‘Administrators’, etc.
• Enter a string preceded by the equal sign (=Admins) to return only exact matches. For example, entering ‘=Admin’ will return only those objects containing the name ‘Admin’.

By default, ANR will search the following attribute fields in Active Directory:
• First Name (GivenName)
• Last Name (Surname)
• Display Name (displayName)
• LegacyExchangeDN
• msExchMailNickname
• Relative Distinguished Name of the object (RDN)
• Office (physicalDeliveryOfficeName)
• Email address (proxyAddress)
• Security Account Manager account (sAMAccountName)

When the ANR check box is not checked, the search expression entered will be used to search only the Display Name of directory objects to locate a particular object. To use this search mechanism, enter a string of characters and the wildcard (*) character as described below. For example, n* will return objects that start with the letter ‘n’; *n will return objects that end in the letter ‘n’; and *n* will return objects that contain the letter ‘n’ within their Display Name.

Search
After entering a search expression, use the Search button to initiate the search and return the results of the search.

Object List
The object list displays the objects found as a result of your search. To select an object, click on the object to highlight it and use the Add button to add it to the Selected Objects list.

Add
Use the Add button to add the selected Active Directory object to the Selected Objects list.

Remove
Use the Remove button to remove an Active Directory object from the Selected Objects list. Select/highlight the object to be removed and select the Remove button.

Selected Objects List
The Selected Objects list displays the objects selected. This list is used for both the Browse and Search pages and will contain any objects selected on either page. Once you have added objects to this list, use the Select button to save your selection and close the dialog.

Options Page
Use the Options page to view or modify the search options or the global catalog to be used to retrieve directory objects.

Search Limit
The Search Limit field specifies the maximum number of records to be returned for any given search. The default is 2000 records. The minimum value is 100 and the maximum value is 9999.

No Search Limit
Select (check) the No Search Limit check box to allow an unlimited number of records to be returned.

Page Size
The Page Size field displays the maximum number of records to be returned per LDAP polling cycle. Care should be taken when modifying this value, because it could impact the performance of your searches.

Global Catalog
This field displays the name of the global catalog (GC) being used to retrieve directory objects.
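As an added example (not ChangeAuditor's own code), the following Python emulates the two search modes of the object picker's Search page described above, ANR matching with its ‘=’ exact-match form and the non-ANR Display Name wildcard search, over constructed sample objects, and shows the equivalent LDAP filter for each mode. It assumes ANR matches by prefix, that comparisons are case-insensitive, and that the Search Limit rule from the Options page (100 to 9999, or unlimited) applies; the LDAP attribute names used for the ANR set are assumed.

```python
"""Emulate the object picker's Search page modes over constructed objects."""
import re
from typing import Dict, List, Optional

# LDAP names (assumed) for the attribute set the manual lists as searched
# by ANR. "rdn" stands in for the object's relative distinguished name.
ANR_ATTRIBUTES = (
    "givenName", "sn", "displayName", "legacyExchangeDN",
    "msExchMailNickname", "rdn", "physicalDeliveryOfficeName",
    "proxyAddresses", "sAMAccountName",
)

# Constructed sample objects; none of these are real accounts.
SAMPLE_OBJECTS: List[Dict[str, str]] = [
    {"displayName": "Admin", "sAMAccountName": "admin"},
    {"displayName": "Admins", "sAMAccountName": "admins"},
    {"displayName": "Administrator", "sAMAccountName": "administrator"},
    {"displayName": "Nathan Hale", "sAMAccountName": "nhale",
     "givenName": "Nathan", "sn": "Hale"},
    # Matches 'Admin' under ANR only because ANR also searches the office.
    {"displayName": "Joan Brown", "sAMAccountName": "jbrown",
     "givenName": "Joan", "sn": "Brown",
     "physicalDeliveryOfficeName": "Admin Wing"},
]


def anr_match(obj: Dict[str, str], expression: str) -> bool:
    """ANR mode: prefix match on any ANR attribute; '=' forces exact match."""
    exact = expression.startswith("=")
    needle = (expression[1:] if exact else expression).casefold()
    if not needle:
        return False  # an empty expression selects nothing
    for attr in ANR_ATTRIBUTES:
        value = obj.get(attr, "").casefold()
        if value and (value == needle if exact else value.startswith(needle)):
            return True
    return False


def display_name_match(obj: Dict[str, str], expression: str) -> bool:
    """Non-ANR mode: displayName only, '*' matches any run of characters."""
    pattern = ".*".join(re.escape(part) for part in expression.split("*"))
    name = obj.get("displayName", "")
    return re.fullmatch(pattern, name, re.IGNORECASE) is not None


def limit_is_valid(search_limit: Optional[int]) -> bool:
    """Options page rule: 100..9999 records, or None for No Search Limit."""
    return search_limit is None or 100 <= search_limit <= 9999


def search(objects: List[Dict[str, str]], expression: str,
           anr: bool = True, search_limit: Optional[int] = 2000) -> List[str]:
    """Return the displayName of each matching object, honouring the limit."""
    if not limit_is_valid(search_limit):
        raise ValueError("Search Limit must be between 100 and 9999")
    matcher = anr_match if anr else display_name_match
    hits = [obj["displayName"] for obj in objects if matcher(obj, expression)]
    return hits if search_limit is None else hits[:search_limit]


def _ldap_escape(value: str, keep_wildcard: bool) -> str:
    """Escape LDAP filter metacharacters (RFC 4515); optionally keep '*'."""
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append(ch)
        elif ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_filter(expression: str, anr: bool = True) -> str:
    """Equivalent LDAP filter: Active Directory's 'anr' pseudo-attribute
    (which itself honours a leading '=') or a displayName wildcard."""
    if anr:
        return "(anr=%s)" % _ldap_escape(expression, keep_wildcard=False)
    return "(displayName=%s)" % _ldap_escape(expression, keep_wildcard=True)


if __name__ == "__main__":
    print(search(SAMPLE_OBJECTS, "Admin"))          # ANR prefix match
    print(search(SAMPLE_OBJECTS, "=Admin"))         # ANR exact match
    print(search(SAMPLE_OBJECTS, "*n", anr=False))  # Display Name wildcard
    print(ldap_filter("=Admin"), ldap_filter("*n*", anr=False))
```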
Select New GC
Select this button to display the Global Catalog dialog, where you can select the GC and specify the credentials to be used.

Global Catalog Dialog
ChangeAuditor automatically selects the global catalog (GC) to be used to retrieve directory objects. However, if you use multiple GCs in your environment, you can select a specific GC to retrieve directory objects. Use the Select New GC button on the Options page of the Select One or More Directory Objects dialog to display the Global Catalog dialog, where you can specify the GC to be used. On this dialog, enter the requested information as described below:

Server
Use the Server drop-down menu to select the GC to be used to retrieve directory objects.

User
Enter the name of a user that can access the specified server and Active Directory objects across the forest.

Password
Enter the password associated with the user specified above.

Domain
Enter the domain where the user id entered above resides.

Save Selection
Select (check) the Save Selection check box to use the selected GC in future search sessions instead of having ChangeAuditor automatically select one.

After specifying the GC and credentials to be used, select the OK button to save your selection and return to the Options page. The specified GC and credentials will now be in use. Back on the Select One or More Directory Objects dialog, use the Select button to return to the originating dialog.

Customizing Table Content
The contents of the various tables (data grids) displayed in the ChangeAuditor client can be sorted, rearranged and grouped using the simple utilities provided in ChangeAuditor.

Sorting
An arrow in the column heading identifies the sort criteria and order, ascending or descending, being used to display information. To change the sort criteria, click on another column heading in the table. The sort order will be ascending, but can be changed to descending by clicking on the heading a second time. To specify a secondary sort order, Shift + click the heading of the column to be used for the secondary sort order.

Resizing or Moving Columns
Columns can also be resized or moved within the table. To change the size of a column, place your cursor on the boundary between column headings (your cursor will change to a double arrow), then click and hold the left mouse button, dragging the column boundary to the desired size. To change the order of the columns in the table, use the left mouse button to click the heading to be moved (the column heading will pop off the table) and drag that column heading to the desired location in the table (red arrows will indicate where you are placing the selected column).

Grouping Data
In addition, you can group the displayed information by selecting a column heading and dragging it to the space above the table. That is, use the left mouse button to click the heading and drag that column heading to the space above the table. This will collapse the table and display the groups, which can be expanded to view the detailed information that applies to that group, as shown below. To remove a grouping, select the heading and drag it back down into the table area, or right-click a group heading (in the area above the grid) and select one of the remove commands.

Adding or Removing Columns
ChangeAuditor displays a default set of columns for the different pages displayed. You can, however, display additional data or hide a particular column. The Field Chooser dialog is displayed when you select the button to the far left of the column headings. This dialog displays all of the data (columns) available for display. From this dialog, select (check) the columns to be displayed and uncheck the columns you do not want displayed.
NOTE: For each individual search, you can select the data to be retrieved and displayed in the client using the Advanced search properties tab. From this tab, you can also define the column order and sort order for the displayed data.

Filtering Data
Traditional search capabilities provide the first phase of drilling down on the details you may be seeking, but locating individual events typically requires more granular search capabilities and additional steps. ChangeAuditor provides advanced filtering options that allow you to modify the results of a search without changing the original search. With this capability, filtering can be performed on one or more columns of a result, ultimately reducing the need to build the same search multiple times with minor customizations.

Throughout the client, you will see a row of cells under the headings row in each of the data grids. These cells provide data filtering options which allow you to filter and sort the data displayed. Each cell shows the prompt ‘Click here to filter data...’. Clicking in one of these cells allows you to enter search criteria to be used to filter the data displayed. In the cell, enter the word or string of characters to be located. By default, ChangeAuditor will use either the ‘starts with’ or ‘contains’ expression to filter the data, and the filtering will take place as you type your entry. However, if you click on the search criteria button (see the diagram above), you can select one of the following expressions:
• Starts with (default)
• Contains
• Ends with
• Does not start with
• Does not contain
• Does not match
• Like
• Not Like
• Equals
• Does not Equal
• Less Than
• Less Than or Equal to
• Greater Than
• Greater Than or Equal to
• Matches Regular Expressions

In addition, when you place your cursor in a data filtering cell, a drop-down arrow will be added to the right of this cell, which displays all of the items available for selection.
Selecting an item from this drop-down list will display the entries for the selected item. To remove the filtering and return to the original data grid, click on the Remove Filter button to the far left of the cells. To remove the filtering of an individual cell, use the Remove Filter button to the right of that cell.

Filtering Data in Expanded Views

In addition to the standard data filtering feature present throughout the client, the expandable views of the auditing pages on the Administration Tasks tab provide an additional layer of data filtering. That is, data filtering cells are available under both the headings in the collapsed view (topmost) and the expanded view. The additional data filtering cells that are available in the topmost heading on these auditing pages include:

• Active Directory Auditing page - Object Class
• File System Auditing page - File Path
• Registry Auditing page - Path
• SQL Server Auditing page - Instance

The cells (listed above) in the main (topmost) heading are used for filtering the specified data (object class, file path, registry path or SQL instance) regardless of the object or template to which they belong. For example:

• On the Active Directory Auditing page, as you enter characters into the Object Class field, the client will redisplay only the object classes that ‘start with’ the character(s) entered, regardless of the object.
• On the File System Auditing page, as you enter characters into the File Path field, the client will redisplay only the file paths that ‘contain’ the character(s) entered, regardless of the File System template to which they belong.
• On the Registry Auditing page, as you enter characters into the Path field, the client will redisplay only the paths that ‘contain’ the character(s) entered, regardless of the Registry template to which they belong.
• On the SQL Auditing page, as you enter characters into the Instance field, the client will redisplay only the SQL instances that ‘contain’ the character(s) entered, regardless of the SQL template to which they belong.

Chapter 3: ChangeAuditor Overview and Agent Statistics Pages

The Overview and the Agent Statistics pages provide access to valuable information about ChangeAuditor and the agents that are capturing the audited events.

Overview Page

The Overview page is initially displayed when the ChangeAuditor Client successfully connects to a repository. The Overview page provides you with instant access to valuable information about the application.

ChangeAuditor Overview and Agent Statistics Pages 50 ChangeAuditor

The Overview page contains the following main components:

Tool Bar
The tool bar buttons displayed across the top of the Overview page allow you to specify what is displayed in the bottom pane (Overviews or Event Details) and to print the contents of this page.

My Favorite Search Grid
The top pane displays a real-time view of events generated based on a user-defined ‘favorite’ search. By default, ChangeAuditor will use the ChangeAuditor Real-Time search definition, and this pane will display all events captured in the last 20 minutes.

Overview Panes
In the bottom pane, ChangeAuditor provides the following overview views, which highlight application details based on your preference:
• Top Agent Activity
• Count of Events
• Agent Status
• Repository Status
• Database Maintenance
• Alert History

Event Details Pane
The Event Details pane is displayed across the bottom of the Overview page, replacing the Overview panes, when the Event Details tool bar button is selected or you double-click an event in the My Favorite Search grid. This pane displays additional details about the event selected in the My Favorite Search grid.

The information on this page is captured when the ChangeAuditor Client is started.
To refresh all of the information displayed on the Overview page, use the Refresh button, F5 or the Action | Refresh menu command. Also, when you select a different pane for display, the latest information for the 'new' pane will be displayed.

Tool Bar

Use the tool bar buttons on the Overview page to perform the following tasks:

Overviews
Use the Overviews button to display the Overview panes across the bottom of the Overview page.

Event Details
Use the Event Details button to display the Event Details pane across the bottom of the Overview page, replacing the Overview panes. The Event Details pane displays additional information about the event selected in the My Favorite Search grid.

Print
Use the Print button to send the contents of the Overview page to a designated printer.

Print | Print to File
Expand the Print button and select the Print to File command to save the contents of the Overview page to an Excel (.xls) or Comma Delimited (.csv) file. This command will display the native Save As dialog, allowing you to specify the file name, location and file type to be saved.

Print | Print Preview
Expand the Print button and select the Print Preview command to display the print layout of the selected page prior to printing it.

Print | Page Setup
Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog, allowing you to define the paper, page orientation and margins.

My Favorite Search Grid

The top pane displays the change events as they are captured for your favorite search. By default, this pane displays all events captured in the last 20 minutes, using the ChangeAuditor Real-Time search definition. To define a different 'favorite' search, open the Searches page, select/highlight a search, right-click and select the Set As My Favorite menu command.
Selecting F5 or the Refresh button on the Overview page will then display the results of that search in this top pane of the Overview page.

As events are returned, they will be added to this search results grid, providing you with a real-time view of what’s happening in your environment. By default, the events are sorted by date, with the latest event being added to the top of the list. You can, however, use the column controls to select different sort criteria for the information displayed. For more information on customizing the content of this table, please refer to Customizing Table Content on page 44.

Double-clicking an event in this grid will display the Event Details pane across the bottom of the page, which contains additional details regarding the event selected in the search results grid.

The layout and content of the My Favorite Search grid are the same as those used on the Search Results page. For a description of the search results grid and the Event Details pane, please refer to Search Results Grid on page 143 and Event Details Pane on page 147.

Overview Panes

The Overview panes across the bottom of the Overview page can be customized based on your preference to display a variety of overview information about ChangeAuditor. By default, the Top Agent Activity and Agent Status panes are displayed across the bottom of the Overview page. However, each of these panes has an arrow button on its heading that can be used to display the different overview information that is available.

Top Agent Activity
The Top Agent Activity pane displays the most active ChangeAuditor Agents in your environment, based on the date range specified; that is, the agents that have forwarded the most events overall to the ChangeAuditor Repository. If this pane is not displayed, select the arrow on the heading of one of the lower panes and select Top Agent Activity to display this pane.
By default, the agent activity on both DCs and Member Servers for the past month will be displayed. You can, however, use the controls located at the top of this pane to specify the types of servers to be included as well as the date range.

All | DC | Member Servers
By default, all domain controllers and member servers will be included. However, you can use this drop-down menu to specify the types of servers to be included:
• All - both domain controllers and member servers (default)
• DCs - only domain controllers
• Member Servers - only member servers

Show Uninstalled Agents
This check box is selected by default and will include all uninstalled agents in the count.

Last <nn> <interval>
By default, data will be collected for the last month. However, you can use these controls to specify a different time interval for collecting this data, where <nn> is a positive numeric value and <interval> is one of the following:
• Minutes
• Hours
• Days
• Weeks
• Months (default)
• Quarters
• Years

Count of Events by ...
The event counts pane displays a table listing the total number of audited events captured by ChangeAuditor, sorted by the selected category. Select the arrow on the heading of one of the lower panes and select Count of Events to display this pane. When selecting this pane for display, choose from the following categories:
• Event Class
• Facility
• Location
• Severity
• User
• Subsystem

Examples of some of these panes are illustrated below: Event Class; Location; Subsystem | Active Directory | Attribute; Subsystem | Service.

Agent Status
The Agent Status pane of the Overview page displays a pie chart depicting the current status of all NetPro Compliance Agents in either the entire enterprise or in a selected domain.
Select the arrow on the heading of one of the lower panes and select Agent Status to display this pane.

Show Uninstalled Agents
This check box is selected by default and will include uninstalled agents in the pie chart. When this check box is not checked, the pie chart will include only active and inactive agents.

Double-clicking the pie chart will display the Agent Statistics page, which provides a global view of all NetPro Compliance Agents, including their current status.

Repository Status
The Repository Status pane displays a pie chart depicting the current status of all the ChangeAuditor repositories installed in either the entire enterprise or in a selected domain. Select the arrow on the heading of one of the lower panes and select Repository Status to display this pane. Double-clicking the pie chart will display the Agent Statistics page, which provides a global view of all installed NetPro Compliance Agents, including their current status.

Database Maintenance
The Database Maintenance pane displays the overview information regarding the database maintenance schedule defined. Select the arrow on the heading of one of the lower panes and select Database Maintenance to display this pane.

Alert History
The Alert History pane displays the number of ChangeAuditor alerts that were successfully sent or failed to send. Select the arrow on the heading of one of the lower panes and select Alert History to display this pane. This information can display just the sent and failed counts for WMI, SNMP and SMTP alerts, or it can also include the query name.

Event Details Pane

The Event Details pane is displayed across the bottom of this page, replacing the Overview panes, when the Event Details tool bar button is selected or when you double-click an event in the My Favorite Search grid. This pane provides additional details about the event selected in the My Favorite Search grid at the top of the page.
The information displayed is the same as that displayed in the Event Details pane at the bottom of a Search Results page. Please refer to Event Details Pane on page 147 for a description of the details that this pane may contain.

Agent Statistics Page

Use the View | Agent Statistics menu command (or F11) to display the Agent Statistics page, which provides a global view of all installed NetPro Compliance Agents, including the current status of the agents and statistics for the ChangeAuditor component of these agents. The Agent Statistics page consists of the following main components:
• Tool Bar
• Agent Statistics Grid

Tool Bar

Use the tool bar across the top of this page to perform the following functions:

Start Agent
Use the Start Agent button to start a stopped NetPro Compliance agent. This button is only available when an agent is in an ‘inactive’ state.

Stop Agent
Use the Stop Agent button to stop a NetPro Compliance agent. This button is only available when an agent is in an ‘active’ state.

Restart Agent
Use the Restart Agent button to stop and then restart a NetPro Compliance agent. This button is only available when an agent is in an ‘active’ state.

Set Agent Uninstalled
Use the Set Agent Uninstalled button to flag the selected NetPro Compliance agent as ‘uninstalled’. This button is only available when an agent is in an ‘inactive’ state.

Hide|Show Uninstalled Agents
Use the Hide Uninstalled Agents button to remove the uninstalled agents from the Agent Statistics list. Use the Show Uninstalled Agents button to include the uninstalled agents in the Agent Statistics list.

Print
Use the Print button to send the contents of the Agent Statistics page to a designated printer.
Print | Print to File
Expand the Print button and select the Print to File command to save the contents of the Agent Statistics page to an Excel (.xls) or Comma Delimited (.csv) file. This command will display the native Save As dialog, allowing you to specify the file name, location and file type to be saved.

Print | Print Preview
Expand the Print button and select the Print Preview command to display the print layout of the selected page prior to printing it.

Print | Page Setup
Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog, allowing you to define the paper, page orientation and margins.

Agent Statistics Grid

By default, the Agent Statistics grid contains the following information for each agent:

NOTE: All times displayed are local times.

Load
This field displays the load status of the agent service in regards to processing audited events. Valid entries are:
• Normal - agent service is running and processing events as expected
• Medium - agent service has more than 100 events waiting
• Critical - agent service has reached a critical load and events may be missed

Agent
This field displays the NetBIOS name of the server where the NetPro Compliance Agent resides.

Domain
This field displays the name of the domain where the agent is located.

Status
This field displays the current status of the agent: active, inactive or uninstalled.

Uptime
This field displays how long the agent has been running.

Events Today
This field displays the number of audited events encountered on the agent since 12:00 a.m. of the current day (based on the relative repository computer's time).

Version
This field displays the current NetPro Compliance Agent version installed.

Last Update
This field displays the date and time when the agent configuration was last updated.
Configuration
This field displays the agent configuration assigned to the agent.

In addition, the following fields can be displayed using the Field Chooser button located to the far left of the column headings:
• Agent FQDN - the fully qualified domain name of the agent.
• DB Size - the size of the agent database, in kilobytes.
• Events Last 24 Hours - the number of audited events encountered on the agent during the 24 hours before the dialog was initially opened in the current client session, or before the Refresh button was selected.
• Events Total - the number of audited events encountered since the agent was started.
• Events Yesterday - the number of audited events encountered between 12:00 a.m. yesterday and 12:00 a.m. of the current day (based on the relative repository computer's time).
• Exclude Account - indicates whether an Excluded Account template has been added to the agent configuration.
• File System - indicates whether custom file system auditing has been defined for the agent (i.e., a File System Auditing template has been added to the agent configuration).
• High Security - indicates whether the agent is a High Security Agent using the anti-tampering technology.
• Last Event Sent - the date and time when the repository last received an audited event from the agent.
• Registry - indicates whether custom registry auditing has been defined for the agent (i.e., a Registry Auditing template has been added to the agent configuration).
• Repository - the name of the ChangeAuditor repository that the agent is connected through.
• SQL - indicates whether custom SQL Server auditing has been defined for the agent (i.e., a SQL Server Auditing template has been added to the agent configuration).
• Startup Time - the date and time when the agent was last initialized.
• Type - the type of server (member server or domain controller)
• Unsent Events - the number of audited events that have not yet been sent to the repository.

Right-clicking an entry in the Agent Statistics grid will display the following commands:

Start Agent
Use the Start Agent command to start a stopped NetPro Compliance agent. This command is only available when an agent is in an ‘inactive’ state.

Stop Agent
Use the Stop Agent command to stop a NetPro Compliance agent. This command is only available when an agent is in an ‘active’ state.

Restart Agent
Use the Restart Agent command to stop and then restart a NetPro Compliance agent. This command is only available when an agent is in an ‘active’ state.

Set Agent Uninstalled
Use the Set Agent Uninstalled command to flag the selected NetPro Compliance agent as ‘uninstalled’. This command is only available when an agent is in an ‘inactive’ state.

Chapter 4: Searches and Alerts

The Searches page is one of the pages initially displayed when the ChangeAuditor Client is launched. From this page, you can perform the following tasks:
• view a list of available searches
• create new custom searches
• run searches
• set a search as your favorite
• enable/disable alerts
• view alert history
• generate and publish reports

The first part of this chapter steps you through the procedures mentioned above which can be performed from the Searches page (except for generating and publishing reports; please refer to Chapter 15: Generating and Publishing Reports on page 247). The latter part of the chapter provides a detailed description of the Searches page, its components, commands that can be accessed, as well as additional dialogs that can be accessed through this page.
Searches and Alerts 62 ChangeAuditor

Viewing a List of Available Searches

All search definitions, private or shared, custom or built-in, are listed on the Searches page of the ChangeAuditor Client. Click on the Searches tab, select the F10 function key, or use the View | Searches menu command to open the Searches page.

1. To view the list of the search definitions that are only available to you, select the Private folder (or a subordinate folder created under the Private folder) in the explorer view of the Searches page. The right-hand pane will be populated with a list of the search definitions that are stored in the selected folder.
2. To view the list of search definitions that are available to all ChangeAuditor users, select the Shared folder (or a subordinate folder created under the Shared folder) in the explorer view of the Searches page. The right-hand pane will be populated with a list of the search definitions that are stored in the selected folder.
3. To view the list of built-in reports (those provided with ChangeAuditor), expand the Built-in Reports folder under the Shared folder in the explorer view of the Searches page. Select a folder under the Built-in Reports folder to view the list of search definitions that are stored in the selected folder.
4. Double-clicking a search in the right-hand pane will run the search and open a new Search Results page.
5. Right-clicking a search will display a context menu containing actions that can be taken against the selected search.

Creating New Custom Searches

ChangeAuditor enables you to create custom search definitions to search for the configuration changes that need to be tracked in your environment. You will use the search properties tabs across the bottom of the Searches page to define new custom searches.

To define a new search:

1. Click on the Searches tab, select the F10 function key, or use the View | Searches menu command to open the Searches page.
2.
In the explorer view (left-hand pane), expand and select/highlight the folder where you want to save your search. Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all ChangeAuditor users.
3. Select the New tool bar button at the top of the Searches page (or right-click a folder and select the New | New Search menu command) to display and activate the Search Properties tabs.
4. On the Search Properties tabs, enter the search criteria to be used:
   • Info - enter a name and description for the search
   • Who - allows you to define the users, computers and groups to be included (or excluded) *
   • What - allows you to define "what" (e.g., event class, subsystem, etc.) is to be included (or excluded)
   • Where - allows you to define the agent, domain and/or site where the search is to be conducted (or not conducted) *
   • When - allows you to define a date/time range to limit your search *
   • Why - allows you to search the comments for a specific word or string of characters *
   • Alert - allows you to enable as well as define how and where to dispatch alerts when the selected search criteria is met
   * Or you can check the Runtime Prompt check box on these tabs to prompt for the criteria whenever the search is run.
5. Once you have defined the search criteria to be used, you can either save the search definition or run the search.
   • To save and run the search, select the Run tool bar button from one of the Search Properties tabs.
   • To save the search definition without running it, select the Save tool bar button from one of the Search Properties tabs.

Running Searches

To run a previously saved search or built-in report:

1. Click on the Searches tab, select the F10 function key, or use the View | Searches menu command to open the Searches page.
2.
Expand and select the appropriate folder in the explorer view to display the list of search definitions stored in the selected folder.
3. Use one of the following methods to run a search:
   • Double-click the search definition
   • Right-click the search definition and select the Run menu command
   • Select/highlight the search definition and select the Run tool bar button at the top of the Searches page.
4. A new Search Results page will be displayed, populated with the audited events that met the search criteria defined in the selected search definition.

To run a newly created search:

1. Open the Searches page (click on the Searches tab, select the F10 function key, or use the View | Searches menu command).
2. Expand and select the appropriate folder in the explorer view where you want to store the new search definition.
3. Select the New | New Search tool bar button or right-click command to display and activate the Search Properties tabs across the bottom of the page.
4. On the Search Properties tabs, enter the search criteria to be used.
5. Once finished entering the search criteria, use the Run tool bar button from one of the Search Properties tabs.
6. A new Search Results page will be displayed, populated with the audited events that met the search criteria entered.

Running a Quick Search

The quick search feature allows you to run a search immediately without saving the search definition. However, if you want to save the search definition, you can use the Save As tool bar button before you run the search.

To run a quick search:

1. Open the Searches page (click the Searches tab, select the F10 function key or select the View | Searches menu command).
2. Select the Quick Search Folder node in the explorer view to display the Quick Search entry in the Searches list (right-hand pane).
3. You can either run the default Quick Search, which will retrieve all audited events for the last seven days, or define the search criteria to be used.
   • To run the default search, double-click the Quick Search entry in the Searches list or select the Run right-click command or tool bar button.
   • To define the search criteria, select the Quick Search definition to enable the Search Properties tabs. On the Search Properties tabs, enter the search criteria to be used. Once finished entering the search criteria, use the Run tool bar button from one of the Search Properties tabs.
4. A new search results tab, titled Quick Search, will be displayed, populated with the audited events that met the search criteria defined.

Setting a Favorite Search

By default, the ChangeAuditor Real-Time search (all events captured in the last 20 minutes) is used to capture the events displayed on the Overview page. You can, however, select a different ‘favorite’ search, which will then be used to populate the top pane on the Overview page.

To define a 'favorite' search:

1. Open the Searches page (click the Searches tab, select the F10 function key, or select the View | Searches menu command).
2. Select/highlight the search to be used, right-click and select the Set As My Favorite menu command.
3. Open the Overview page and select F5 (or the Refresh button) to display the results of that search in the My Favorite Search pane at the top of the Overview page.

Enabling/Disabling Alerts

Using the Searches page, you can enable (or disable) alerting for individual search definitions and dispatch alerts via SMTP (email), SNMP or WMI.

NOTE: Regardless of the alert state (enabled or disabled), the alert history for an alert-enabled search is always available until it is removed using the Alert | Delete History right-click menu command.

To enable SMTP (email) alerts for individual search definitions:

NOTE: In order to dispatch configuration change alerts through email (SMTP), you must first enable email notification on the Repository Configuration page. See Configuring Email Notifications on page 229.

1.
Open the Searches page (click the Searches tab, select the F10 function key, or select the View | Searches menu command).
2. Expand the Private or Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list box in the right-hand pane.
3. Use one of the following methods to enable an alert:
   • Right-click the search and select the Alert | Enable | SMTP command.
   • Open the Alert tab and select (check) the SMTP check box and then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the search definition and select the Show Properties menu command.)
   NOTE: If SMTP is not configured, a message box will be displayed stating that the repository email configuration has not been configured. Open the Administration Tasks tab and use the Repository Configuration page to configure SMTP.
4. Using either of these methods will display the Alert Custom Email dialog, allowing you to enter the email address of the person(s) who are to receive the alert.
5. In addition, you can use the Alert tab (Search Properties tabs) to specify the following:
   • If you do not want to use the default settings (from the Repository Configuration page) for this alert, select the Configure Email button to display the Alert Custom Email dialog and specify the details, including the To address, the Reply To address and the Subject Line. In addition, from the Alert Custom Email dialog you can access the Alert Body Configuration dialog to configure the body of the email alert.
   • By default, a maximum of 100 events will be included in a single alert email. Use the Batch setting to change this number.
   • By default, the alert processing will be assigned a medium priority. Use the Priority setting to change this setting if you need the alert to be processed at a higher or lower priority.
   • By default, the alert will be evaluated every minute to determine if the criteria have been met and an alert is to be triggered.
   Use the Evaluation Frequency setting to change how often the alert criteria are to be checked.
   • If you want to specify under what conditions an alert is to be sent, select (check) the Smart Alert Enabled check box and specify the number of events that must occur within a specified time interval before generating/dispatching the alert.
   • By default, a smart alert is generated when the event is reported for the same object the specified number of times. You can, however, uncheck this option to have the smart alert triggered when the event occurs on any object the specified number of times.
   NOTE: If using the Alert tab, be sure to select the Save button to save the alert definition.
6. When an alert is enabled, the icon for the search will change to an alarm clock, the label will change from ‘search’ to ‘alert’ and a green ‘Enabled’ entry will be added to the Enabled column next to the alert on the Searches page.

To enable SNMP alerts for individual search definitions:

NOTE: In order to generate SNMP alerts, SNMP must be installed and the trap receiver must be started.

1. Open the Searches page (click the Searches tab, select the F10 function key, or select the View | Searches menu command).
2. Expand the Private and Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list box in the right-hand pane.
3. Use one of the following methods to enable an alert:
   • Right-click the search and select the Alert | Enable | SNMP command.
   • Open the Alert tab at the bottom of the page, select (check) the SNMP check box, then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
4. In addition, you can use the Alert tab (Search Properties tabs) to specify the following:
   • By default, the alert processing will be assigned a medium priority.
   Use the Priority setting to change this setting if you need the alert to be processed at a higher or lower priority.
   • By default, the alert will be evaluated every minute to determine if the criteria have been met and an alert is to be triggered. Use the Evaluation Frequency setting to change how often the alert criteria are to be checked.
   • If you want to specify under what conditions an alert is to be sent, select (check) the Smart Alert Enabled check box and specify the number of events that must occur within a specified time interval before generating/dispatching the alert.
   • By default, a smart alert is generated when the event is reported for the same object the specified number of times. You can, however, uncheck this option to have the smart alert triggered when the event occurs on any object the specified number of times.
   NOTE: If using the Alert tab, be sure to select the Save button to save the alert definition.
5. When an alert is enabled, the icon for the search will change to an alarm clock, the label will change from ‘search’ to ‘alert’ and a green ‘Enabled’ entry will be added to the Enabled column next to the alert on the Searches page.

To enable WMI alerts for individual search definitions:

NOTE: In order to generate WMI alerts, WMI must be installed and started. A WMI event consumer must also be running on the repository server.

1. Open the Searches page (click the Searches tab, select the F10 function key, or select the View | Searches menu command).
2. Expand the Private and Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list box in the right-hand pane.
3. Use one of the following methods to enable an alert:
   • Right-click the search and select the Alert | Enable | WMI command.
   • On the Alert tab, select (check) the WMI check box and then the Alert Enabled check box.
(If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command). 4. In addition, you can use the Alert tab (Search Properties tabs) to specify the following: • By default the alert processing will be assigned a medium priority. Use the Priority setting to change this setting if you need the alert to be processed at a higher or lower priority. • By default the alert will be evaluated every minute to determine if the creitera has been met and an alert is to be triggered. Use the Evaluation Frequency setting to change how often the alert criteria is to be checked. NOTE: If using the Alert tab, be sure to select the Save button to save the alert definition. 5. When an alert is enabled, the icon for the search will change to an alarm clock, the label will change from ‘search’ to ‘alert’ and a green ‘Enabled’ entry will be added to the Enabled column next to the alert on the Searches page. To disable alerting: 1. Open the Searches page (click on the Searches tab, select the F10 function key, or use the View | Searches menu command). 2. Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list box in the right-hand pane. 3. Use one of the following methods to disable an alert: • Right-click the alert and select the Alert | Disable command. A message box will be displayed asking you to confirm that you want to disable the alert. Select Yes. • Open the Alert tab, uncheck the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.) NOTE: If using the Alert tab, select the Save button to apply the change. Searches and Alerts 68 ChangeAuditor 4. When the alert is disabled, the green 'Enabled' entry in the Enabled column will change to a red 'Disabled' entry. 
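The Smart Alert settings described in the SMTP and SNMP alert procedures above (a number of events within a time interval, counted per object by default or across any object when that option is unchecked) and the Evaluation Frequency can be modelled as a small windowed-threshold evaluator. The following is an added example and not ChangeAuditor's own code; the Event record shape, the object names and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One audited event as the evaluator sees it (constructed shape, not the product's schema)."""
    time: datetime
    obj: str   # the object the change was reported for
    who: str   # the account that made the change


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


class SmartAlert:
    """Models the Smart Alert settings on the Alert tab.

    count / interval: the number of events that must occur within the time interval.
    same_object=True (the default on the tab) counts occurrences per object;
    same_object=False counts occurrences on any object.
    """

    def __init__(self, count: int, interval: timedelta, same_object: bool = True) -> None:
        if count < 1 or interval <= timedelta(0):
            raise ValueError("count must be >= 1 and interval must be positive")
        self.count = count
        self.interval = interval
        self.same_object = same_object
        # one sliding window of timestamps per counting key
        self._windows: Dict[str, Deque[datetime]] = defaultdict(deque)

    def key_for(self, ev: Event) -> str:
        return ev.obj if self.same_object else "*"

    def observe(self, ev: Event) -> bool:
        """Feed one event (events must arrive in time order).

        Returns True when this event is the count-th occurrence inside the
        interval, i.e. the point at which the smart alert is triggered."""
        window = self._windows[self.key_for(ev)]
        cutoff = ev.time - self.interval
        while window and window[0] < cutoff:
            window.popleft()        # drop occurrences older than the interval
        window.append(ev.time)
        if len(window) >= self.count:
            window.clear()          # one burst yields one alert; start a fresh run
            return True
        return False


def dispatched_alerts(events: List[Event], count: int, interval: timedelta,
                      same_object: bool = True) -> List[Tuple[datetime, str]]:
    """Run the evaluator over an event list; return (trigger time, counting key) per alert."""
    alert = SmartAlert(count, interval, same_object)
    fired: List[Tuple[datetime, str]] = []
    for ev in sorted(events, key=lambda e: e.time):
        if alert.observe(ev):
            fired.append((ev.time, alert.key_for(ev)))
    return fired


def next_evaluation(t: datetime, frequency: timedelta, origin: datetime) -> datetime:
    """Alerts are only checked at the Evaluation Frequency (every minute by default),
    so a threshold met at t is actually dispatched at the next evaluation tick."""
    ticks = -((origin - t) // frequency)     # ceiling division on timedeltas
    return origin + ticks * frequency


# Constructed sample: three changes to one group inside five minutes, two changes to
# other groups in between, and a straggler well outside the window.
T0 = datetime(2008, 8, 1, 9, 0)
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=com"
SAMPLE_EVENTS = [
    Event(T0 + minutes(0), DOMAIN_ADMINS, "alice"),
    Event(T0 + minutes(1), "CN=Helpdesk,OU=Groups,DC=example,DC=com", "bob"),
    Event(T0 + minutes(2), DOMAIN_ADMINS, "alice"),
    Event(T0 + minutes(3), "CN=Finance,OU=Groups,DC=example,DC=com", "carol"),
    Event(T0 + minutes(4), DOMAIN_ADMINS, "alice"),
    Event(T0 + minutes(12), DOMAIN_ADMINS, "dave"),
]

if __name__ == "__main__":
    per_object = dispatched_alerts(SAMPLE_EVENTS, 3, minutes(5), same_object=True)
    any_object = dispatched_alerts(SAMPLE_EVENTS, 3, minutes(5), same_object=False)
    print("same object  :", per_object)   # fires on the third Domain Admins change at 09:04
    print("any object   :", any_object)   # fires on the third event of any kind at 09:02
    print("dispatched at:", next_evaluation(per_object[0][0], minutes(1), T0))
```

With the same threshold, the any-object setting fires two minutes earlier and never attributes the burst to a particular object, which is the trade-off the Alert tab option expresses.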
To disable alerting transports:

In addition to disabling an alert, you can also disable the alerting transports for an alert-enabled search. You must, however, use the Alert tab to complete this action.

1. Open the Searches page (click on the Searches tab, select the F10 function key, or use the View | Searches menu command).
2. Expand the Private and Shared folders in the explorer view to locate the alert. Select the alert from the Search list box in the right-hand pane.
3. Open the Alert tab and uncheck the WMI, SNMP and/or SMTP check box(es). (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
4. Select the Save button to apply the change.
5. When the alert transports are all disabled (not checked), the 'alert' label will return to 'search' and nothing will be displayed in the Enabled column in the Search list box.

Viewing Alert History

For each enabled alert, two additional context menu commands become available whenever you right-click an alert-enabled search definition on the Searches page: Alert | History and Alert | Delete History.

NOTE: The Alert | History and Alert | Delete History right-click commands are available for any search that has ever had an alert enabled in the current product version, regardless of its current state. They do not become unavailable when an alert is disabled, only after the alert history has been deleted using the Alert | Delete History command.

To view the alerts triggered for a search:

1. On the Searches page, select/highlight an alert-enabled search definition, right-click, expand the Alert command and select the History option.
2. This will open a new Alert History page, which displays details regarding the alerts triggered for the selected search.

To delete alert history:

1. On the Searches page, select/highlight an alert-enabled search, right-click, expand the Alert command and select the Delete History option.
2. Selecting this command will clear the alert history for the selected alert.

Searches Page

The Searches page consists of the following main components:
• Tool Bar
• Explorer View
• Searches List Box
• Search Properties Tabs

Tool Bar

On the Searches page, use the tool bar buttons as described below:

Explorer View
Use the Explorer View button to show the explorer view in the left-hand pane of the Searches page.

Grid View
Use the Grid View button to hide the explorer view and display only the Searches list box on the Searches page.

New | New Search
Use the New button (or expand the New button and select the New Search command) to create a new search definition. Selecting this button will enable the Search Properties tabs across the bottom of the screen, where you can then define the search criteria to be used in the new search.

New | New Folder
Expand the New button and select the New Folder command to create a new folder in the explorer view. Selecting this button will add a new folder under the container selected in the explorer view.

Run
Use the Run button to run the search selected in the Searches list box (right-hand pane) and display the events returned in a new Search Results page.

Print
Use the Print button to send the current search results to the designated printer. When you select this command, the native Print dialog will be displayed, allowing you to specify various print options. This tool bar button is only available when the Grid View is displayed.

Print | Print to File
Expand the Print button and select the Print to File command to save the current search results to an Excel (.xls) or Comma Delimited (.csv) file. When you select this command, the native Save As dialog will be displayed, allowing you to specify the location, file name and type of file to be created. This tool bar button is only available when the Grid View is displayed.
Print | Print Preview
Expand the Print button and select the Print Preview command to display the print layout of the selected page prior to printing it. This tool bar button is only available when the Grid View is displayed.

Print | Page Setup
Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog, allowing you to define the paper, page orientation and margins. This tool bar button is only available when the Grid View is displayed.

Explorer View

The left-hand pane of the Searches page displays a hierarchical view of the folders used to manage your search definitions and the built-in reports provided with ChangeAuditor. This view initially displays the following folders:
• Quick Search Folder - allows you to define a search that is to be executed as soon as the definition is finished. Unlike other custom searches, this search definition will not be saved unless you select the Save As tool bar button on the Search Properties tab.
• Private - is used to store your personal custom searches (i.e., only you can see these searches)
• Shared - is used to store public custom searches (i.e., all ChangeAuditor users can see these searches)
• Built-in Reports - contains all of the predefined reports provided with ChangeAuditor
• Built-in SRS Reports - contains predefined SRS reports provided with ChangeAuditor

Right-clicking a folder in this view displays the following commands:

Copy
Use the Copy command to copy the selected folder to the clipboard.

Cut
Use the Cut command to move the selected folder to the clipboard, removing it from its current location in the explorer view.

Paste
Use the Paste command to paste the contents of the clipboard to the specified location in the explorer view.

Delete
Use the Delete command to remove the selected folder from the explorer view. This command is not available for the top-level containers or any of the Built-in SRS Reports folders.

Move
Use the Move command to move the selected folder to another location in the ChangeAuditor explorer view. Selecting this command will display the Select the Destination Folder dialog, allowing you to select the new location.

New | New Search
Expand the New command and select the New Search command to create a new search definition. Selecting this command will activate the Search Properties tabs across the bottom of the page, allowing you to define the search criteria.

New | New Folder
Expand the New command and select the New Folder command to create a new folder in the explorer view. Selecting this command adds a folder under the container selected in the explorer view.

Rename
Use the Rename command to change the name of the selected folder.

Export
Use the Export command to export the folder structure and XML files for each search in these folders. Selecting this command will display the Browse for Folder dialog, allowing you to specify where to save the selected folder and its contents.

Import Search
Use the Import Search command to import a previously exported search. Selecting this command will display the native Open dialog, allowing you to locate and select the search (XML file) to be imported.

Import Folder
Use the Import Folder command to import a previously exported folder and its contents (searches). Selecting this command will display the Browse for Folder dialog, allowing you to locate and select the folder to be imported.

Create Report(s) Using SQL Reporting Services
Use the Create Report(s) Using SQL Reporting Services command to create managed reports for all searches in the selected folder using SQL Reporting Services. This command will display the Create Report dialog, allowing you to define the parameters and credentials to be used to create and publish ChangeAuditor reports in SQL Reporting Services.
For more information on using SQL Reporting Services to publish reports and the Create Report dialog, please refer to Publishing Reports to SRS on page 252.

Expand All
Use the Expand All command to expand the hierarchical view to display all of the objects in the explorer view.

Collapse All
Use the Collapse All command to collapse the hierarchical view to display only the top-level containers (folders) in the explorer view.

Show Properties
Use the Show Properties command to display the Search Properties tabs for the selected search definition.

Hide Properties
Use the Hide Properties command to hide the Search Properties tabs.

Searches List Box

The right-hand pane of the Searches page displays a list of the search definitions or built-in reports contained in the folder selected in the explorer view. The following information is displayed for each search definition:
• Type - displays the type of entry: Private Search, Shared Search, Private Alert, Shared Alert or Report.
• Enabled - indicates whether an alert has been enabled (N/A for Reports). Valid entries for this field are:
   • Enabled - which means that an alert is enabled and that at least one transport method is enabled.
   • Disabled - which means that the alert is disabled; however, at least one transport method is still enabled.
• Name - displays the name assigned to the search definition.

Double-clicking a search definition will run the selected search and display the results in a new Search Results page.

Right-clicking an entry in this view displays the following commands:

Copy
Use the Copy command to make a copy of the selected search definition in a different folder in the explorer view. Once copied, the search can then be pasted into another folder in the explorer view.

Cut
Use the Cut command to move the selected search definition to a different folder in the explorer view. Once cut, the search can then be pasted (or moved) to another folder in the explorer view.

Paste
Use the Paste command to paste the contents of the clipboard to the specified location in the explorer view.

Delete
Use the Delete command to remove the selected search definition from the Searches list box.

Move
Use the Move command to move the selected search definition to a different folder in the explorer view. Selecting this command will display the Select the Destination Folder dialog, allowing you to select the new location.

New | New Search
Expand the New command and select the New Search command to create a new search definition.

New | New Folder
Expand the New command and select the New Folder command to create a new folder in the explorer view. Selecting the command will add a new folder under the container selected in the explorer view.

Run
Use the Run command to run the selected search and display the events returned in a new Search Results page.

Export
Use the Export command to export the XML representation of the selected search. Selecting this command will display the Browse for Folder dialog, allowing you to specify where to save the selected search.

NOTE: To preview the XML representation of a search, open the XML tab (Action | Show XML tab), which is one of the Search Properties tabs.

Run Local Report
Use the Run Local Report command to create a new Report page which displays an SRS rendering of the events returned as a result of running the selected search or built-in report definition. For more information on generating these local reports, please refer to Generating/Viewing Reports through the ChangeAuditor Client on page 248.

Create Report(s) Using SQL Reporting Services
Use the Create Report(s) Using SQL Reporting Services command to create managed reports for all searches in the selected folder using SQL Reporting Services.
This command will display the Create Report dialog, allowing you to define the parameters and credentials to be used to create and publish ChangeAuditor reports in SQL Reporting Services. For more information on using SQL Reporting Services to publish reports and the Create Report dialog, please refer to Publishing Reports to SRS on page 252.

Alert | Enable
Expand the Alert command and select one of the Enable commands to enable SMTP, SNMP or WMI alerting for the selected search definition.

Alert | Disable
Expand the Alert command and select the Disable command to disable alerting for the selected search definition.

Alert | History
Expand the Alert command and select the History option to display the alert history for the selected search. Selecting this command will open a new Alert History page (similar to the Search Results page) listing the events that triggered the alert.

Alert | Delete History
Expand the Alert command and select the Delete History option to clear the alert history for the selected search.

Set As My Favorite
Use the Set As My Favorite command to display the results of the selected search in the My Favorite Search pane at the top of the Overview page whenever the ChangeAuditor Client is launched.

Show Properties
Use the Show Properties command to display the Search Properties tabs for the selected search definition.

Hide Properties
Use the Hide Properties command to hide the Search Properties tabs.

Search Properties Tabs

Located across the bottom of the page, the Search Properties tabbed pages define the criteria or properties which make up the selected search. The tabbed pages displayed are:
• Info - allows you to enter a name and description for the search
• Who - allows you to define the users, computers and groups to be included (or excluded)
• What - allows you to define "what" is to be included (or excluded)
• Where - allows you to define the site, domain and agents where the search is to be conducted (or not conducted)
• When - allows you to define a date/time range to limit your search
• Why - allows you to search the comments for a specific word or string of characters
• Alert - allows you to enable alerts as well as define how and where to dispatch them

In addition, the following tabs can be displayed using the appropriate Action menu command:
• SQL - displays the SQL script used to create the selected search definition (Action | Show SQL Tab)
• XML - displays the XML representation of the search criteria (Action | Show XML Tab)
• Advanced - allows you to define the data (columns) to be retrieved from the database and the sort order for displaying the retrieved data (Action | Show Advanced Tab)

Use one of the following methods to display/activate these tabs:
• right-click a search definition in the Search list (right-hand pane) and select the Show Properties menu command
• select a search definition from the Search list and select the New | New Search tool bar button or right-click command

Use the controls in the upper right-hand corner of the Search Properties tab pane to pin/unpin or hide this pane:
• Use the Pin Properties button to collapse the tabs and pin them to the bottom of the screen.
• Use the Unpin Properties button to expand/display the pinned tabs.
• Use the Hide Properties button to close the Search Properties tabs.

Info Tab

The Info tab is the first of the Search Properties tabs, which are displayed across the bottom of the Searches page and a Search Results page if the Search Properties tool bar button is selected.
From this tab, you can view or enter the name and description of a search definition. The Info tab contains the following information:

Search Name
This text box displays the name of the selected search. When creating a new search, place your cursor in the Search Name text box and enter a descriptive name for the search.

Search Description
Place your cursor in the Search Description text box and enter a brief description of the search.

Search Limit
The Search Limit field specifies the maximum number of records to be retrieved and displayed by the client. By default, a maximum of 50,000 records will be returned from the database during a single request. Select (check) this check box and use the arrow controls to change the search limit for the selected search.

Refresh Interval
The Refresh Interval field specifies how often the client is to retrieve and redisplay updated information. Select (check) this check box and use the arrow controls to enable and set the refresh interval for the selected search. When this option is checked, an additional field, Next Refresh, will be added to the heading area of the search results grid.

NOTE: This option is not checked by default for new searches, only for the default favorite search (ChangeAuditor Real-Time) used in the Overview page. The default interval for the default favorite search is five minutes.

Use the tool bar buttons across the top of the Info tab as described below:

Save
Use the Save button to save the newly defined search criteria. When saved, the search definition will be listed in the right-hand pane of the Searches page.

Save As
Use the Save As button to save the search definition using a different name and/or location. Selecting this button will display the Save As dialog to specify the folder where the search is to be saved and the name for the new search definition.

Run
Use the Run button to run the search and display the results in a new Search Results page. This button is only available when accessing the search properties from the Searches page.

Preview Changes
Use the Preview Changes button to run the search based on the changes made to the selected search definition and display the results in the current Search Results page. This button is only available when accessing the search properties from a Search Results page and an edit has been made to the search criteria for the selected search.

Who Tab

The Who tab is the second Search Properties tab, which is displayed across the bottom of the Searches page and a Search Results page when the Search Properties tool bar button is selected.

NOTE: You can add a Group to a search to find all events made by the members of that group. ChangeAuditor must expand and store the membership of the group before all expected events are returned when the search is run. When the search is saved, ChangeAuditor will expand the Group if it has not already been expanded. This may take several minutes, depending on your environment. Please refer to Group Membership Expansion Pane on page 237 for the options available regarding group expansion.

NOTE: Activity performed by any accounts specified in an Excluded Accounts template will not be captured for the agent(s) to which this template is assigned. Thus, ChangeAuditor will not return any audited events for these excluded accounts even if you specify them in your Who search criteria. For more information on excluding accounts, please refer to Chapter 11: Account Exclusion on page 207.

Use the Who tab to view or define the users, computers and/or groups to be included in (or excluded from) the search definition.

Runtime Prompt
Select (check) this check box to prompt for the who criteria when this search is run.
That is, when the Run tool bar button is selected, the Select One or More Directory Objects dialog will be displayed, allowing you to locate and select the user(s), computer(s) or group(s) to be audited.

NOTE: When this check box is checked, the Add tool bar button will be deactivated.

Exclude the Following Selection(s)
Select (check) this check box to specify the user(s), computer(s) or group(s) to be excluded from the search. That is, ChangeAuditor is to search for change events generated by all users, groups and computers except those listed.

Who List Box
The Who list box will contain the individual user(s), computer(s) and/or group(s) to be included in the search (or excluded from the search if the Exclude the Following Selection(s) option is checked). By default, all users, computers and groups will be included in a new search definition; therefore, this list box will be empty.

Use the tool bar buttons across the top of the Who tab as described below:

Save
Use the Save button to save the newly defined search criteria. When saved, the search definition will be listed in the right-hand pane of the Searches page.

Save As
Use the Save As button to save the search definition using a different name and/or location. Selecting this button will display the Save As dialog to specify the folder where the search is to be saved and the name for the new search definition.

Run
Use the Run button to run the search and display the results in a new Search Results page. This button is only available when accessing the search properties from the Searches page.

Preview Changes
Use the Preview Changes button to run the search based on the changes made to the selected search definition and display the results in the current Search Results page. This button is only available when accessing the search properties from a Search Results page and an edit has been made to the search criteria for the selected search.

Add
Use the Add button to add an active user, computer or group to the 'who' list. Selecting this button will display the Select One or More Directory Objects dialog, where you can specify individual users, computers or groups to be included in the search (or excluded if the Exclude the Following Selection(s) option is checked). From this dialog, select/highlight the user, computer or group to be added and select the Add button to add it to your selection list. After selecting one or more directory objects, use the Select button to save your selection and close the dialog.

Add With Events
Use the Add With Events button to add a user, computer or group associated with an event in the database. Selecting this button will display the Add Users, Computers and Groups dialog, which contains a list of the users, computers and groups that have an audited event in the repository database. On this dialog, select/highlight the entry to be added and use the Add button to add it to your selection list.

NOTE: You can use this feature to search for existing events that are tied to users who have been removed from Active Directory.

Delete
Use the Delete button to remove the selected user, computer or group from the search definition. From the Who list box, select/highlight the entry to be removed and select the Delete button. This button is enabled when there are entries in the Who list box.

What Tab

The What tab is the third Search Properties tab, which is displayed across the bottom of the Searches page and a Search Results page when the Search Properties tool bar button is selected.

Use the What tab to define 'what' entities are to be included (or excluded) in the search. More specifically, using this tab you can create a search for events based on:
• Subsystem
• Event Class
• Object Class
• Severity

What List Box
By default, all entities will be included in a new search definition and therefore this list box will be empty.
Once criteria are selected, the list box will display the following information for all of the 'what' criteria defined for the search definition:

Entity
This column lists the entity (subsystem, event class, object class or severity) selected. Expanding the Entity entry will display the specific criteria selected and any options, restrictions, etc. defined as part of the search criteria.

Exclude
This column indicates whether the criteria are to be included in (False) or excluded from (True) the search definition.

Action(s)
This column lists the action(s) specified in the search criteria.

Use the tool bar buttons across the top of the tab as described below:

Save
Use the Save button to save the newly defined search criteria. When saved, the search definition will be listed in the right-hand pane of the Searches page.

Save As
Use the Save As button to save the search definition using a different name and/or location. Selecting this button will display the Save As dialog to specify the folder where the search is to be saved and the name for the new search definition.

Run
Use the Run button to perform the search and display the results in a new Search Results page. This button is only available when accessing the search properties from the Searches page.

Preview Changes
Use the Preview Changes button to run the search based on the changes made to the selected search definition and display the results in the current Search Results page. This button is only available when accessing the search properties from a Search Results page and an edit has been made to the search criteria for the selected search.

Add
Use the Add button to specify the entity (subsystem, event class, object class or severity) to be included in the search definition. By default, the Add Facilities or Event Classes dialog will be displayed when you select the Add button. You can also use the drop-down arrow to the right of this button to display a drop-down menu to select a different entity.

Subsystem | Active Directory
Expand the Subsystem command and select the Active Directory option to search for changes to Active Directory objects in selected containers. Selecting this option will display the Add Active Directory Container dialog to select the container(s), scope and action(s) to be included in the search definition.

Subsystem | Exchange
Expand the Subsystem command and select the Exchange option to capture events in selected Exchange containers. Selecting this option will display the Add Exchange Containers dialog to select the container(s), scope and action(s) to be included in the search definition.

NOTE: Exchange auditing is only available if you have licensed the ChangeAuditor for Exchange add-on module.

Subsystem | ChangeAuditor Event
Expand the Subsystem command and select the ChangeAuditor Event option to search for specific ChangeAuditor events. Selecting this option will display the Add ChangeAuditor Events dialog to select the ChangeAuditor events to be included in the search definition.

Subsystem | Computer Event
Expand the Subsystem command and select the Computer Event option to search for specific computer events. Selecting this option will display the Add Computer Events dialog to select the Computer events to be included in the search definition.

Subsystem | File System
Expand the Subsystem command and select the File System option to search for specific File System events. Selecting this option will display the Add File System Path dialog to define the file system path to be included in the search definition.

NOTE: File System auditing is only available if you have licensed the ChangeAuditor for File System add-on module and you have applied custom File System Auditing templates that define the files/folders to be audited.
Subsystem | Group Policy
Expand the Subsystem command and select the Group Policy option to search for changes to specific group policy objects. Selecting this option will display the Add Group Policy Container dialog to locate and select one or more group policy objects to be included in the search definition.

Subsystem | Local Account
Expand the Subsystem command and select the Local Account option to search for changes to users or groups that reside in the local SAM databases of a member server. Selecting this option will display the Add Local Account dialog to locate and select the local account(s) to be included in the search definition.

Subsystem | Registry
Expand the Subsystem command and select the Registry option to search for changes to specific System Registry keys. Selecting this option will display the Add Registry Key dialog to locate and select the registry key(s) to be included in the search definition.

NOTE: Registry auditing is only available when you have applied custom Registry Auditing templates that define the registry changes to be audited.

Subsystem | Service
Expand the Subsystem command and select the Service option to search for changes to specific services. Selecting this option will display the Select a Directory Object dialog to first select a computer and then the Add Services dialog to select the service(s) to be included in the search definition.

Subsystem | SQL
Expand the Subsystem command and select the SQL option to search for changes to specific SQL instances. Selecting this option will display the Add SQL Instance dialog to locate and select the SQL instance(s) to be included in the search definition.

NOTE: SQL auditing is only available if you have licensed the ChangeAuditor for SQL add-on module and you have applied custom SQL Server Auditing templates to define the SQL instances to be audited.

Event Class
Use the Event Class option to search for events based on the Event Class or Facility they belong to. That is, you want to search for an individual event class or all of the associated event classes included in a selected facility. Selecting this option will display the Add Facilities or Event Classes dialog to select one or more event classes or facilities to be included in the search definition.

NOTE: This is the default dialog displayed when the Add button is selected.

Object Class
Use the Object Class option to search for changes to specific object classes (a.k.a. classSchema objects). Selecting this option will display the Add Object Classes dialog to select one or more object classes to be included in the search definition.

Severity
Use the Severity option to search for events based on the severity (high, medium or low) assigned. Selecting this option will display the Add Severities dialog to select one or more severity levels to be included in the search definition.

Add With Events
Use the Add With Events button options to search for an entity that already has an audited event in the repository database. By default, the Add Facilities or Event Classes dialog will be displayed when you select the Add With Events button. However, selecting the drop-down arrow to the right of this button will display a drop-down menu allowing you to select a different entity.

Subsystem | Active Directory
Expand the Subsystem command and select the Active Directory option to search for change events in Active Directory containers that already have an audited event associated with them in the repository database. Selecting this option will display the Add Active Directory Containers dialog to select the container(s) to be included in the search definition.
Subsystem | Exchange

Expand the Subsystem command and select the Exchange option to search for change events in Exchange containers that already have an audited event associated with them in the repository database. Selecting this option will display the Add Exchange Containers dialog to select the container(s) to be included in the search definition.

NOTE: Exchange auditing is only available if you have licensed the ChangeAuditor for Exchange add-on module.

Subsystem | ChangeAuditor Event

Expand the Subsystem command and select the ChangeAuditor Event option to search for ChangeAuditor events that already have an audited event in the repository database. Selecting this option will display the Add ChangeAuditor Events dialog to select the ChangeAuditor events to be included in the search definition.

Subsystem | Computer Event

Expand the Subsystem command and select the Computer Event option to search for computer events that already have an audited event in the repository database. Selecting this option will display the Add Computer Events dialog to select the Computer events to be included in the search definition.

Subsystem | File System

Expand the Subsystem command and select the File System option to search File System paths that already have an audited event in the repository database. Selecting this option will display the Add File System Path dialog to define the file system path to be used.

NOTE: File System auditing is only available if you have licensed the ChangeAuditor for File System add-on module and you have applied custom File System Auditing templates that define the files/folders to be audited.

Subsystem | Group Policy

Expand the Subsystem command and select the Group Policy option to search for change events in Group Policy containers that already have an audited event associated with them in the repository database.
Selecting this option will display the Add Group Policy Containers dialog to select one or more group policy containers to be included in the search definition.

Subsystem | Local Account

Expand the Subsystem command and select the Local Account option to search for change events to local user or group accounts that already have an audited event in the repository database. Selecting this option will display the Add Local Account dialog to select the local account(s) to be included in the search definition.

Subsystem | Registry

Expand the Subsystem command and select the Registry option to search for change events in System Registry keys that already have an audited event in the repository database. Selecting this option will display the Add Registry Key dialog to select the registry key(s) to be included in the search definition.

NOTE: Registry auditing is only available when you have applied custom Registry Auditing templates that define the registry changes to be audited.

Subsystem | Service

Expand the Subsystem command and select the Service option to search for change events to services that already have an audited event in the repository database. Selecting this option will display the Add Services dialog to select the service(s) to be included in the search definition.

Subsystem | SQL

Expand the Subsystem command and select the SQL option to search for change events to SQL instances that already have an audited event in the repository database. Selecting this option will display the Add SQL Instance dialog to select the SQL instance(s) to be included in the search definition.

NOTE: SQL auditing is only available if you have licensed the ChangeAuditor for SQL add-on module and you have applied custom SQL Server Auditing templates to define the SQL instances to be audited.

Event Class

Use the Event Class option to search on event classes or facilities that already have an audited event in the repository database.
Selecting this option will display the Add Facilities or Event Classes dialog to select one or more event classes or facilities to be included in the search definition.

NOTE: This is the default dialog displayed when the Add With Events button is selected.

Object Class

Use the Object Class option to search for change events to object classes that already have an audited event in the repository database. Selecting this option will display the Add Object Classes dialog to select one or more object classes to be included in the search definition.

Severity

Use the Severity option to search for events based on severity levels that already have an audited event in the repository database. Selecting this option will display the Add Severities dialog to select one or more severity levels.

Delete Criteria

Use the Delete Criteria button to remove the selected entry from the search definition. Select/highlight the entry to be removed, select the Delete Criteria button and, when prompted, confirm that you want to delete the selected entry.

Edit Event Class

The Edit Event Class button is displayed when an entry in the list box is selected. Use the Edit button to launch the appropriate dialog to modify the 'what' criteria defined.

Where Tab

The Where tab is the fourth Search properties tab, which is displayed across the bottom of the Searches page and a Search Results page when the Search Properties tool bar button is selected. Use the Where tab to specify which NetPro Compliance Agents are to be included (or excluded) in the search definition. You can select individual NetPro Compliance Agents, all agents in a specific domain or in a given site.

Runtime Prompt

Select (check) the Runtime Prompt check box to prompt for the 'where' criteria when the search is run.
That is, when the Run tool bar button is selected, the Select one or more Directory Objects dialog will be displayed allowing you to locate and select the agent(s), domain(s) or site(s) to be included in the search definition.

Exclude the Following Selection(s)

Select (check) this check box to specify the agent(s), domain(s) or site(s) to be excluded from the search. That is, ChangeAuditor is to return events generated from all NetPro Compliance Agents except those listed in the Where list box.

Where List Box

By default, all agents will be included in a new search; therefore, this list box will be empty. Once criteria are selected, the Where list box will contain the agent(s), domain(s), and site(s) to be included in the search definition (or excluded if the Exclude the Following Selection(s) option is checked).

Use the tool bar buttons across the top of this tab as described below:

Save

Use the Save button to save the newly defined search criteria. When saved, the search definition will be listed in the right-hand pane of the Searches page.

Save As

Use the Save As button to save the search definition using a different name and/or location. Selecting this button will display the Save As dialog to specify the folder where the search is to be saved and the name for the new search definition.

Run

Use the Run button to run the search and display the results in a new Search Results page. This button is only available when accessing the search properties from the Searches page.

Preview Changes

Use the Preview Changes button to run the search based on the changes made to the selected search definition and display the results in the current Search Results page. This button is only available when accessing the search properties from a Search Results page and an edit has been made to the search criteria for the selected search.

Add

Use the Add button to add an agent, domain or site to this search definition.
This will display the Select One or More Directory Objects dialog which provides a list of the available sites, domains and agents that can be included. From this dialog, select the site, domain or individual agent to be included and select the Add button. Once you have completed your selections, use the Select button to save your selections and close the dialog. The selected agent/domain/site will then appear in the Where list box.

Add With Events

Use the Add With Events button to add an agent, domain or site which has an audited event in the database. Selecting this button will display the Add Agents, Domains, Sites dialog which contains a list of the agents, domains and sites that have an audited event in the repository database. On this dialog, select/highlight the agent, domain or site to be included and select the Add button. Once you have completed your selections, use the OK button to save your selections and close the dialog. The selected agent/domain/site will then appear in the Where list box.

Delete

To remove an agent, domain or site from the search definition, select/highlight the agent/domain/site to be removed and select the Delete button.

When Tab

The When tab is the fifth Search properties tab, which is displayed across the bottom of the Searches page and a Search Results page when the Search Properties tool bar button is selected. Use the When tab to define a date and/or time range to limit your search to include only those events that occur during the selected range(s).

Runtime Prompt

Select/check this Runtime Prompt check box to prompt for the date and/or time interval each time this search is run. That is, when the Run tool bar button is selected, the When dialog will be displayed allowing you to specify the date/time range to be used in your search.

NOTE: When this check box is checked, the Date/Time Interval settings will not be available on this dialog.
Date Interval

Check one of these options to activate the following controls to specify a date range to limit your search:

• From - select/enter the starting date for your date range. That is, only events that occurred on or after this date will be included in the search.
• To - select/enter the ending date for your date range. That is, only events that occurred before or on this date will be included in the search.
• Last - select the appropriate relative date and value (i.e., number of minutes, hours, days, weeks, months, quarters, or years). (Last 7 days is selected by default for new searches.)

NOTE: Relative dates are calculated based on the actual date and time when the search is started.

Time Interval

Use the Time Interval controls to specify a time range to further limit your search:

• From - select/enter the starting time for your time range. That is, only events that occurred at or after this time will be included in the search.
• To - select/enter the ending time for your time range. That is, only events that occurred before or at this time will be included in the search.

Use the tool bar buttons across the top of the tab as described below:

Save

Use the Save button to save the newly defined search criteria. When saved, the search definition will be listed in the right-hand pane of the Searches page.

Save As

Use the Save As button to save the search definition using a different name and/or location. Selecting this button will display the Save As dialog to specify the folder where the search is to be saved and the name for the new search definition.

Run

Use the Run button to run the search and display the results in a new Search Results page. This button is only available when accessing the search properties from the Searches page.

Preview Changes

Use the Preview Changes button to run the search based on the changes made to the selected search definition and display the results in the current Search Results page.
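The following Python is an added illustration of how the Date Interval and Time Interval settings above combine; it is example code written for this description, not ChangeAuditor's own implementation. A "Last" window is measured from the moment the search starts, From/To dates are inclusive, and the time-of-day interval is applied on every day inside the date range. The guide does not say how month-based units (months, quarters, years) are stepped back on the calendar; the clamping of the day of month, the event layout and the sample timestamps are all assumptions made for this example.

```python
import calendar
from datetime import date, datetime, time, timedelta

# Constructed sample events; "detected" is the time the change was detected.
SAMPLE_EVENTS = [
    {"id": 1, "detected": datetime(2008, 8, 1, 9, 30)},
    {"id": 2, "detected": datetime(2008, 8, 5, 23, 15)},
    {"id": 3, "detected": datetime(2008, 8, 10, 8, 0)},
    {"id": 4, "detected": datetime(2008, 8, 10, 18, 0)},
    {"id": 5, "detected": datetime(2008, 7, 20, 12, 0)},
]

# Constructed "search started" time from which relative dates are computed.
SEARCH_STARTED = datetime(2008, 8, 11, 12, 0)


def relative_start(now, value, unit):
    """Start of a 'Last <value> <unit>' window, measured from the time the search starts."""
    if unit in ("minutes", "hours", "days", "weeks"):
        return now - timedelta(**{unit: value})
    months_back = {"months": 1, "quarters": 3, "years": 12}[unit] * value
    # Calendar months are not a fixed length (assumption: step back whole months
    # and clamp the day to the target month's length, e.g. 31 Mar -> 29 Feb).
    total = now.year * 12 + (now.month - 1) - months_back
    year, month_index = divmod(total, 12)
    month = month_index + 1
    day = min(now.day, calendar.monthrange(year, month)[1])
    return now.replace(year=year, month=month, day=day)


def in_when_range(detected, now, date_from=None, date_to=None, last=None,
                  time_from=None, time_to=None):
    """True when 'detected' satisfies the When criteria. 'last' is a (value, unit)
    pair and takes the place of date_from/date_to, as on the tab; all bounds are inclusive."""
    if last is not None:
        if not relative_start(now, *last) <= detected <= now:
            return False
    else:
        if date_from is not None and detected.date() < date_from:
            return False
        if date_to is not None and detected.date() > date_to:
            return False
    # The time-of-day interval narrows the result on every day in the date range.
    if time_from is not None and detected.time() < time_from:
        return False
    if time_to is not None and detected.time() > time_to:
        return False
    return True


def run_when_filter(events, now, **criteria):
    """Return the ids of the events that fall inside the When criteria."""
    return [e["id"] for e in events if in_when_range(e["detected"], now, **criteria)]


if __name__ == "__main__":
    # Default for a new search: Last 7 days, no time-of-day restriction.
    print(run_when_filter(SAMPLE_EVENTS, SEARCH_STARTED, last=(7, "days")))
    # Explicit date range, business hours only.
    print(run_when_filter(SAMPLE_EVENTS, SEARCH_STARTED,
                          date_from=date(2008, 8, 1), date_to=date(2008, 8, 10),
                          time_from=time(8, 0), time_to=time(17, 0)))
```

Because the relative window is anchored to the search start time, the same saved search returns different events on different days; a search with the Runtime Prompt option prompts for these values instead of using the saved ones.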
This button is only available when accessing the search properties from a Search Results page and an edit has been made to the search criteria for the selected search.

Why Tab

The Why tab is the sixth Search properties tab, which is displayed across the bottom of the Searches page and a Search Results page when the Search Properties tool bar button is selected. The Why tab allows you to search previously added comments for a specific word or string of characters.

Runtime Prompt

Select (check) the Runtime Prompt option to prompt for the 'why' criteria when the search is run. That is, when the Run tool bar button is selected, the Why dialog will be displayed allowing you to enter the word or string of characters to be used in your search.

NOTE: When this check box is checked, the Search for comments field will not be available on this dialog.

Search for comments

Enter the comments (word or string of characters) to be included in the search criteria.

Use the tool bar buttons on this tab as described below:

Save

Use the Save button to save the newly defined search criteria. When saved, the search definition will be listed in the right-hand pane of the Searches page.

Save As

Use the Save As button to save the search definition using a different name and/or location. Selecting this button will display the Save As dialog to specify the folder where the search is to be saved and the name for the new search definition.

Run

Use the Run button to run the search and display the results in a new Search Results page. This button is only available when accessing the search properties from the Searches page.

Preview Changes

Use the Preview Changes button to run the search based on the changes made to the selected search definition and display the results in the current Search Results page.
This button is only available when accessing the search properties from a Search Results page and an edit has been made to the search criteria for the selected search.

Alert Tab

The Alert tab is the seventh Search properties tab, which is displayed across the bottom of the Searches page and a Search Results page when the Search Properties tool bar button is selected. Use the Alert tab to enable an alert for the search definition and define how and where to dispatch the alert, via SMTP (email), SNMP or WMI.

Alert Enabled

Select (check) the Alert Enabled check box to enable an alert for the current search definition. This option will become available only after one of the transport methods is selected (checked) in the Send Alert To section of this tab.

Send Alert To:

Select (check) all of the transport options that are to be applied to this search definition:

SNMP

Select this option to dispatch ChangeAuditor alerts for this search definition via SNMP traps.

WMI

Select this option to dispatch ChangeAuditor alerts for this search definition via WMI (Windows Management Instrumentation) events.

SMTP

Select this option to dispatch alerts for this search definition via email. Selecting this option will display the Alert Custom Email dialog allowing you to specify the email address of the person(s) who are to receive the email notification.

Configure Email

Select this button to display the Alert Custom Email dialog to change the details about the alert email to be sent, including the To address, the Reply To address, and the Subject Line. In addition, from the Alert Custom Email dialog you can access the Alert Body Configuration dialog to configure the body of the email alert.

NOTE: If SMTP is not configured, a message box will display stating that the repository email configuration has not been configured. Open the Administration Tasks tab and use the Repository Configuration page to configure SMTP.
Batch Size

By default, a maximum of 100 events will be included in a single alert email. Use the arrow controls to increase or decrease this value to define the maximum number of events to be included in an email. This setting is only available for SMTP alerting.

Priority

Select the priority to be assigned to alert processing. Use the drop-down menu to select one of the following priorities:

• High
• Medium (default)
• Low

Evaluation Frequency

By default this alert will be evaluated to see if it meets the specified criteria every minute. Use the arrow controls to modify this setting if you want to delay the evaluation of alerts.

Smart Alert Enabled

Select this check box to specify under what conditions an alert is to be sent. This feature is only available for SMTP and SNMP notifications.

Send alert when <nn> Events occur within <nn> <interval>

Select (check) this option to specify the number of events that must occur within a specified time interval before generating/dispatching the alert. Where <interval> is one of the following: minutes, hours or days.

On A Single Object

This check box is selected by default and specifies that the event must occur for the same object the specified number of times before the alert will be triggered. When this check box is not checked, the event can occur on any object the specified number of times to trigger the alert.

Use the tool bar buttons across the top of the Alert tab as described below:

Save

Use the Save button to save the newly defined search criteria. When saved, the search definition will be listed in the right-hand pane of the Searches page. When an alert is enabled, the icon for the search will change to an alarm clock and a green check mark symbol will be added to the Enabled column next to the alert on the Searches page.

Save As

Use the Save As button to save the search definition using a different name and/or location.
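The Smart Alert settings above describe a threshold over a time window: <nn> matching events within <nn> minutes, hours or days, counted either per object (On A Single Object checked) or across all objects. The Python below is an added example of that evaluation written for this description; it is not ChangeAuditor's own alert engine. It assumes that matching events arrive in time order and that the window for an object is reset once an alert fires, so one burst of changes produces one alert rather than one per extra event; the guide does not state either point. The event layout and sample data are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SmartAlert:
    """Sliding-window evaluator for 'Send alert when <nn> events occur within <nn> <interval>'.

    Assumptions (not stated in the guide): events are observed in time order, and the
    window for an object is cleared when the alert fires so a burst yields one alert."""

    def __init__(self, threshold, interval_value, interval_unit, on_single_object=True):
        if interval_unit not in ("minutes", "hours", "days"):
            raise ValueError("interval must be minutes, hours or days")
        self.threshold = threshold
        self.window = timedelta(**{interval_unit: interval_value})
        self.on_single_object = on_single_object
        # object key -> timestamps of matching events still inside the window
        self._recent = defaultdict(deque)

    def observe(self, event):
        """Record one event that matched the search; return True when the alert should fire."""
        # With On A Single Object off, every object shares one pooled counter ("*").
        key = event["object"] if self.on_single_object else "*"
        times = self._recent[key]
        times.append(event["time"])
        cutoff = event["time"] - self.window
        while times and times[0] < cutoff:
            times.popleft()  # drop events that have aged out of the interval
        if len(times) >= self.threshold:
            times.clear()
            return True
        return False


def evaluate(events, alert):
    """Return the indexes of the events at which the alert fires."""
    return [i for i, e in enumerate(events) if alert.observe(e)]


def _t(hour, minute):
    return datetime(2008, 8, 11, hour, minute)


# Constructed sample: repeated changes to two user objects (DNs are placeholders).
SAMPLE_EVENTS = [
    {"object": "CN=Alice,OU=Staff,DC=example,DC=com", "time": _t(10, 0)},
    {"object": "CN=Bob,OU=Staff,DC=example,DC=com", "time": _t(10, 1)},
    {"object": "CN=Alice,OU=Staff,DC=example,DC=com", "time": _t(10, 2)},
    {"object": "CN=Alice,OU=Staff,DC=example,DC=com", "time": _t(10, 3)},
    {"object": "CN=Alice,OU=Staff,DC=example,DC=com", "time": _t(10, 30)},
]


if __name__ == "__main__":
    # 3 events within 5 minutes, On A Single Object checked: fires on Alice's third change.
    print(evaluate(SAMPLE_EVENTS, SmartAlert(3, 5, "minutes", on_single_object=True)))
    # Same threshold across any object: Bob's change counts, so it fires one event earlier.
    print(evaluate(SAMPLE_EVENTS, SmartAlert(3, 5, "minutes", on_single_object=False)))
```

The per-object form is the one to prefer when the search is meant to catch repeated changes to one account or group; the pooled form fires on overall volume and will trigger on unrelated changes spread across many objects.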
Selecting this button will display the Save As dialog to specify the folder where the search is to be saved and the name for the new search definition.

Run

Use the Run button to run the search and display the results in a new Search Results page. This button is only available when accessing the search properties from the Searches page.

Preview Changes

Use the Preview Changes button to run the search based on the changes made to the selected search definition and display the results in the current Search Results page. This button is only available when accessing the search properties from a Search Results page and an edit has been made to the search criteria for the selected search.

SQL Tab

The SQL tab is one of the Search Properties tabs, which is displayed across the bottom of the Searches page or a Search Results page when the Search Properties tool bar button is selected. This tab displays the SQL query built to run the selected search. This information is only available once a search has been created.

NOTE: The SQL tab is hidden by default. To display the SQL tab, use the Action | Show SQL Tab menu command.

XML Tab

The XML tab is one of the Search Properties tabs, which is displayed across the bottom of the Searches page and a Search Results page when the Search Properties tool bar button is selected. This tab displays the XML representation of the search criteria. This same information can be exported by right-clicking a search in the Searches list box on the Searches page and selecting the Export command.

NOTE: The XML tab is hidden by default. To display the XML tab, use the Action | Show XML Tab menu command.

Advanced Tab

The Advanced tab is displayed along with the Search Properties tabs when the Action | Show Advanced Tab menu command is selected. The controls on this tab allow you to define the data (columns) to be retrieved from the database and displayed in the client for the selected search.
From this tab you can also define column order, sort order and grouping for displaying the retrieved data. The settings on this tab are also used when publishing reports through SQL Server Reporting Services (SRS), using the dynamically generated report template (default) option.

The Advanced tab contains the following information:

Retrieve Data table

The left-most table allows you to select the event details that are to be retrieved from the database for display in the client.

Columns

This column displays the event details that can be retrieved from the database.

Select

This column indicates whether the event details are being retrieved from the database. To include/exclude event details, place your cursor in the corresponding cell in the Select column and use the arrow control to select Yes to include or No to exclude the data. When a column is selected (Yes in the Select column) it will be added to the Display Data table where you can then specify the order, sort direction and grouping for the new data.

The following is an alphabetical list of the event details that can be retrieved from the database and displayed in the client:

• Action
• Attribute Name
• Comment
• Day Detected
• DC
• Description
• Domain
• Event
• Facility
• File Name
• FileSystem Attribute
• FileSystem Type
• Folder Path
• From
• Link
• Month Detected
• Object Canonical
• Object Class
• Object Name
• Object OU
• Policy Canonical
• Policy Item
• Policy Name
• Policy OU
• Policy Section
• Principal name
• Principal Type
• Quarter Detected
• Registry Key
• Registry Value
• Server
• Service DisplayName
• Service Name
• Severity
• Share Name
• Site
• Subsystem
• Time Detected
• Time of Day
• Time Received
• To
• User
• User Account
• User Domain
• User SID
• Week Detected
• Year Detected

Use the buttons to the right of this table as described below:

Move Up

Use the Move Up button to rearrange the columns, moving the selected column up in the list.
Move Down

Use the Move Down button to rearrange the columns, moving the selected column down in the list.

Defaults

Use the Defaults button to reset the column arrangement to the factory default.

Display Data table

The right-most table displays the event details to be displayed in the Search Results page (and My Favorite Search grid on the Overview page) for the current search. It also specifies the sort order and data groupings for the event details being displayed.

Order By

This column lists the event details selected for display in the ChangeAuditor Client and the order in which they will appear.

Direction

This column specifies the sort order for each of the columns: ascending (ASC), descending (DESC) or none. To change the sort order, place your cursor in the corresponding cell in the Direction column and select ASC, DESC or none.

NOTE: When you use the Group By option for a column, ASC will automatically be specified in the Direction column. However, this can be changed to DESC as explained above. Changing this to None, however, will remove the grouping.

Group By

This column indicates whether the displayed information is to be grouped. (Similar to selecting a column heading in the search results grid and dragging it to the space above the table to group the displayed information.) To group/ungroup data, place your cursor in the corresponding cell in the Group By column and select Yes to group the data or No to remove a grouping.

Use the buttons to the right of this table as described below:

Move Up

Use the Move Up button to rearrange the columns, moving the selected column up in the list and to the left in the client display.

Move Down

Use the Move Down button to rearrange the columns, moving the selected column down in the list and to the right in the client display.

Defaults

Use the Defaults button to reset the column arrangement to the factory default.
Use the tool bar buttons across the top of the Advanced tab as described below:

Save

Use the Save button to save the newly defined search criteria. When saved, the search definition will be listed in the right-hand pane of the Searches page. (Use the Refresh button to view the new column arrangement in the client.)

Save As

Use the Save As button to save the search definition using a different name and/or location. Selecting this button will display the Save As dialog to specify the folder where the search is to be saved and the name for the new search definition.

Run

Use the Run button to run the search and display the results in a new Search Results page. This button is only available when accessing the search properties from the Searches page.

Preview Changes

Use the Preview Changes button to run the search based on the changes made to the selected search definition and display the results in the current Search Results page. This button is only available when accessing the search properties from a Search Results page and an edit has been made to the search criteria for the selected search.

Search Properties - Who Tab Dialogs

Depending on the Add tool bar button (Add or Add With Events) selected on the Who search properties tab, one of two dialogs will be displayed from which you can select the user(s), computer(s) and/or group(s) to be included in the selected search criteria.

Select One or More Directory Objects Dialog

The Select One or More Directory Objects dialog is displayed when the Add tool bar button is selected on the Who search properties tab. From this dialog, use either the Browse or Search page to search your environment to locate and select the user(s), computer(s) or group(s) to be included in the search. Use the Options page to view or modify the search options or global catalog to be used to retrieve directory objects.
See Using the Object Picker on page 38 for a description of the Browse, Search and Options pages. Note that the Find field on this dialog will display User, Computer, Group and cannot be changed.

Add Users, Computers and Groups Dialog

The Add Users, Computers or Groups dialog is displayed when you select the Add With Events tool bar button on the Who search properties tab. This dialog contains a list of all the users, computers and groups that have an audited event associated with them in the repository database. To select an item from this list, select/highlight one or more items from the list box located at the top of the dialog and use the Add button to add the item(s) to the selection list box, located at the bottom of the dialog. Once you have selected all of the items to be included in your search, use the OK button to save your selections and close the dialog.

The following information is displayed for each item in the dialog:

Name

This column displays the name of the item that has an audited event associated with it in the repository database.

Display Name

This column lists the display name of the item (if the displayName attribute is set for the object).

Type

This column displays the type of item: User, Computer or Group.

Audit Events

This column displays the number of audited events associated with each item listed.

Use the buttons on this dialog as described below:

Add

Use the Add button to add an item to the selection list box. Select/highlight one or more items from the list box located at the top of the dialog and use the Add button to add the item(s) to the selection list box, located at the bottom of the dialog.

Remove

Use the Remove button to remove a previously selected item. Select/highlight the item to be removed from the selection list box and use the Remove button.
Search Properties - What Tab Dialogs

Depending on the Add tool bar option (Add or Add With Events) selected on the What search properties tab, an additional dialog will be displayed from which you can select the 'what' to be included in the selected search criteria.

Add Facilities or Event Classes Dialog

The Add Facilities or Event Classes dialog is displayed when the Add or Add With Events tool bar button (or Add | Event Class or Add With Events | Event Class option) is selected on the What search properties tab. This dialog allows you to search for individual event class(es) or all events associated with a facility. From this dialog, select/highlight an event and use one of the Add options to add the event class or facility to the list box located across the bottom of the dialog. Once you have made your selection(s), use the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Data Grid

The data grid across the top of this dialog displays the following information:

Facility

This column lists the facility associated with each ChangeAuditor event.

Event Class

This column displays the event class for each ChangeAuditor event.

Audit Events

This column displays the number of audited events already in the ChangeAuditor database for each event class listed. This column is only displayed when this dialog is accessed using the Add With Events option.

Restriction

When applicable, depending on the event class entry selected, an additional Restriction pane will be displayed allowing you to specify 'from' and/or 'to' value restrictions. Select (check) the appropriate check box(es) and enter the value(s) to define restrictions.
Some examples of restrictions are:

• Where the previous value changed from
• Where the value changed to
• Where the previous value contains the following text
• Where the new value contains the following text
• Where the previous value changed from a number that was <Less Than | Greater Than | Equal To | Not Equal To> nn
• Where the new value changed to a number that is <Less Than | Greater Than | Equal To | Not Equal To> nn

Add | Add This Event Class

Click the Add button and select the Add This Event Class option to add the selected event class to the Facility/Event Class list box.

Add | Add All Events in Facility

Click the Add button and select the Add All Events in Facility option to include all the event classes in the selected facility.

Remove

Use the Remove button to remove the selected item from the Facility/Event Class list box.

Modify Restriction

Use the Modify Restriction button to make changes to the restrictions associated with the selected item. This button is only available when an entry with a defined restriction is selected in the selection list box.

Facility/Event Class List Box

This list box displays the facility/event class(es) to be included in the search (or excluded from the search if the Exclude the Above Selection(s) option is checked).

Use the check boxes at the bottom of the dialog as described below:

Exclude the Above Selection(s)

Select (check) this check box to exclude the items listed in the selection list box. When this check box is checked, ChangeAuditor will search for all event class(es) and/or facilities except for those listed.

Runtime Prompt

Select (check) the Runtime Prompt option to prompt for the facility or event class criteria whenever the search is run. That is, when the Run tool bar button is selected, the Add Facilities or Event Classes dialog will be displayed allowing you to select the facility or event class to be included in the search.
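As an added example of how the Facility/Event Class list box and its from/to restrictions select events (this is illustrative Python written for this description, not ChangeAuditor's query logic), the code below evaluates a list of entries, each either a whole facility or a single event class with an optional restriction, and honours the Exclude the Above Selection(s) check box by inverting the match. The restriction key names (from_equals, to_contains, to_number and so on), the event layout, and the facility and event class names in the sample data are constructed for the example and are not taken from the product's event catalog.

```python
import operator

# Numeric comparisons offered by the Restriction pane.
NUMERIC_OPS = {
    "Less Than": operator.lt,
    "Greater Than": operator.gt,
    "Equal To": operator.eq,
    "Not Equal To": operator.ne,
}


def matches_restriction(event, restriction):
    """Apply the from/to value restrictions of one list-box entry.

    Hypothetical keys: from_equals, to_equals ("changed from"/"changed to"),
    from_contains, to_contains ("contains the following text"),
    from_number, to_number (an (operator, nn) pair)."""
    for side in ("from", "to"):
        value = event.get(side)
        if f"{side}_equals" in restriction and value != restriction[f"{side}_equals"]:
            return False
        if f"{side}_contains" in restriction and restriction[f"{side}_contains"] not in (value or ""):
            return False
        if f"{side}_number" in restriction:
            op_name, nn = restriction[f"{side}_number"]
            try:
                number = float(value)
            except (TypeError, ValueError):
                return False  # a non-numeric value cannot satisfy a numeric restriction
            if not NUMERIC_OPS[op_name](number, nn):
                return False
    return True


def matches_entry(event, entry):
    """One entry: a whole facility (Add All Events in Facility) or a single event class
    (Add This Event Class), with an optional restriction dictionary."""
    if "facility" in entry and event["facility"] != entry["facility"]:
        return False
    if "event_class" in entry and event["event_class"] != entry["event_class"]:
        return False
    return matches_restriction(event, entry.get("restriction", {}))


def search_what(events, entries, exclude=False):
    """Return the ids of the events selected by the list box; exclude=True inverts the
    selection, as the Exclude the Above Selection(s) check box does."""
    return [e["id"] for e in events
            if any(matches_entry(e, entry) for entry in entries) != exclude]


# Constructed sample events (facility/event class names are placeholders).
SAMPLE_EVENTS = [
    {"id": 1, "facility": "User", "event_class": "User Attribute Changed",
     "attribute": "userAccountControl", "from": "512", "to": "514"},
    {"id": 2, "facility": "User", "event_class": "User Attribute Changed",
     "attribute": "description", "from": "Contractor", "to": "Contractor (extended)"},
    {"id": 3, "facility": "Group", "event_class": "Group Member Added",
     "from": "", "to": "CN=Alice,OU=Staff,DC=example,DC=com"},
    {"id": 4, "facility": "Group", "event_class": "Group Member Removed",
     "from": "CN=Bob,OU=Staff,DC=example,DC=com", "to": ""},
    {"id": 5, "facility": "User", "event_class": "User Attribute Changed",
     "attribute": "badPwdCount", "from": "2", "to": "12"},
]


if __name__ == "__main__":
    entries = [
        {"event_class": "User Attribute Changed", "restriction": {"to_number": ("Less Than", 20)}},
        {"facility": "Group"},
    ]
    print(search_what(SAMPLE_EVENTS, entries))                # included
    print(search_what(SAMPLE_EVENTS, entries, exclude=True))  # everything else
```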
NOTE: When the Runtime Prompt is selected (checked), the Event Class option will be disabled on the Add tool bar buttons on the What tab.

Add Active Directory Container Dialog

The Add Active Directory Container dialog is displayed when the Add | Subsystem | Active Directory or Add With Events | Subsystem | Active Directory tool bar option is selected on the What search properties tab. From this dialog, select the Active Directory object(s) and the action(s) to be included in the search definition.

The following information/controls are included on this dialog:

Scope

Select one of the following options to define the scope of coverage:

• All Active Directory Objects - select this option to include all objects. (Default when the Add tool bar button is used.)
• This Object - select this option to include the selected object(s) only. (Default when the Add With Events tool bar button is used.)
• This Object and Child Objects Only - select this option to include the selected object(s) and its direct child objects.
• This Object and All Child Objects - select this option to include the selected object(s) and all subordinate objects (in all levels).

Actions

The actions check boxes allow you to define what types of actions to the selected object are to generate an audited event. By default, All Actions is selected (checked), meaning that all of the activity associated with the object will generate an audited event. However, you can deselect the All Actions option and select (check) individual options to include specific actions in your search definition.
The options available are:
• All Actions - select this option to include when any of the following actions occur. (Default)
• Add Attribute - select this option to include when an attribute is added
• Delete Attribute - select this option to include when an attribute is deleted
• Modify Attribute - select this option to include when an attribute is modified
• Rename Object - select this option to include when an object is renamed
• Add Object - select this option to include when an object is added
• Delete Object - select this option to include when an object is deleted
• Move Object - select this option to include when an object is moved

Object Picker
If you have selected a scope other than All Active Directory Objects, the object picker will be activated, allowing you to select the object(s) to be included in the search definition. Use either the Browse or Search page to search your environment to locate and select the Active Directory object(s) to be included. Use the Options page to view or modify the search options or global catalog to be used to retrieve directory objects. These pages are only displayed when this dialog is accessed using the Add | Subsystem | Active Directory option. See Using the Object Picker on page 38 for a description of the Browse, Search and Options pages.

Data Grid
The data grid replaces the object picker when the Add With Events | Subsystem | Active Directory option is selected. This grid displays a list of all the Active Directory objects that have an audited event associated with them in the ChangeAuditor database.

For each object listed, the following information is displayed:

Object
This column lists the names of the Active Directory objects that have an audited event associated with them in the repository database.

Audit Events
This column displays the number of audited events associated with each object listed.
Add
Once you locate the Active Directory object to be included, use the Add button to add the selected object to the search definition. Selecting the Add button will add the selected object to the Active Directory Objects list box at the bottom of this dialog.

Remove
Use the Remove button to remove the selected Active Directory object from the search definition. From the Active Directory Objects list box, select/highlight the object to be removed and select the Remove button to remove it from the search definition.

Modify Scope and Action(s)
Use the Modify Scope and Action(s) button to apply any changes made to the scope and actions settings for an Active Directory object. Select/highlight an object in the list box, modify the scope and/or actions as required, then select the Modify Scope and Action(s) button to apply the changes made.

Active Directory Objects List Box
The list box located at the bottom of this dialog displays the Active Directory objects selected for inclusion in the search definition. That is, only the objects listed will be searched for changes.

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this option to exclude the selected objects from the search. When this check box is checked, ChangeAuditor will return events generated in all Active Directory objects except those listed in the Active Directory Objects list box.

Runtime Prompt
Select (check) the Runtime Prompt check box to prompt for the Active Directory objects to be included whenever the search is run. That is, when the Run tool bar button is selected, the Add Active Directory Container dialog will be displayed allowing you to select the object(s) to be searched.

NOTE: When the Runtime Prompt is selected (checked), the Active Directory option will be disabled on the Add tool bar buttons on the What tab.
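The scope, action and Exclude semantics of this dialog, as an added Python model that is not ChangeAuditor code: it applies the four Scope options to constructed sample event DNs so that the difference between Child Objects Only and All Child Objects, the effect of narrowing Actions, and the effect of Exclude can be checked before a search definition is saved; the same Scope options appear on the Exchange, File System and Registry dialogs. The sample DNs are made up, and the reading that Exclude inverts only the events a listed row would otherwise have matched is an assumption.

```python
"""Constructed model of how a ChangeAuditor Active Directory container
selection narrows a search: scope, actions and the Exclude check box."""
from dataclasses import dataclass
from typing import List, Optional

# Scope options, as named on the Add Active Directory Container dialog.
SCOPE_ALL = "All Active Directory Objects"
SCOPE_THIS = "This Object"
SCOPE_CHILDREN = "This Object and Child Objects Only"
SCOPE_SUBTREE = "This Object and All Child Objects"

# Action check boxes on the dialog; "All Actions" is the union of these.
ALL_ACTIONS = frozenset({
    "Add Attribute", "Delete Attribute", "Modify Attribute",
    "Rename Object", "Add Object", "Delete Object", "Move Object",
})

def dn_components(dn: str) -> List[str]:
    """Split a distinguished name into its RDNs, ordered root first.
    Backslash-escaped commas stay inside their value; the result is
    lower-cased because AD names compare case-insensitively."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape + escaped char
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return [p.lower() for p in reversed(parts)]

def depth_below(selected: str, target: str) -> Optional[int]:
    """0 if target is the selected object, 1 for a direct child, 2 for a
    grandchild, and so on; None if target is not under the selected object."""
    s, t = dn_components(selected), dn_components(target)
    if len(t) < len(s) or t[:len(s)] != s:
        return None
    return len(t) - len(s)

def in_scope(scope: str, selected: str, target: str) -> bool:
    """Apply one of the four Scope options to a single event object."""
    if scope == SCOPE_ALL:
        return True
    depth = depth_below(selected, target)
    if depth is None:
        return False
    if scope == SCOPE_THIS:
        return depth == 0
    if scope == SCOPE_CHILDREN:   # the object plus its direct children only
        return depth <= 1
    if scope == SCOPE_SUBTREE:    # the object plus every level beneath it
        return True
    raise ValueError(f"unknown scope: {scope}")

@dataclass
class Selection:
    """One row of the Active Directory Objects list box."""
    scope: str
    object_dn: str = ""                # not used for SCOPE_ALL
    actions: frozenset = ALL_ACTIONS   # "All Actions" unless narrowed

@dataclass
class ContainerCriteria:
    """The dialog as a whole: listed rows plus Exclude the Above Selection(s)."""
    selections: List[Selection]
    exclude: bool = False

    def matches(self, event: dict) -> bool:
        # Assumption: an event is "listed" when some row matches both its
        # object (by scope) and its action; Exclude simply inverts that.
        listed = any(
            in_scope(sel.scope, sel.object_dn, event["object"])
            and event["action"] in sel.actions
            for sel in self.selections
        )
        return not listed if self.exclude else listed

def run_search(criteria: ContainerCriteria, events: List[dict]) -> List[dict]:
    """Return the events the criteria would keep, in their original order."""
    return [e for e in events if criteria.matches(e)]

# Constructed sample events: an OU, a direct child, a grandchild, and an
# unrelated user object (none of these come from a real directory).
SAMPLE_EVENTS = [
    {"object": "OU=Servers,DC=example,DC=com", "action": "Modify Attribute"},
    {"object": "CN=SQL01,OU=Servers,DC=example,DC=com", "action": "Delete Object"},
    {"object": "CN=WEB01,OU=Web,OU=Servers,DC=example,DC=com", "action": "Add Attribute"},
    {"object": "CN=jdoe,OU=Users,DC=example,DC=com", "action": "Modify Attribute"},
]
```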
Add Exchange Container Dialog
The Add Exchange Container dialog is displayed when the Add | Subsystem | Exchange or Add With Events | Subsystem | Exchange tool bar button is selected on the What search properties tab. From this dialog, select the Exchange object(s) and the action(s) to be included in the search definition.

The following information/controls are included on this dialog:

Scope
Select one of the following options to define the scope of coverage:
• All Exchange Objects - select this option to include all Exchange objects. (Default when the Add tool bar button is used.)
• This Object - select this option to include the selected object(s) only. (Default when the Add With Events tool bar button is used.)
• This Object and Child Objects Only - select this option to include the selected object(s) and their direct child objects.
• This Object and All Child Objects - select this option to include the selected object(s) and all subordinate objects (at all levels).

Actions
The actions check boxes allow you to define which types of actions on the selected object are to generate an audited event. By default, All Actions is selected (checked), meaning that all of the activity associated with the object will generate an audited event. However, you can deselect the All Actions option and select (check) individual options to include specific actions in your search definition.
The options available are:
• All Actions - select this option to include when any of the following actions occur. (Default)
• Add Attribute - select this option to include when an attribute is added
• Delete Attribute - select this option to include when an attribute is deleted
• Modify Attribute - select this option to include when an attribute is modified
• Rename Object - select this option to include when an object is renamed
• Add Object - select this option to include when an object is added
• Delete Object - select this option to include when an object is deleted
• Move Object - select this option to include when an object is moved

Object Picker
If you have selected a scope other than All Exchange Objects, the object picker will be activated, allowing you to select the objects to be included in the search definition. Use either the Browse or Search page to search your environment to locate and select the Exchange object(s) to be included. Use the Options page to view or modify the search options or global catalog to be used to retrieve directory objects. These pages are only displayed when this dialog is accessed using the Add | Subsystem | Exchange option. See Using the Object Picker on page 38 for a description of the Browse, Search and Options pages.

Data Grid
The data grid replaces the object picker when the Add With Events | Subsystem | Exchange option is selected. This grid displays a list of all the Exchange objects that have an audited event associated with them in the ChangeAuditor database.

For each object listed, the following information is displayed:

Object
This column lists the names of the Exchange objects that have an audited event associated with them in the repository database.

Audit Events
This column displays the number of audited events associated with each object listed.

Add
Once you locate the Exchange object to be included, use the Add button to add the selected object to the search definition.
Selecting the Add button will add the selected object to the Exchange Objects list box at the bottom of this dialog.

Remove
Use the Remove button to remove the selected object from the search definition. From the Exchange Objects list box, select/highlight the object to be removed and select the Remove button to remove it from the search definition.

Modify Scope and Action(s)
Use the Modify Scope and Action(s) button to apply any changes made to the scope and actions settings for an Exchange object. Select/highlight an object in the list box, modify the scope and/or actions as required, then select the Modify Scope and Action(s) button to apply the changes made.

Exchange Objects List Box
The list box located at the bottom of this dialog displays the Exchange objects selected for inclusion in the search definition. That is, only the objects listed will be searched for changes.

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this option to exclude the selected objects from the search. When this check box is checked, ChangeAuditor will return events generated in all Exchange objects except those listed in the Exchange Objects list box.

Runtime Prompt
Select (check) the Runtime Prompt check box to prompt for the Exchange objects to be included whenever the search is run. That is, when the Run tool bar button is selected, the Add Exchange Container dialog will be displayed allowing you to select the container(s) to be searched.

NOTE: When the Runtime Prompt is selected (checked), the Exchange option will be disabled on the Add tool bar buttons on the What tab.

Add ChangeAuditor Events Dialog
The Add ChangeAuditor Events dialog is displayed when the Add | Subsystem | ChangeAuditor Event or Add With Events | Subsystem | ChangeAuditor Event button is selected on the What search properties tab. This dialog allows you to search for specific ChangeAuditor events.
From this dialog, select/highlight a ChangeAuditor event and use the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), use the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

ChangeAuditor Event
This column lists the ChangeAuditor events that can be included in the search. When the Add With Events option is used, this list consists of ChangeAuditor events that already have an audited event in the repository database.

Audit Events
This column displays the number of audited events associated with each ChangeAuditor event listed. This column is only displayed when the Add With Events option is used.

Add/Remove Buttons
Use the Add button to add the selected ChangeAuditor event to the Events list box located across the bottom of the dialog. Use the Remove button to remove the selected ChangeAuditor event from the Events list box.

Events List Box
The list box located across the bottom of the dialog lists the ChangeAuditor events selected for inclusion in the search definition.

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this check box to exclude the ChangeAuditor events listed in the Events list box. When this check box is checked, ChangeAuditor will search for all ChangeAuditor events except for those listed in the Events list box.

Runtime Prompt
Select (check) the Runtime Prompt option to prompt for the ChangeAuditor event whenever the search is run. That is, when the Run tool bar button is selected, the Add ChangeAuditor Events dialog will be displayed allowing you to select the ChangeAuditor event(s) to be included in the search.

NOTE: When the Runtime Prompt option is selected (checked), the ChangeAuditor Event option will be disabled on the Add tool bar buttons on the What tab.
Add Computer Events Dialog
The Add Computer Events dialog is displayed when the Add | Subsystem | Computer Event or Add With Events | Subsystem | Computer Event button is selected on the What search properties tab. This dialog allows you to search for specific computer events. From this dialog, select/highlight a computer event and use the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), use the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Computer Event
This column lists the computer events that can be included in the search. When the Add With Events option is used, this list contains computer events that have an audited event in the ChangeAuditor database.

Audit Events
This column displays the number of audited events associated with each computer event listed. This column is only available when the Add With Events option is used.

Add/Remove Buttons
Use the Add button to add the selected computer event to the Computer Event list box located across the bottom of the dialog. Use the Remove button to remove the selected computer event from the Computer Event list box.

Computer Event List Box
The list box across the bottom of the dialog lists the computer events selected for inclusion in the search definition.

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this check box to exclude the computer events listed in the Computer Event list box. When this check box is checked, ChangeAuditor will search for all computer events except for those listed in the Computer Event list box.

Runtime Prompt
Select (check) the Runtime Prompt option to prompt for the computer event whenever the search is run.
That is, when the Run tool bar button is selected, the Add Computer Events dialog will be displayed allowing you to select the computer event(s) to be included in the search.

NOTE: When the Runtime Prompt is selected (checked), the Computer Event option will be disabled on the Add tool bar buttons on the What tab.

Add File System Path Dialog
The Add File System Path dialog is displayed when either the Add | Subsystem | File System or the Add With Events | Subsystem | File System tool bar button is selected on the What search properties tab. This dialog allows you to select the path to be used to search for file system events.

Scope
Select one of the following options to define the scope of coverage:
• All File System Paths - select this option to include all file system paths. (Default when the Add tool bar button is used.)
• This Object - select this option to include a specific object(s) only. (Default when the Add With Events tool bar button is used.)
• This Object and Child Objects Only - select this option to include the selected object(s) and their direct child objects.
• This Object and All Child Objects - select this option to include the selected object(s) and all subordinate objects (at all levels).

Actions
By default, All Actions is selected (checked), meaning that all of the actions associated with the file system path will be included in the search. However, you can deselect the All Actions option and select (check) individual actions to be included in the search.

The actions available are:
• All Actions - select this option to include all File System activities. (Checked by default)
• Add - select this option to include when a File System folder or file is added
• Delete - select this option to include when a File System folder or file is deleted
• Move - select this option to include when a File System folder or file is moved
• Rename - select this option to include when a File System folder or file is renamed
• Modify - select this option to include when a File System folder or file is modified
• Other - select this option to include when any other type of activity occurs on a File System folder or file

When any option other than All File System Paths is selected in the Scope section, the following controls will become available to select the file system path to be included in the search.

File System Path Type
Select the file system path type(s) to be included in the search definition. When any scope other than This Object is selected, All Types is checked, meaning that all types of file system paths will be included. However, you can deselect the All Types check box and select (check) individual types.

The file types available are:
• All Types - select this option to search all of the file system path types listed. (This option is not available for This Object.)
• File - select this option to search only files. (Selected by default when the This Object scope is selected.)
• Folder - select this option to search only folders.

Path
If you have selected a scope other than All File System Paths, use this field to specify the file or folder path to be searched.

NOTE: When using the Add With Events tool bar button, the Path field is populated based on the entry selected in the data grid and is read only. The browse button is also disabled.
Enter a file or folder, or click on the browse button and select the file or folder to be searched:
• When All Types or Folder is selected in the File System Path Type section, selecting the browse button will launch the Browse for Folder dialog where you can locate and select the local folder to be included in the search definition.
NOTE: When entering a folder in the Path field, place a backslash ( \ ) at the end of the path or ChangeAuditor will treat the entry as a file instead of a folder.
• When File is selected in the File System Path Type section, selecting the browse button will launch the Browse for Folder dialog (or the native Open dialog when This Object is selected) where you can locate and select the local file(s) to be included in the search definition.

After selecting the folder and/or file to be included, use the Add button to add it to the File System Path list box.

Add
Use the Add button to add a file or folder to the File System Path list box.

Remove
Use the Remove button to remove an entry from the File System Path list box. Select/highlight the entry to be removed and select the Remove button.

Modify
Use the Modify button to modify the selected entry. Select/highlight the entry to be modified in the list box, make the changes to the Actions or the File System Path and then select the Modify button. The changes made will be displayed in the list box.

File System Path List Box
This list box displays the File System files or folders to be included in the search definition (or excluded if the Exclude the Above Selection(s) option is checked).

Data Grid
The data grid is added to this dialog when the Add With Events | Subsystem | File System option is selected. This grid displays a list of all the File System objects that have an audited event associated with them in the ChangeAuditor database.
For each object listed, the following information is displayed:

Folder Path
This column lists the names of the File System objects that have an audited event associated with them in the ChangeAuditor database.

Audit Events
This column displays the number of audited events associated with each object listed.

Select an entry in the data grid and use the Add button to add it to the File System Path list box.

Use the check boxes at the bottom of the dialog as described below:

Exclude the Above Selection(s)
Select (check) this option to specify that the files and folders listed are to be excluded from the search. When this check box is checked, ChangeAuditor will search all File System files or folders except those listed.

Runtime Prompt
Select (check) the Runtime Prompt check box to prompt for the file system path whenever the search is run. That is, when the Run tool bar button is selected, the Add File System Path dialog will be displayed allowing you to enter the file system path to be searched.

NOTE: When the Runtime Prompt is selected (checked), the File System option will be disabled on the Add tool bar buttons on the What tab.

Add Group Policy Container Dialog
The Add Group Policy Container dialog is displayed when either the Add | Subsystem | Group Policy or the Add With Events | Subsystem | Group Policy tool bar button is selected on the What search properties tab. From this dialog, select/highlight a Group Policy object to be searched and use the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), use the OK button to save your selection and close the dialog.
The following information/controls are included on this dialog:

Scope
Select one of the following options to define the scope of coverage:
• All Objects - select this option to include all objects. (Default)
• This Object - select this option to include the selected object only.

Object Picker
When the This Object option is selected, use either the Browse or Search page to search your environment to locate and select the Group Policy object(s) to be included in the search. Use the Options page to view or modify the search options or global catalog to be used to retrieve directory objects. These pages are only displayed when this dialog is accessed using the Add | Subsystem | Group Policy tool bar button. See Using the Object Picker on page 38 for a description of the Browse and Search pages. Please note that the Find field on this dialog will display GroupPolicyContainer and cannot be changed.

Data Grid
The data grid replaces the object picker when the Add With Events | Subsystem | Group Policy option is selected. This grid displays a list of all the Group Policy objects that have an audited event associated with them in the ChangeAuditor database.

For each object listed, the following information is displayed:

Policy Name
This column lists the names of the Group Policy objects that have an audited event associated with them in the repository database.

Audit Events
This column displays the number of audited events associated with each object listed.

Add
Use the Add button to add the selected object to the search definition. Selecting the Add button will add the selected object to the Objects list box at the bottom of this dialog.

Remove
Use the Remove button to remove the selected Group Policy object from the search definition. From the Objects list box, select/highlight the object to be removed and select the Remove button to remove it.
Objects List Box
The list box located at the bottom of this dialog displays the Group Policy objects selected for inclusion in the search definition. That is, only the objects listed will be searched for changes (or excluded from the search if the Exclude the Above Selection(s) option is selected).

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this option to exclude the selected objects from the search definition. When this check box is checked, ChangeAuditor will search all Group Policy objects except those listed.

Runtime Prompt
Select (check) the Runtime Prompt check box to prompt for the Group Policy object(s) to be included whenever the search is run. That is, when the Run tool bar button is selected, the Add Group Policy Container dialog will be displayed allowing you to select the object(s) to be searched.

NOTE: When the Runtime Prompt is selected (checked), the Group Policy option will be disabled on the Add tool bar buttons on the What tab.

Add Local Account Dialog
The Add Local Account dialog is displayed when either the Add | Subsystem | Local Account or the Add With Events | Subsystem | Local Account tool bar button is selected on the What search properties tab. This dialog allows you to search for events generated by either a local user or group account. From this dialog, select/highlight an account and use the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), use the OK button to save your selection and close the dialog.

This dialog contains the following information/controls:

Scope
Select one of the following options to define the scope of coverage:
• All Objects - select this option to include all objects. (Default when using the Add tool bar button.)
• This Object - select this option to include individual object(s). (Default when using the Add With Events tool bar button.)

Data Grid
The data grid displays a list of all the users and groups in the local SAM database on the selected Member Server (or the local accounts that have an audited event associated with them in the repository database). When the This Object option is selected in the Scope section, the data grid and buttons will be enabled to select the individual object(s) to be included in the search.

For each account listed, the following information is displayed:

Principal Type
This column displays the type of account: User or Group.

Principal Name
This column displays the name of each local user and group account.

Audit Events
This column displays the number of audited events associated with the local accounts listed. This information is only available when this dialog is accessed using the Add With Events | Subsystem | Local Account tool bar button.

Path
This field displays the principal name of the object selected in the data grid. To select a local account on a different computer, use the Browse button to the far right to display the Select a Directory Object dialog and select another computer. The local user or group accounts available on the specified computer will then be displayed in the data grid.

NOTE: When using the Add With Events tool bar button, the Path field and browse button are not available.

Add
Use the Add button to add the account selected in the data grid to the Account list box, located across the bottom of the dialog.

Remove
Use the Remove button to remove an entry from the Account list box. Select/highlight the entry to be removed and select the Remove button.

Modify
Use the Modify button to modify the entry selected in the Account list box. Select/highlight the entry to be modified, select a different account from the data grid and select the Modify button.
Account List Box
This list box displays the local user and/or group account(s) to be included in the search (or excluded from the search if the Exclude the Above Selection(s) option is checked).

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this option to specify that the local accounts listed are to be excluded from the search. When this check box is checked, ChangeAuditor will return events generated in all local accounts except those listed.

Runtime Prompt
Select (check) the Runtime Prompt check box to prompt for a local account whenever the search is run. That is, whenever the Run tool bar button is selected, the Add Local Account dialog will be displayed allowing you to select the local user or group account to be used.

NOTE: When the Runtime Prompt is selected (checked), the Local Account option will be disabled on the Add tool bar buttons on the What tab.

Add Registry Key Dialog
The Add Registry Key dialog is displayed when the Add | Subsystem | Registry or Add With Events | Subsystem | Registry tool bar button is selected on the What search properties tab. This dialog allows you to search for changes to a specific System Registry key. From this dialog, select/highlight a registry key and use the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), use the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Scope
Select one of the following options to define which system registry keys are to be included in your search definition:
• All Registry Keys - select this option to include all registry keys in your search definition. (Default when using the Add tool bar button.)
• This Object - select this option to include only the selected object(s). (Default when using the Add With Events tool bar button.)
• This Object and Child Objects Only - select this option to include the selected object(s) and their direct child objects.
• This Object and All Child Objects - select this option to include the selected object(s) and all subordinate objects (at all levels).

Actions
By default, All Actions is selected (checked), meaning that all of the registry actions listed will be included in your search definition. However, you can deselect the All Actions option and select (check) individual actions for auditing.

Select/check one or more of the following actions:
• All Actions - select this option to include all of the actions. When this option is selected, all of the other options are disabled. (Default)
• Add Value - select this option to include when a new value is added to the selected registry key.
• Delete Value - select this option to include when a registry key value is removed.
• Modify Value - select this option to include when a registry key value is modified.
• Add Key - select this option to include when a new registry key is added.
• Delete Key - select this option to include when a registry key is removed.

Registry Key Hierarchy
This is a hierarchical view of the registry containers for the computer to which you are currently connected. Depending on the Scope option selected, the registry key hierarchy will either be disabled (All Registry Keys) or enabled, allowing you to locate and select a registry key.

Data Grid
The data grid replaces the Registry Key Hierarchy pane when the Add With Events | Subsystem | Registry option is selected. The data grid displays a list of all the registry keys that have an audited event associated with them in the repository database.

For each registry key listed, the following information is displayed:

Registry Key
This column lists the registry keys that have an audited event associated with them in the repository database.
Audit Events
This column displays the number of audited events associated with each registry key listed.

Add
Select a registry key (or container) from the hierarchy view and use the Add button to add this key to the Registry Key list box at the bottom of the dialog.

Remove
Select a registry entry from the Registry Key list box and use the Remove button to remove it from this list box and from the search definition.

Modify
Select a registry entry from the Registry Key list box and use the Modify button to modify the scope and/or actions previously associated with the selected registry entry.

Path
This field displays the path that is built as you use the hierarchy view to locate a registry key. To select a registry key from a different computer, use the Browse button to the right of this field to locate and select the computer to be used. The system registry keys associated with the specified computer will then be displayed in the hierarchy view.

NOTE: Make sure that the selected computer is on the network and has remote administration enabled. If the selected remote computer does not allow remote admin access, a message will be displayed explaining that you need to select a different server.

NOTE: The Path field is read-only and the Browse button is disabled when this dialog is accessed using the Add With Events tool bar button.

Registry Key List Box
This list box displays the registry key(s) to be included in the search (or excluded from the search if the Exclude the Above Selection(s) option is checked).

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this option to exclude the registry keys in the selection list box. When this check box is checked, ChangeAuditor will search for change events in all registry keys except those listed.

Runtime Prompt
Select (check) the Runtime Prompt check box to prompt for a registry key whenever the search is run.
That is, when the Run tool bar button is selected, the Add Registry Key dialog will be displayed allowing you to select the registry key to be searched.

NOTE: When the Runtime Prompt is selected (checked), the Registry option will be disabled on the Add tool bar buttons on the What tab.

Add Services Dialog
The Add Services dialog is displayed after you have selected a computer from the Select a Directory Object dialog when the Add | Subsystem | Service or Add With Events | Subsystem | Service button is selected on the What search properties tab.

NOTE: Make sure that the selected computer is on the network and has remote administration enabled. If the selected remote computer does not allow remote admin access, a message will be displayed explaining that you need to select a different server.

This dialog allows you to search for events generated by a specific service. From this dialog, select/highlight a service and use the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), use the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Display Name
This column lists the display name of each service listed.

Service Name
This column lists the service name of each service running on the computer selected on the Select a Directory Object dialog.

Description
This column provides a brief description of each service listed. This column is only available when this dialog is accessed using the Add | Subsystem | Service tool bar button.

Audit Events
This column displays the number of audited events associated with each service listed. This column replaces the Description column and is only available when this dialog is accessed using the Add With Events | Subsystem | Service tool bar button.
Add/Remove buttons
Use the Add button to add the selected service to the Service list box, located across the bottom of the dialog. Use the Remove button to remove the selected service from the Service list box.

Service List Box
This list box displays the name of the service(s) to be included in the search definition (or excluded when the Exclude the Above Selection(s) check box is checked).

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this check box to exclude the services listed in the selection list box. When this check box is checked, ChangeAuditor will search for change events to all services except those listed.

Runtime Prompt
Select (check) the Runtime Prompt option to prompt for the service whenever the search is run. That is, when the Run tool bar button is selected, the Add Services dialog will be displayed, allowing you to select the service to be used.

NOTE: When the Runtime Prompt is selected (checked), the Services option will be disabled on the Add tool bar buttons on the What tab.

Add SQL Instance Dialog
The Add SQL Instance dialog is displayed when either the Add | Subsystem | SQL or the Add With Events | Subsystem | SQL tool bar button is selected on the What search properties tab. This dialog allows you to define a search for actions that have occurred in all SQL instances being audited, or in a selected instance, database and/or object.

NOTE: SQL auditing is only available if you have licensed the ChangeAuditor for SQL add-on module and you have applied the custom SQL Server Auditing templates that define the SQL instances to be audited.

The following information/controls are included on this dialog:

Scope
Select one of the following options to define the scope of the search:
• All SQL Instances - select this option to search all SQL instances. (Default when using the Add tool bar button.)
• This Object - select this option to search specific SQL instances, databases and/or objects only. (Default when using the Add With Events tool bar button.)

When the This Object option is selected, the following controls become available to specify the SQL instance, SQL database and/or SQL Server object to be included in the search definition. When you select This Object, you MUST fill in at least one of the following fields. After specifying the SQL instance, database and/or object, use the Add button to add it to the SQL list box.

Instance
Enter the name of the SQL instance or use the Browse button to the far right to select from a list. Selecting the Browse button displays the Select a SQL Instance and Database dialog, which provides a list of SQL instances and associated databases from which you can select the instance and database to be used. If you leave this field blank, ChangeAuditor will search for SQL events based on the entries made in the DB and/or Object fields for all audited SQL instances.

DB
Enter the name of the SQL database to be used or use the Browse button to the far right to select from a list. Selecting the Browse button displays the Select a SQL Instance and Database dialog, which provides a list of SQL instances and associated databases from which you can select the instance and database to be used. If you leave this field blank, ChangeAuditor will search for SQL events based on the entries made in the Instance and/or Object fields for all audited SQL databases.

Object
Enter a SQL Server object to be included in the search definition. If you leave this field blank, ChangeAuditor will search for SQL events based on the entries made in the Instance and/or DB fields for all audited SQL Server objects.

Add
Use the Add button to add the specified SQL instance, database and/or object to the list box at the bottom of the dialog.

Remove
Use the Remove button to remove an entry from the SQL list box. Select an entry from the SQL list box and use the Remove button to remove it from this list box and from the search definition.

Modify
Use the Modify button to change an entry in the SQL list box. Select/highlight the entry to be modified from the SQL list box, make the modification(s) to the SQL instance, database and/or object, then select the Modify button. The changes made will then be displayed in the list box.

SQL List Box
This list box displays a list of the SQL instance(s), database(s) and/or object(s) to be included in the search definition (or excluded when the Exclude the Above Selection(s) check box is checked). Its contents are based on the entries specified above, when using the This Object scope.
• Instance - If an instance is specified above, this column displays the name of the SQL instance to be included in the search definition.
• Database - If a database is specified above, this column displays the name of the database to be included in the selected search definition.
• SQL Object - If an object is entered above, this column displays the SQL object that was specified.

Data Grid
A data grid is added to this dialog when the Add With Events tool bar option is selected. This data grid displays a list of the SQL instances, databases and objects that have an audited event in the ChangeAuditor repository database. The following information is displayed:

Instance
This column displays the name of the SQL instance(s) that reported a SQL event in the ChangeAuditor database.

Database
This column displays the name of the database(s) that reported a SQL event in the ChangeAuditor database.

SQL Object
This column displays the name of the SQL Server object(s) that reported a SQL event in the ChangeAuditor database.

Audit Events
This column displays the number of audited events associated with each entry listed. This column may contain event counts for events that occurred in the following:
• a SQL instance that does not have a database or object associated with it (both the Database and SQL Object columns are blank)
• a SQL instance and its associated databases that do not have an object associated with them (SQL Object column is blank)
• a SQL instance, its associated databases and SQL Server objects

Select an entry in the data grid and select the Add button to add it to the SQL list box.

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this check box to specify that the SQL instance(s) listed are to be excluded from the search. When this check box is checked, ChangeAuditor will search for events in all audited SQL instances except those listed.

Runtime Prompt
Select (check) the Runtime Prompt option to prompt for the SQL instance whenever the search is run. That is, when the Run tool bar button is selected, the Add SQL Instance dialog will be displayed, allowing you to select the SQL instance, database and/or object to be searched for audited events.

NOTE: When the Runtime Prompt is selected (checked), the SQL option will be disabled on the Add tool bar buttons on the What tab.

Add Object Classes Dialog
The Add Object Classes dialog is displayed when either the Add | Object Class or Add With Events | Object Class button is selected on the What search properties tab. This dialog allows you to search for changes made to a specific object class (a.k.a. classSchema object). From this dialog, select/highlight an object class and use the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), use the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Object Class
This column lists the object classes defined and available for inclusion.
Audit Events
This column displays the number of audited events associated with each of the object classes listed. This column is only displayed when this dialog is accessed using the Add With Events | Object Class option.

Add/Remove buttons
Use the Add button to add the selected item to the Object Classes list box, located across the bottom of the dialog. Use the Remove button to remove the selected item from the Object Classes list box.

Object Classes List Box
This list box displays the object classes to be included in the search definition (or excluded if the Exclude the Above Selection(s) check box is checked).

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this check box to exclude the items listed in the Object Classes list box. When this check box is checked, ChangeAuditor will search for change events to all object classes except those listed.

Runtime Prompt
Select (check) the Runtime Prompt option to prompt for the object class whenever the search is run. That is, when the Run tool bar button is selected, the Add Object Class dialog will be displayed, allowing you to select the object class to be included in the search.

NOTE: When the Runtime Prompt is selected (checked), the Object Class option will be disabled on the Add tool bar buttons on the What tab.

Add Severities Dialog
The Add Severities dialog is displayed when either the Add | Severity or Add With Events | Severity button is selected on the What search properties tab. This dialog allows you to search for events based on the severity (High, Medium or Low) assigned to audited events. From this dialog, select/highlight a severity and use the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), use the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Severity
This column lists the severity levels that can be assigned to audited events.

Audit Events
This column displays the number of audited events associated with each of the severity levels listed. This column is only displayed when this dialog is accessed using the Add With Events button.

Add/Remove buttons
Use the Add button to add the selected item to the Severities list box, located across the bottom of the dialog. Use the Remove button to remove the selected item from the Severities list box.

Severities List Box
This list box displays the severities to be included in the search definition (or excluded if the Exclude the Above Selection(s) check box is checked).

Use the check boxes at the bottom of this dialog as described below:

Exclude the Above Selection(s)
Select (check) this check box to exclude the items listed in the Severities list box. When this check box is checked, ChangeAuditor will return details for all audited events except those assigned a severity level which is listed.

Runtime Prompt
Select (check) the Runtime Prompt option to prompt for the severity criteria whenever the search is run. That is, when the Run tool bar button is selected, the Add Severities dialog will be displayed, allowing you to select the severity criteria to be included in the search.

NOTE: When the Runtime Prompt is selected (checked), the Severity option will be disabled on the Add tool bar buttons on the What tab.

Search Properties - Where Tab Dialogs
Depending on the Add tool bar button (Add or Add With Events) selected on the Where search properties tab, one of two dialogs will be displayed from which you can select the site(s), domain(s) and/or individual agent(s) to be included in the selected search criteria.
Select One or More Directory Objects Dialog
The Select One or More Directory Objects dialog is displayed when the Add button is selected on the Where search properties tab. From this dialog, use either the Browse or Search page to search your environment to locate and select the site(s), domain(s) or individual agent(s) to be included in the selected search definition. Use the Options page to view or modify various search options or the global catalog used to retrieve directory objects.

Please refer to Select One or More Directory Objects Dialog on page 96 for a description of this dialog. However, please note that the Find field will contain Domain, Computer, Site when this dialog is accessed through the Where tab.

Add Agents, Domains, Sites Dialog
The Add Agents, Domains, Sites dialog is displayed when you select the Add With Events tool bar button on the Where search properties tab. This dialog contains a list of all the agents, domains and sites that have an audited event associated with them in the repository database.

To select an item from this list, select/highlight one or more items from the list box located at the top of the dialog and use the Add button to add the item(s) to the selection list box located at the bottom of the dialog. Once you have selected all of the items to be included in your search, use the OK button to save your selections and close the dialog.

The following information is displayed for each item in this dialog:

Name
This column displays the name of the item that has an audited event associated with it in the repository database.

Type
This column displays the type of item: Agent, Domain or Site.

Audit Events
This column displays the number of audited events associated with each item listed.

Use the buttons on this dialog as described below:

Add
Use the Add button to add an item to the selection list box. Select/highlight an item from the list box located at the top of the dialog and select the Add button to add it to the selection list box.

Remove
Use the Remove button to remove a previously selected item. Select/highlight the item to be removed from the selection list box and select the Remove button.

Search Properties - Alert Tab Dialogs
From the Alert search properties tab, use the Alert Custom Email dialog to customize the email alert to be sent for the selected search.

Alert Custom Email Dialog
The Alert Custom Email dialog is displayed whenever you enable an alert or when the Configure Email button is selected on the Alert tab in the Search Properties view. From this dialog, you can define a custom alert email for the selected search. That is, for the selected alert, the settings defined in this dialog will overwrite the global settings.

This dialog contains the following information/controls:

To
Enter the address(es) where alert emails for the selected search definition are to be sent. Separate multiple addresses with a comma.

Reply To
This field contains the Reply To address specified on the Repository Configuration page. To change this address, place your cursor in this field and enter a different address where replies to alert emails for the selected search definition are to be sent. Separate multiple addresses with a comma.

Subject Line
Enter a customized subject line for the selected search definition to replace the default text in the subject line. The default subject line contains the following information:

ChangeAuditor %Alert_Type% from %Alert_Repository_Name% %Alert_Name%

Where:
%Alert_Type% is either ‘Alert’ or ‘Smart Alert’
%Alert_Repository_Name% is the name of the repository generating the alert
%Alert_Name% is the name of the alert that fired

Select the button to the far right of the Subject Line to change the variables used in the subject line or to reset it back to the default content.
Insert Variable
Expand the Insert Variable option to insert a variable into the subject line. Only one variable can be added at a time. Variables that can be added to the subject line include:
• ALERT_NAME
• ALERT_TYPE
• ALERT_REPOSITORY_DOMAIN
• ALERT_REPOSITORY_NAME
• BATCH_ID
• EVENT_COUNT
• SMART_ALERT
• SMART_ALERT_GROUPING
• SMART_ALERT_OCCURRENCE
• SMART_ALERT_PERIOD
• SMART_ALERT_PERIOD_UNIT

Restore to Default
Use the Restore to Default option to reset the subject line back to the default content. That is, remove any variables that were inserted.

Send Plain-Text Email
Select this option to have the email notification sent in plain text format. (Default)

Send HTML Email
Select this option to have the email notification sent in HTML format.

Configure Body
Select this button to launch the Alert Body Configuration dialog, where you can define the content of the main body, the event details and the signature to be included in your alert emails. Refer to Alert Body Configuration Dialog on page 233 for more information on using the Alert Body Configuration dialog to customize the content of your alert emails.

Alert History Page
The Alert History page is opened whenever the Alert | History context menu command is selected from the Searches page. This page consists of the following main components:
• Tool Bar
• Alert History Results Grid

Tool Bar
Use the tool bar buttons to specify what is to be displayed at the bottom of the Alert History page and/or to print the contents of the page:

Search Properties
Select the Search Properties tool bar button to display the search properties tabs across the bottom of the page. These tabbed pages allow you to view the criteria used in the search associated with the alert selected in the results grid. This button is only available when the Event Details pane is being displayed.

Event Details
Select the Event Details tool bar button to display the Event Details pane at the bottom of the page. This pane may contain additional information about the alert selected in the results grid. This button is only available when the Search Properties tabs are being displayed.

Print
Use the Print button to send the alert history to the designated printer. When you select this command, the native Print dialog will be displayed, allowing you to specify various print options.

Print | Print to File
Expand the Print button and select the Print to File command to save the alert history to an Excel (.xls) or Comma Delimited (.csv) file. When you select this command, the native Save As dialog will be displayed, allowing you to specify the location, file name and type of file to be created.

Print | Print Preview
Expand the Print button and select the Print Preview command to preview the alert history prior to printing it.

Print | Page Setup
Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog, allowing you to define the paper, page orientation and margins.

Alert History Results Grid
The top pane on this page contains the following information for each event that triggered an alert:

Time Alerted
This column displays the time the alert occurred.

Alert Type
This column displays the type of alert that was generated: WMI, SNMP, or SMTP.

Sent
This column indicates whether the alert was successfully sent: Yes or No.

Description
This column displays a description of the events that caused this alert to be triggered.

Error Message
This column displays an error message if the alert was not successfully sent.

Chapter 5: Search Results
Audited events are the configuration change information that is captured by the ChangeAuditor Agent(s), reported to a repository and then written to the database. These audited events can be retrieved and viewed through searches made via the ChangeAuditor Client.
When you run a search, ChangeAuditor searches the audited events in the database for the desired results. The results are then displayed in the Search Results page in the ChangeAuditor Client.

NOTE: The terms ‘search’ and ‘report’ are used together to describe the desired output: you run a ‘search’, and the results returned are a ‘report’.

Auditing and centralizing the collection of audited events is only one part of the total control and output required for enterprise security and compliance. It is equally important to be able to retrieve the real-time data and sort through it quickly and efficiently when it is needed.

The Search Results page allows you to perform the following tasks associated with ChangeAuditor reports:
• view results
• view event details or search properties
• preview results based on changes made to a search
• compare results side-by-side
• print search results

The first part of this chapter steps you through the procedures mentioned above, which can be performed from a Search Results page. The latter part of the chapter provides a detailed description of a Search Results page, its components, the commands that can be accessed, and the additional dialogs that can be accessed through this page.

Viewing Results
A new Search Results page will be created for each search that is run.

To view the results of a search:
1. From the Searches page, run a search.
2. For each search that is run, a new search results page will automatically be created and opened, allowing you to view the audited event records returned. Refer to Search Results Page on page 141 for a detailed description of the Search Results page.
3. When multiple search results are active, select the heading tab at the top of a search page to view the selected search results.
4. Use the column controls to sort, rearrange, or group the data displayed. See Customizing Table Content on page 44 for more information on using the column controls to customize the content of this page.
5. ChangeAuditor also provides advanced filtering options that allow you to modify the results of a search without changing the original search. Click in the Click here to filter data ... cell to enter the criteria to be used to filter the data displayed. See Filtering Data on page 46 for more information on using ChangeAuditor’s filtering feature.

Displaying Results in Different Formats
When a grouping is created (i.e., a column heading is dragged up into the heading area to group the data), three icons are added to the heading area which can be used to display the data in a different format. The following icons/formats are available:

Data Grid
Select the data grid icon to redisplay the data in the grid format (default format).

Pie Chart
Select the pie chart icon to display a pie chart showing the correlated data. Move your cursor over the pieces in the pie chart to display the label and number of items that make up that piece of the pie.

NOTE: When multiple groupings are created, the pie chart only applies to the top-level group. Also, when the search results are too numerous to chart, a message will display stating that there are too many items to display them all.

Bar Graph
Select the bar graph icon to display a bar graph showing the correlated data. Move your cursor over the bars in the graph to display the label and number of items that make up that bar.

NOTE: When multiple groupings are created, the bar graph only applies to the top-level group. Also, when the search results are too numerous to chart, a message will display stating that there are too many items to display them all.
Viewing Event Details or Search Properties
From the Search Results page, you can view the search properties used to generate the displayed audited events, or you can access more detailed information about an audited event. Using the tool bar buttons at the top of the Search Results page, you can easily switch between the Search Properties and Event Details at any time.

To display Search Properties for an audited event:
1. Open a Search Results tab and select/highlight an audited event from the Search Results grid.
2. If neither the Search Properties tabs nor the Event Details pane is being displayed, either select the Search Properties tool bar button or right-click the audited event and select the Show Properties menu command.
3. If the Event Details pane is displayed across the bottom of the page, select the Search Properties tool bar button to display the search properties tabs.
4. Use the Hide Properties right-click command to hide the Search Properties tabs.

To display event details for an audited event:
1. Open a Search Results tab and select/highlight an audited event from the Search Results grid.
2. If neither the Search Properties tabs nor the Event Details pane is being displayed, use one of the following methods to display the event details:
• double-click the audited event entry in the results grid
• select the Event Details tool bar button
• right-click the audited event and select the Show Details menu command
3. If the Search Properties tabs are displayed across the bottom of the page, select the Event Details tool bar button. The Event Details pane will replace the Search Properties tabs.
4. Use the Hide Details right-click command to hide the Event Details pane.

In addition to the search properties and event details, ChangeAuditor also provides access to an audited event knowledge base, which contains detailed descriptions for each audited event, including information about how ChangeAuditor detected the configuration change event, what the changed parameter controls, and the consequence of such a change. The knowledge base entries also include links to articles or documents that offer additional information about the audited event.

To display the knowledge base entry for an event:
1. Open a Search Results tab and select an audited event from the Search Results grid.
2. Right-click the audited event and select the KnowledgeBase menu command, or from the Event Details pane, select the KnowledgeBase tool bar button.
3. This will launch your browser and display the knowledge base article for the selected event.

NOTE: If the offline knowledge base is installed and the Actions | Use Offline KnowledgeBase menu command is selected (checked), the local copy of the knowledge base will be accessed; if not, the online version of the knowledge base will be displayed. (To install the offline knowledge base, use the NetPro ChangeAuditor Offline Knowledge Base.msi file. Please refer to the ChangeAuditor Installation Guide for information on installing the offline knowledge base.)

Previewing Search Results
NetPro found that customers modify a search three times on average. Thus, the criteria definition is now in-line with the results, which enables you to preview and modify the results without closing and opening multiple dialogs as in the past.

To modify search properties and preview the results:
1. Open a Search Results tab and select/highlight an audited event from the Search Results grid.
2. Either select the Search Properties tool bar button (or right-click the audited event and select the Show Properties menu command) to display the Search Properties tabs across the bottom of the page.
NOTE: If the Event Details pane is displayed, use the Search Properties tool bar button to replace it with the Search Properties tabs.
3. Use these tabbed pages to modify the criteria used in the selected search.
4. After modifying the search criteria, select the Preview Changes tool bar button from one of the tabbed pages.
5. The results of the modified search will then be displayed in the Search Results page already being displayed.
6. Once you have achieved the desired results and you want to save the modifications made to the search, use the Save or Save As button on one of the Search Properties tabs.

Comparing Results Side-by-Side
ChangeAuditor now allows you to run two searches side-by-side simultaneously. When multiple ChangeAuditor pages are open, you can split the current screen to display two or more pages at the same time. For example, you can view multiple search results pages in the ChangeAuditor client, allowing you to compare the results against each other.

NOTE: For optimal viewing, this feature should be used in a dual monitor configuration.

To compare results side-by-side:
1. Run the searches to be compared. On the Search Results pages, we recommend that you hide the Event Details or Search Properties tabs so that when the screen splits, you will have more space for viewing audited events.
2. Right-click the heading tab of one of these Search Results pages and select one of the following commands:
• New Horizontal Tab Group - to view two or more panes down the screen.
• New Vertical Tab Group - to view two or more panes across the screen.
3. This will split the screen (either horizontally or vertically, depending on the command selected), displaying multiple pages in the single view.
4. To move a page from one pane to another, right-click the heading tab of the page to be moved and select the Move to Next Tab Group menu command. This will move the selected page to the other pane displayed. To move this page back, right-click the heading tab and select the Move to Previous Tab Group menu command.
5. To close the split screen and return to a single pane, use the Action | Reset Display menu command.

Printing Search Results
Once ChangeAuditor captures a configuration change, it provides several flexible ways to generate meaningful reports. ChangeAuditor’s built-in reports provide views for the most common and complex requests, and all the configuration change information returned is displayed in the ChangeAuditor Client. From the ChangeAuditor Client, you can then print, save, or publish the displayed results.

To print the displayed Search Results page:
1. Open the Search Results page to be printed and select the File | Print menu command or the Print tool bar button. This will print the audited event information returned as a result of executing a search definition.
2. When this command is selected, the native Print dialog will be displayed, allowing you to specify your print options.

To preview a report prior to printing:
1. Use the File | Print Preview menu command (or expand the Print tool bar button and select the Print Preview option).
2. Use the controls at the top of the preview screen to print the report, display multiple or selected pages, zoom, and close the preview screen.

To save the displayed Search Results page to a file:
1. Open the Search Results page to be exported and select the File | Print to File menu command (or expand the Print tool bar button and select the Print to File option).
2. The native Save As dialog will be displayed, allowing you to specify the file name, location and type of file to be saved (.xls or .csv).
3. After making your selections, use the OK button to save your selection and close the dialog. Use the Cancel button to close the dialog without saving your selections.

Search Results Page
A new results page is created whenever a search is run.
When a search is run, this page displays detailed information about the audited events found as a result of the search. The Search Results page consists of the following components: • Tool Bar • Search Results Grid • Search Properties Tabs • Event Details Pane Search Results 142 ChangeAuditor Tool Bar Use the tool bar buttons to specify what is to be displayed at the bottom of the Search Results page and/or to print the contents of the page: Search Properties Select the Search Properties tool bar button to display the search properties tabs across the bottom of the page. These tabbed pages allow you to view the criteria used in the search. This button is only available when the Event Details pane is being displayed. Event Details Select the Event Details tool bar button to display the Event Details pane at the bottom of the page. This pane may contain additional information about the selected event. This button is only available when the Search Properties tabs are being displayed. Print Use the Print button to send the current search results to the designated printer. When you select this command, the native Print dialog will be displayed allowing you to specify various print options. Print | Print to File Expand the Print button and select the Print to File command to save the current search results to an Excel (.xls) or Comma Delimited (.csv) file. When you select this command, the native Save As dialog will be displayed allowing you to specify the location, file name and type of file to be created. Print | Print Preview Expand the Print button and select the Print Preview command to display the print layout prior to printing it. Print | Page Setup Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog allowing you to define the paper, page orientation and margins. 
Search Results Grid

The Search Results Grid is the main display area of the Search Results page and displays the audited events captured as a result of running a search from the Searches page. The top area of the grid displays the following information:

Run on - The Run On field displays the date and time when the search was run.

Run Time - The Run Time field displays the amount of time it took to run the search.

Records - The Records field displays the total number of records returned.

Refresh - Use the Refresh button to redisplay the latest information.

Cancel - When a large number of records are being captured for display, the Refresh button will become a Cancel button allowing you to cancel the search.

When a grouping is created (i.e., a column heading is dragged up into the heading area to group the data), three icons are added to the heading area which can be used to display the data in a different format.

NOTE: When multiple groupings are created (i.e., more than one heading is dragged to the heading area), the pie chart and bar graph are not available.

The following icons/formats are available:

Data Grid - Select the data grid icon to redisplay the data in the grid format (default format).

Pie Chart - Select the pie chart icon to display a pie chart showing the correlated data. Move your cursor over the pieces in the pie chart to display the label and number of items that make up that piece of the pie.

Bar Graph - Select the bar graph icon to display a bar graph showing the correlated data. Move your cursor over the bars in the graph to display the label and number of items that make up that bar.

By default, the grid contains the following information about the audited events returned when a search is run. (You can specify the columns, sort order and grouping for a search by using the Advanced search properties tab.)
Severity - This column displays the severity assigned to a configuration change event:
• High
• Medium
• Low

Time Detected - This column displays the date and time when the change took place.

Subsystem - This column defines the subsystem, or area of auditing, where the change event occurred.

User - This column displays the name of the user who initiated the change.

Event - This column displays the type of change that occurred.

Server - This column displays the name of the server where the change occurred.

Action - This column displays what change was made to the object.

Facility - This column defines the event class facility to which the change event belongs.

Site - This column displays the name of the site where the agented server resides.

Domain - This column displays the name of the domain to which the agented server belongs.

Right-clicking an entry in the search results grid displays the following menu commands:

Copy - Use the Copy command to copy the event details for the selected audited event to the clipboard.

NOTE: You can also hold down the Shift key while selecting the Copy command to copy additional event details to the clipboard. This additional information may be requested from the NetPro Technical Support staff for troubleshooting purposes.

Email - Use the Email command to launch the email client that is configured on the client machine allowing you to email the event details for the selected audited event. If no mail client is configured, the New Connection Wizard will be launched allowing you to set up the mail client to be used.

NOTE: You can also hold down the Shift key while selecting the Email command to email additional event details. This additional information may be requested from the NetPro Technical Support staff for troubleshooting purposes.

KnowledgeBase - Use the KnowledgeBase command to display the knowledge base entry for the selected audited event.
Why - Use the Why command to add a comment to the event details for the selected event. Selecting this command will display the Why dialog allowing you to enter a new comment or append to an existing one.

Show Properties | Hide Properties - When the Search Properties tool bar button is selected (highlighted), use the Show Properties and Hide Properties commands to display or hide the Search Properties tabs for the selected audited event.

Show Details | Hide Details - When the Event Details tool bar button is selected (highlighted), use the Show Details and Hide Details commands to display or hide the Event Details pane for the selected audited event.

Search Properties Tabs

Use the Search Properties tool bar button or the Show Properties right-click command to display the Search Properties tabs across the bottom of the screen. This view consists of tabbed pages defining the criteria or properties which make up the selected search. The tabbed pages displayed are:

• Info - displays the name and description of the search definition
• Who - displays the user(s), computer(s) and group(s) included (or excluded)
• What - displays ‘what’ objects were included (or excluded)
• Where - displays the site(s), domain(s) and agent(s) where the search was conducted (or not conducted)
• When - displays the date and/or time range used to limit your search
• Why - displays the specific comments that were included in the search
• Alert - displays how and where alerts were dispatched

In addition, the following tabs can be displayed using the appropriate Action menu command:

• SQL - displays the SQL script used to create the selected search definition (Action | Show SQL Tab)
• XML - displays the XML code used to render the results of the selected search (Action | Show XML Tab)
• Advanced - displays the data (columns) to be retrieved from the database and the sort order for displaying the retrieved data (Action | Show Advanced Tab)

Refer to Search Properties Tabs on page 76 for a detailed explanation of all the Search Properties tabs.

Event Details Pane

The Event Details pane is displayed when you select the Event Details tool bar button or the Show Details right-click command on a Search Results page, or when you double-click an event in the search results grid on either the Overview page, a Search Results page or the Alert History page.

This pane is displayed at the bottom of the screen (replaces the Search Properties tabs) and provides the following details about the event selected/highlighted in the data grid at the top of the page:

Severity - The severity level assigned to the search is displayed in the upper left-hand corner.

Who - This field specifies the name of the user who initiated the change.

Where - This field displays the name of the server where the change occurred.

When - This field specifies the date and time when the change occurred.

What - This field displays a brief description of the change that occurred. There are three basic types of events generated that determine the ‘what’ information that will be displayed:
• Occurrence events (e.g., an object is created or deleted)
• Change events
• Delta events (e.g., DACL/SACL changes)

Depending on the type of audited event, the following information may be displayed:

Sub-System - The first field defines the subsystem, or area of monitoring, where the change event occurred (e.g., Active Directory, Service, Group Policy, etc.).

Action - This field defines the action associated with the selected event.

Facility - This field defines the event class facility to which the change event belongs.
Class - For Active Directory and Exchange events, this field displays the object class that was modified.

Attribute - If an attribute has been modified, this field displays the name of the attribute.

Object - For Active Directory and Exchange events, this field displays the name of the object that was modified.

Service - For Service events, this field displays the name of the service(s) that were modified.

Key - For Registry events, this field displays the name of the registry key that was modified.

Value - For Registry events, this field displays the registry value that was modified.

Policy - For Group Policy events, this field displays the name of the group policy that was modified.

Section - For Group Policy events, this field displays what section of the group policy was modified.

Item - For Group Policy events, this field displays the group policy item that was modified.

From - This text box lists the old value that was assigned to the object.

NOTE: This information does not apply to permission/ACL (Access Control List) type changes or SQL events and is replaced with the Change Details section. This information is also not available for occurrence type events, e.g., when an object is created or deleted.

To - This text box lists the new value that is now assigned to the object.

NOTE: This information does not apply to permission/ACL type changes or SQL events and is replaced with the Change Details section. This information is also not available for occurrence type events, e.g., when an object is created or deleted.

The buttons across the top of this pane allow you to access the online knowledge base, copy the details to the clipboard, or send the event details to another person.

Copy - Use the Copy button to copy the displayed audited event details to the clipboard.

NOTE: You can also hold down the Shift key while selecting the Copy button to copy additional event details to the clipboard. This additional information may be requested from the NetPro Technical Support staff for troubleshooting purposes.

Email - Use the Email button to launch the email client that is configured on the client machine allowing you to email the selected event details. If no mail client is configured, the New Connection Wizard will be launched allowing you to set up the mail client to be used.

NOTE: You can also hold down the Shift key while selecting the Email button to email additional event details. This additional information may be requested from the NetPro Technical Support staff for troubleshooting purposes.

Print - Use the Print button to send the displayed audited event details to a designated printer.

Print | Print to File - Expand the Print button and select the Print to File command to save the displayed audited event details to a file.

Print | Print Preview - Expand the Print button and select the Print Preview command to display the print layout prior to printing it.

Print | Page Setup - Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog allowing you to define the paper, page orientation and margins.

KnowledgeBase - Use the KnowledgeBase button to display the knowledge base entry for the selected audited event.

Why - Use the Why button to enter a comment for the selected audited event. Selecting this button will display the Why dialog allowing you to enter a new comment or append to an existing comment.

NOTE: You can display comments as an additional column in the main Search Results grid by selecting/checking Comment in the left-most table on the Advanced tab.
ChangeAuditor Knowledge Base

ChangeAuditor’s knowledge base contains detailed descriptions of each audited event, including information about how ChangeAuditor detected the configuration change event, what the changed parameter controls, and the consequences of such a change. These knowledge base entries may also contain links to articles or documents that offer additional information about the audited event.

To launch the knowledge base:

• From the Search Results page, right-click an audited event in the Search Results grid and select the KnowledgeBase menu command.
• From the Event Details pane, use the KnowledgeBase tool bar button.

NOTE: If the offline knowledge base is installed and the Actions | Use Offline KnowledgeBase command is selected (checked), the local copy of the knowledge base will be accessed; if not, the online version of the knowledge base will be displayed. (To install the offline knowledge base, use the NetPro ChangeAuditor Offline Knowledge Base.msi file. Please refer to the ChangeAuditor Installation Guide for information on installing the offline knowledge base.)

Chapter 6: Custom Active Directory Auditing

ChangeAuditor provides in-depth, real-time auditing for key Active Directory configuration changes. ChangeAuditor allows you to enable/disable the auditing of individual audited events so that ChangeAuditor is auditing only those events that are vital to your organization’s operation. In addition, ChangeAuditor allows you to modify the severity level (High, Medium, or Low) and description assigned to each audited event. The severity level is used by ChangeAuditor when processing events and to help you in determining the potential level of risk associated with each configuration change event.

By default, ChangeAuditor audits the Enterprise for changes made to the user, group and computer object classes. However, using the custom Active Directory Object Auditing feature, you can go a step deeper and specify where you want to conduct the audit as well as the object class(es) you want to audit. You can also use the Member of Group auditing feature to limit your search to users based on their group membership.

ChangeAuditor’s Custom Attribute Auditing feature allows you to further customize ChangeAuditor to meet your auditing requirements by specifying the individual schema attributes to be audited. This feature also allows you to assign a severity for the attributes being monitored.

This chapter explains how to use these features to customize ChangeAuditor to meet your auditing needs:

• Enabling/disabling event auditing and modifying an event’s severity level or event class description
• Defining custom Active Directory object auditing
• Defining custom attribute auditing
• Defining a Member of Group auditing list

Enabling/Disabling Event Auditing

ChangeAuditor allows you to enable or disable audited events to best suit your organization. In addition, each event has been assigned a severity level and a description, which can also be changed based on your organization’s operation. To view or modify the current event auditing settings, use the Audit Events page, which is accessible through the Administration Tasks tab.

Please refer to the ChangeAuditor Event Reference Guide for a complete list of the events audited by ChangeAuditor and their default severity setting. For a list of the events that are disabled by default in ChangeAuditor, please refer to Appendix C: Disabled Events on page 273.

To disable/enable individual events:

1. Open the Administration Tasks tab using the View | Administration menu command or the F12 function key.
2. In the left-hand pane of the Administration Tasks tab, select Audit Events (under the Auditing heading) to display the Audit Events page.
3. To disable an event, select the event to be disabled and select the Disable tool bar button, or place your cursor in the corresponding cell in the Enabled column and select Disabled from the drop-down menu. (When using the Disable tool bar button, you can select multiple events using the Shift or Ctrl keys.)
4. To enable an event, select the event to be enabled and select the Enable tool bar button, or place your cursor in the corresponding cell in the Enabled column and select Enabled from the drop-down menu. (When using the Enable tool bar button, you can select multiple events using the Shift or Ctrl keys.)

To modify an event’s severity level:

1. Open the Administration Tasks tab and then the Audit Events page.
2. Select one or more event(s) from the list and select the appropriate Severity (High, Medium or Low) tool bar button. Use the Shift or Ctrl keys to select multiple events. You can also change an individual event’s severity level by placing your cursor in the corresponding cell in the Severity column and selecting the appropriate severity level from the drop-down menu.
3. To reset an event’s severity to the factory default, select the event(s) and use the Default tool bar button.

To modify an event class description:

1. Open the Administration Tasks tab and then the Audit Events page.
2. Select the event from the list and select the Edit tool bar button. Selecting this button will display a dialog listing the existing description and allowing you to enter a new description for the selected event.
3. On this dialog, enter the new description for the selected event and select OK.

Audit Events Page

The Audit Events page lists all of the events available for auditing by ChangeAuditor. It also displays the facility to which the event belongs, the severity assigned to each event and whether the event is enabled or disabled.

NOTE: Changes made on this page are global and will apply to ALL NetPro Compliance Agents.
The Audit Events page contains the following information/controls:

Audit Events list box - The Audit Events list box contains an alphabetical list of all the ChangeAuditor events along with the following information:
• Severity
• Facility Name
• Event Class
• Enabled

To disable or change the severity of an event, select/highlight the event(s) to be disabled or modified and select the appropriate button, as described below.

Edit - Use the Edit button to modify the event class description for an event. Selecting this button will display a dialog listing the existing description and allowing you to enter a new description for the selected event.

High - Use the High button to change the selected event(s) severity to High. The value in the Severity column will change to ‘High’.

Medium - Use the Medium button to change the selected event(s) severity to Medium. The value in the Severity column will change to ‘Medium’.

Low - Use the Low button to change the selected event(s) severity to Low. The value in the Severity column will change to ‘Low’.

Enable - Use the Enable button to enable the selected disabled event(s). You can select multiple events using the Shift or Ctrl keys.

Disable - Use the Disable button to disable the selected event(s). You can select multiple events using the Shift or Ctrl keys. For a list of events that are disabled by default, please refer to Appendix C: Disabled Events on page 273.

Default - Use the Default button to reset the severity and enabled settings of the selected event(s) back to the factory defaults.

Print - Use the Print button to send the contents of the Audit Event Configuration dialog to a designated printer.

Print | Print to File - Expand the Print button and select the Print to File command to save the contents of the Audit Events page to either an Excel (.xls) or a Comma Delimited (.csv) file. Selecting this button will display the native Save As dialog allowing you to specify a file name, location and file type to be saved.

Print | Print Preview - Expand the Print button and select the Print Preview command to display the print layout of the selected page prior to printing it.

Print | Page Setup - Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog allowing you to define the paper, page orientation and margins.

Custom Active Directory Object Auditing

By default, ChangeAuditor audits the Enterprise for changes made to the user, group and computer object classes. More specifically, an audited event is generated whenever an object is added, moved, removed or renamed from one of these object classes. Using the Custom Active Directory Object Auditing feature, however, you can go a step deeper and specify where you want to conduct the audit (e.g., Enterprise, an individual object, etc.) as well as the object class(es) to be audited. To define custom Active Directory object auditing, use the Active Directory Auditing page, which is accessible through the Administration Tasks tab.

To define custom Active Directory object auditing:

1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Active Directory (under the Auditing heading) to display the Active Directory Auditing page. (This page is displayed whenever the Administration Tasks tab is initially opened.)
3. Use the Add tool bar button to launch the Audited Active Directory Object wizard, which steps you through the process of defining the objects and object classes to be audited by ChangeAuditor.
   • From the first page, select where to conduct the audit (i.e., the enterprise, an object, an object and its direct child objects only, or an object and all child objects) and what (i.e., directory object or container) is to be audited.
   • On the second page, select the object classes to be audited.
4. After selecting the object classes to be audited, select the Finish button to save your selection, close the wizard and return to the Active Directory Auditing page. The selected Active Directory object will now be listed on the Active Directory Auditing page.

Active Directory Auditing Page

The Active Directory Auditing page contains a list of the Active Directory objects selected for auditing by ChangeAuditor.

NOTE: If you receive a message stating that the client is unable to acquire exclusive access to object monitoring, another user is using the Active Directory Auditing page; all of the tool bar buttons will therefore be deactivated, preventing you from making any changes.

The Active Directory Auditing page contains the following information/controls:

Audited Objects - This list box contains an expandable view of the Active Directory objects selected for auditing. Initially, the list box will contain an entry for auditing all user, computer, and group object classes in the entire enterprise. The view groups the information by object (e.g., enterprise), which can be expanded to view the object class(es) and monitored attributes. To add an object to this list, use the Add tool bar button. Once added, the following information will be displayed:

Object - This column displays the distinguished name of the object.

Scope - This column displays the scope of coverage: Forest, Object, One Level or SubTree.

If the view is not already expanded, click the expansion box to the left of an object to expand the view to display the object class(es) and monitored attributes to be audited in the object.
Object Class - This column provides the object class being audited (e.g., computer, user, group, etc.)

NOTE: The Object Class cell in the main (topmost) heading is used for filtering data. That is, as you enter characters into this cell, the client will redisplay only the object classes that start with the character(s) entered, regardless of their object category. See Filtering Data in Expanded Views on page 47 for more information on using this feature.

Monitored Attributes - This column displays the number of schema attributes selected for auditing by ChangeAuditor for each object class listed. Attribute auditing is specified using the Attribute Auditing page.

Use the tool bar buttons across the top of this page as described below:

Add | Select Multiple Objects - Use the Add button (or expand the Add button and select the Select Multiple Objects command) to launch the Audited Active Directory Object wizard which steps you through the process of defining the objects, classes and/or attributes to be audited by ChangeAuditor.

Delete - Use the Delete button to remove an entire object entry from the list box (e.g., auditing at the Enterprise level).

Delete | Delete Object Class - Expand the Delete button and select the Delete Object Class option to delete an individual object class from the list box (e.g., a group at the Enterprise level).

Edit - Use the Edit button to launch the Audited Active Directory Object wizard to modify the object, class and/or attributes included in the selected audited object.

Print - Use the Print button to send the contents of the Active Directory Auditing page to a designated printer.

Print | Print to File - Expand the Print button and select the Print to File command to save the contents of the Active Directory Auditing page to either an Excel (.xls) or Comma Delimited (.csv) file. This command will display the native Save As dialog allowing you to specify the file name, location and file type to be saved.

Print | Print Preview - Expand the Print button and select the Print Preview command to display the print layout of the selected page prior to printing it.

Print | Page Setup - Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog allowing you to define the paper, page orientation and margins.

Audited Active Directory Object Wizard

The Audited Active Directory Object wizard is launched when the Add button is selected from the tool bar of the Active Directory Auditing page. This wizard will step you through the process of defining additional Active Directory objects to be audited by ChangeAuditor. It consists of the following pages:

• Select Directory Object page - use this page to select a directory object or container for auditing.
• Select Object Class page - use this page to select the object classes to be audited by ChangeAuditor.

Select Directory Object Page

From the first page of the wizard, select where to conduct the audit (e.g., enterprise) and what (i.e., directory object or container) is to be audited using the following controls:

Scope - Select the scope of coverage from the following options:
• Enterprise - select this option to audit the entire enterprise
• This Object - select this option to audit an individual object
• This Object and Child Objects Only - select this option to audit an object and its direct child objects
• This Object and All Child Objects - select this option to audit an object and all of its subordinate objects (all levels)

Object Picker - Use the Browse or Search pages to locate the directory object or container to be audited. See Using the Object Picker on page 38 for a description of the Browse, Search and Options pages.

Once you have located the desired directory object or container, select/highlight it and then select Next to proceed to the next page.

Select Object Class Page

Use the controls on the second wizard page to select the object classes to be audited.

UnAudited Object Class - The list box to the left of this page contains a list of all the unaudited object classes available for the object/container selected on the previous page. Select one or more unaudited object classes and use the Add button to select them for auditing.

Audited Object Class - The list to the right of this page contains a list of all the object classes selected for auditing. Select one or more audited object classes and use the Remove button to remove them from auditing.

After selecting the object classes to be audited, select the Finish button to save your selection, close the wizard and return to the Active Directory Auditing page. The selected object will be listed on the Active Directory Auditing page.

Custom Attribute Auditing

Using the Custom Attribute Auditing feature, you can customize ChangeAuditor by specifying the individual schema attributes to be audited. In addition to specifying individual attributes for auditing, you can also assign a severity to the attributes being audited. Use the Attribute Auditing page on the Administration Tasks tab to define custom attribute auditing.

NOTE: Every three hours, the repository builds a list of attributes from Active Directory and saves it to the database.

To define custom attribute auditing:

1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Attributes (under the Auditing heading) to open the Attribute Auditing page.
3. Select an object class from the list box located across the top of this page. (This list box contains the default object classes and the object classes selected on the Active Directory Auditing page.) Selecting an entry in this list box will populate the list boxes across the bottom of the dialog with the applicable attributes.
4. In the Unmonitored Attribute list box, located in the lower left-hand pane of this page, select one or more attributes and use the Add button to select them for auditing.
5. To change the severity level assigned to an attribute, in the right-hand list box, place your cursor in the Severity cell and use the drop-down arrow to select the severity you want to assign to the selected attribute.
6. To remove an attribute from auditing, select the attribute from the right-hand pane and select the Remove button. Selecting this button will move the selected attribute back into the Unmonitored Attribute list box.
7. Once you have selected at least one attribute for auditing, the associated Monitored Attributes column in the list box across the top of this page will display the number of attributes selected for auditing. This value will also be displayed in the Monitored Attributes column back on the Active Directory Auditing page.

Attribute Auditing Page

The Attribute Auditing page is displayed when Attributes is selected in the Explorer View of the Administration Tasks page. Using the Attribute Auditing feature, you can customize ChangeAuditor to meet your auditing requirements by specifying the individual schema attributes to be audited. In addition to specifying individual attributes for auditing, you can also assign a severity.

The page consists of the following information/controls:

Attributes list box - The list box located across the top of this page lists the object classes that can be selected to define attribute auditing. More specifically, this list box contains the object classes selected on the Active Directory Auditing page.
Selecting an entry in this list box will populate the list boxes across the bottom of the dialog with the applicable attributes. The following information is displayed for each object class:

Severity - This column displays the severity assigned to the object class(es) listed. To change the severity, place your cursor in the Severity cell and use the drop-down arrow to select the severity you want to assign to the selected object.

Monitored Attributes - This column displays the number of attributes selected for auditing within each schema class. This number should match the number of attributes displayed in the Monitored Attributes list box at the bottom of the page (right pane).

Schema Class - This column displays the names of the different schema classes available for auditing.

Unmonitored Attributes list box - The Unmonitored Attributes list box, located in the lower left-hand pane of this page, displays the attributes that are currently NOT being audited by ChangeAuditor for the selected schema class. Select one or more attributes from this list box and use the Add button to select them for auditing.

Monitored Attributes list box - The Monitored Attributes list box, located in the lower right-hand pane, contains the attributes that are currently selected for auditing by ChangeAuditor for the selected schema class. Select one or more attributes from this list box and use the Remove button to remove them from auditing. In addition to the attribute, the assigned severity is also displayed. To change the severity level assigned to an attribute, place your cursor in the Severity cell and use the drop-down arrow to select the severity you want to assign to the selected attribute.

Use the tool bar buttons to print the contents of the Attribute Auditing page:

Print - Use the Print button to send the contents of the Attribute Auditing page to a designated printer.
• Print | Print to File: Expand the Print button and select the Print to File option to save the contents of the Attribute Auditing page to either an Excel (.xls) or Comma Delimited (.csv) file. This command will display the native Save As dialog allowing you to specify the file name, location and file type to be saved.
• Print | Print Preview: Expand the Print button and select the Print Preview command to display the print layout of the selected page prior to printing it.
• Print | Page Setup: Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog allowing you to define the paper, page orientation and margins.

Member of Group Auditing

The Member of Group auditing feature allows you to audit specific users based on their group membership.

NOTE: By default, ChangeAuditor monitors all users; therefore, in order to use this feature, you must first delete the user object class from the Active Directory Auditing page.

To define a Member of Group Auditing list:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Member of Group (under the Auditing heading) to display the Member of Group Auditing page.
3. Use the Add tool bar button to display the Select one or more Directory Objects dialog to locate and select the group(s) whose users are to be audited by ChangeAuditor.
4. Use the Browse and Search pages to locate and select a group and use the Add button to add the selected group to the Selected Objects list box at the bottom of the dialog.
5. Repeat step 4 until you have selected all of the groups you want to add to the Member of Groups Auditing list and use the Select button to close the dialog and return to the Member of Group Auditing page, where your selections will now be listed.
Member of Group Auditing Page

The Member of Group Auditing page is displayed when Member of Group is selected in the explorer view of the Administration Tasks page. Using the Member of Group Auditing feature, you can customize ChangeAuditor to meet your auditing requirements by specifying the users to be audited based on their group membership.

Member of Groups Auditing List: This list contains the groups whose users are to be audited by ChangeAuditor based on their group membership. The following information is displayed for each group:
• Type: This column displays the type of directory object selected for Member of Group auditing (e.g., group).
• Group: This column displays the name of the group.
• DisplayName: If applicable, this column shows the display name assigned to the groups listed.

Use the tool bar buttons to add or delete groups in the list and to print the contents of the Member of Group Auditing page:
• Add: Select the Add button to add a group to the Member of Group auditing list. Selecting this command will display the Select one or more Directory Objects dialog allowing you to select one or more groups to be added to the Member of Groups auditing list. See Select One or More Directory Objects Dialog on page 96 for more information about using this dialog to locate and select groups for the Member of Group auditing list.
• Delete: Use the Delete button to remove an entry from the Member of Group Auditing list.
• Print: Use the Print button to send the contents of the Member of Group Auditing page to a designated printer.
• Print | Print to File: Expand the Print button and select the Print to File option to save the contents of the Member of Group Auditing page to either an Excel (.xls) or Comma Delimited (.csv) file. This command will display the native Save As dialog allowing you to specify the file name, location and file type to be saved.
• Print | Print Preview: Expand the Print button and select the Print Preview command to display the print layout of the selected page prior to printing it.
• Print | Page Setup: Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog allowing you to define the paper, page orientation and margins.

Chapter 7: Exchange Mailbox Auditing

NOTE: Exchange auditing is ONLY available if you have licensed the ChangeAuditor for Exchange add-on module. Please contact your NetPro sales representative for more information.

To enable Exchange Mailbox auditing, you must first define whose mailbox activities (users or groups) are to be audited.
1. Open the Administration Tasks | Exchange Mailbox Auditing page to create a list of directory objects whose mailbox activities are to be audited. For more information on creating an Exchange Mailbox Auditing list, please refer to Defining Exchange Mailbox Auditing List on page 168.
2. In ChangeAuditor, some of the Exchange Mailbox events are disabled by default due to the potentially high volume of events that can occur. For a complete list of Exchange Monitoring events that are disabled by default, please see Appendix C: Disabled Events on page 273 or the ChangeAuditor Event Reference Guide. If you want to capture audited events for any of these events, you will need to enable them from the Administration Tasks | Audit Events page. For more information on enabling/disabling audit events, please refer to Enabling/Disabling Event Auditing on page 154.

Warning: When the Message read by non-owner event is enabled and a mailbox is moved from one mailbox store to another, ChangeAuditor will generate an audited event for every email in the mailbox that is being moved.
For example, if a user has 1,000 emails in his/her mailbox, you will receive 1,000 Message read by non-owner events in ChangeAuditor.

This chapter provides instructions for defining an Exchange Mailbox Auditing list and a description of the Exchange Mailbox Auditing page.

Defining Exchange Mailbox Auditing List

The list of Directory Objects on the Exchange Mailbox Auditing page defines which directory objects’ mailbox activities will be audited by ChangeAuditor.

To define an Exchange Mailbox Auditing list:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Exchange Mailbox (under the Auditing heading) to open the Exchange Mailbox Auditing page.
3. Select the Add tool bar button to display the Select One or More Directory Objects dialog allowing you to select the directory object(s) to be added to the Exchange Mailbox Auditing list.
4. Use the Browse and Search pages to locate and select a directory object (i.e., BuiltinDomain, Domain-DNS, Organizational Unit, User or Container) and use the Add button to add the selected object to the Selected Object list at the bottom of this dialog.
5. Repeat Step 4 until you have selected all the directory objects you want added to the Exchange Mailbox Auditing list and use the Select button to close this dialog and return to the Exchange Mailbox Auditing page, where your selections will now be listed.

Exchange Mailbox Auditing Page

To enable Exchange Mailbox auditing in ChangeAuditor, you must first specify whose mailbox activities are to be audited. To do this, you will use the Exchange Mailbox Auditing page, which is displayed when Exchange Mailbox is selected in the navigation pane of the Administration Tasks page.
NOTE: The directory objects listed on this page only apply to the events grouped under the Exchange Mailbox Monitoring facility, not any of the other Exchange facilities.

This page consists of the following information/controls:

Exchange Mailbox Auditing list box: This list box lists the directory objects selected for Exchange Mailbox auditing in ChangeAuditor. The following information is displayed for each object:
• Type: This column displays the type of directory object selected for Exchange Mailbox auditing (i.e., Builtin-Domain, Domain-DNS, Organizational Unit, User, or Container).
• Exchange Mailbox: This column displays the name of the Exchange mailbox associated with the directory objects listed.
• Display Name: If applicable, this column shows the display name assigned to the directory objects listed.

Use the tool bar buttons across the top of this page as described below:
• Add: Use the Add button to define whose Exchange Mailbox activities are to be audited. Selecting this button will display the Select one or more Directory Objects dialog allowing you to select the directory object(s) to be audited. See Select One or More Directory Objects Dialog on page 96 for more information about using this dialog to locate and select directory objects for the Exchange Mailbox Auditing list.
• Delete: When one or more directory objects are selected in the list box, use the Delete button to remove the selected directory object(s) from the list box.
• Print: Use the Print button to send the contents of the Exchange Mailbox Auditing page to a designated printer.
• Print | Print to File: Expand the Print button and select the Print to File command to save the contents of the Exchange Mailbox Auditing page to a file. This command will display the native Save As dialog allowing you to specify the file name and location.
• Print | Print Preview: Expand the Print button and select the Print Preview command to display the print layout of the selected page prior to printing it.
• Print | Page Setup: Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog allowing you to define the paper, page orientation and margins.

Chapter 8: File System Auditing

ChangeAuditor offers expanded File System coverage to include auditing of both file and folder reads and opens. Granular selection allows the auditing scope to be set on an individual file or folder or an entire sub-tree. The File System Auditing feature also allows you to include or exclude certain files or folders from the audit scope in order to ensure a faster and more efficient audit process.

NOTE: File System auditing is ONLY available if you have licensed the ChangeAuditor for File System add-on module. Please contact your NetPro sales representative for more information.

To capture File System audited events in ChangeAuditor, you must first complete the following steps to define the files/folders to be audited and the operations to be captured:
1. Create a File System Auditing template which specifies the files/folders and operations to be audited. For more information on creating a template, please refer to File Auditing Wizard on page 177.
2. Add this template to an agent configuration. For more information on how to add a template to an agent configuration, please refer to Defining Agent Configurations on page 218.
3. Assign the agent configuration to NetPro Compliance Agents. For more information on how to assign an agent configuration to an agent, please refer to Assigning Agent Configurations to Agents on page 219.
This chapter provides instructions for creating File System Auditing templates, as well as a description of the File System Auditing page, File Auditing wizard and File System Auditing Configuration dialog.

Creating File System Auditing Templates

Best Practice: NetPro recommends a phased approach to setting up file/folder auditing for all servers. A phased approach will allow file/folder auditing to be deployed in stages so that repository performance is not degraded.

In order to enable File System auditing in ChangeAuditor, you must first create a File System Auditing template which specifies the files/folders and changes to be audited. You can then add this template to an agent configuration, which then needs to be assigned to the appropriate NetPro Compliance Agents.

To create an auditing template for a file:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select File System (under the Auditing heading) to open the File System Auditing page.
3. Use the Add | Add Template button to launch the File Auditing wizard which will step you through the process of creating a File System Auditing template.
• From the first page of the wizard, enter a name for the template and select the File option to audit a single file. Then enter a file name (e.g., Drive:\Folder\FileName.ext) or use the Browse button to the far right to locate and select the file to be audited.
• On the last page of the wizard, select (check) the file operations to be audited.
4. After specifying the changes to be audited, use the Finish button to create the template, close the dialog and return to the File System Auditing page. The file and operations specified in the wizard will be displayed in the templates list box.
5. To add another file to this template, select the template and use the Add | Add File Path tool bar button.
Selecting this button will launch the File Auditing wizard allowing you to specify the file to be added to the selected template.
6. Once you have defined a File System Auditing template, open the Agent Configuration page to add this template to an agent configuration.
• Select the Configurations button to open the Configuration Setup dialog.
• Select an existing configuration from the list box or use the Add button to create a new agent configuration.
• Expand the File System Auditing section and select the Add button. Selecting this button will display a dialog from which you can select the template to be added to the selected configuration.
7. After adding the File System Auditing template to an agent configuration, back on the Agent Configuration page, select this agent configuration and use the Assign button to assign it to the appropriate NetPro Compliance Agents.

To create an auditing template for a folder:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select File System (under the Auditing heading) to open the File System Auditing page.
3. Use the Add | Add Template button to launch the File Auditing Wizard which will step you through the process of creating a File System Auditing template.
• From the first page of the wizard, enter a name for the template and select the Folder option to audit a folder or set of files. Enter a folder name (e.g., Drive:\Folder\) or use the drop-down arrow or the Browse button to select the folder to be audited.
When the Folder option is selected, you will be presented with the following options to define the scope of coverage for your audit:
• This Object
• This Object and Child Objects Only
• This Object and All Child Objects
If you selected either the This Object and Child Objects Only or This Object and All Child Objects option on the first page, three additional pages will be displayed:
• On the Select Files/Folders page, you will be prompted to specify the name of the file(s)/folder(s) to be audited.
• On the File Extension Exclusion page, you can enter the file extension(s) that are to be excluded from being audited.
• On the File/Folder Path Exclusion page, you can enter the file and/or folder paths to be excluded from being audited.
• On the last page of the wizard, select (check) the operations to be included in the template.
4. After specifying the changes to be audited, use the Finish button to create the template, close the dialog and return to the File System Auditing page. The folder and options specified in the wizard will be displayed in the templates list box.
5. To add another folder to this template, select the template and use the Add | Add File Path tool bar button. Selecting this button will launch the File Auditing wizard allowing you to specify the folder to be added to the selected template.
6. Once you have defined a File System Auditing template, open the Agent Configuration page to add this template to an agent configuration.
• Select the Configurations button to open the Configuration Setup dialog.
• Select an existing configuration from the list box or use the Add button to create a new agent configuration.
• Expand the File System Auditing section and select the Add button. Selecting this button will display a dialog from which you can select the template to be added to the selected configuration.
7. After adding the File System Auditing template to an agent configuration, back on the Agent Configuration page, select this agent configuration and use the Assign button to assign it to the appropriate NetPro Compliance Agents.

To create a template from the Agent Configuration page:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Agents (under the Configuration heading) to display the Agent Configuration page.
3. Select the Configurations button to display the Configuration Setup dialog which contains a list of configuration definitions already defined as well as the means for creating a new configuration.
4. Select an existing template from the list box or use the Add button to create a new configuration.
5. Expand the File System Auditing section in the right-hand pane and select the Edit button which will display the File Auditing Configuration dialog.
6. On this dialog, select the Add Template button to launch the File Auditing wizard which will step you through the process of creating a new template.
7. After specifying the file(s) and/or folder(s) and operations to be audited, use the Finish button to create the template, close the dialog and return to the File Auditing Configuration dialog.
8. To add another file or folder to this template, select the template and use the Add Path button. Selecting this button will launch the File Auditing wizard allowing you to specify the folder to be added to the selected template.
9. Select OK to close the dialog and return to the Configuration Setup dialog.
10. Back on the Configuration Setup dialog, select this template from the list box and use the Add button in the File System Auditing section to add this template to the selected agent configuration. Select OK to save your selection and close the dialog.
11. Back on the Agent Configuration page, select this agent configuration and use the Assign button to assign it to the appropriate NetPro Compliance Agents.

File System Auditing Page

Select File System (under the Auditing heading) from the navigation pane of the Administration Tasks tab to display the File System Auditing page. From this page you can launch the File Auditing wizard to specify a file or folder to be audited. You can also edit existing templates and remove templates that are no longer being used.

The File System Auditing page contains the following information:

Templates List Box: The Templates list box contains an expandable view of all the File System Auditing templates that have been previously defined. To add a new template to this list, use the Add | Add Template tool bar button. Once added, the following information is provided for each template:
• Template Name: This column displays the name assigned to the template when it was created. Click the expansion box to the left of the Template Name to expand this view and display the following details for each template:
• File Path: This column displays the name of the file path or folder included in the File System Auditing template.
NOTE: The File Path cell in the main (topmost) heading is used for filtering data. That is, as you enter characters into this cell, the client will redisplay only the file paths that contain the character(s) entered, regardless of the File System template to which they belong. See Filtering Data in Expanded Views on page 47 for more information on using this feature.
• Include Ext: This column displays the names of the file or folder to be audited (or a file mask) in each file path listed (i.e., for files, the file name specified on the first page of the wizard and for folders, the file or folder specified on the Select Files/Folders page of the wizard).
• Exclude Ext: This column displays the names of the file extensions that were marked for exclusion from File System auditing (i.e., added to the Excluded File Extensions list box in the File Extension Exclusion page of the wizard).
• Exclude Path: This column displays the names of the individual files/folders selected for exclusion from File System auditing (i.e., added to the Excluded Paths list box in the File/Folder Path Exclusion page of the wizard).
• Scope: This column indicates the scope of coverage specified for each file path in the selected template. For files, this column will be One Level. For folders, this column will depend on the scope option selected on the first page of the wizard:
  • Object - This Object scope
  • One Level - This Object and Child Objects Only scope
  • Subtree - This Object and All Child Objects scope
• Operations: This column displays the file/folder changes selected for auditing on the last page of the wizard. Hover your mouse over this cell to view all of the operations included in the template.

Use the tool bar buttons as described below:
• Add | Add Template: Use the Add button (or expand the Add button and select the Add Template option) to create a new template. Selecting this button will launch the File Auditing wizard which will step you through the process of creating a File System Auditing template.
• Add | Add File Path: Expand the Add button and select the Add File Path option to add files or folders to the selected template. When this button is selected, the File Auditing wizard will be displayed, allowing you to specify the file or folder to be added and the changes to be audited.
• Delete | Delete Template: When a template is selected in the list box, use the Delete button to remove the selected template.
• Delete | Delete File Path: When a file path is selected in the list box, use the Delete button to remove the selected file path from the file system auditing template.
• Edit File Path Options: Use the Edit File Path Options button to modify the options currently selected for the selected file path (e.g., scope, excluded file extensions, excluded files/folders, or operations to be audited).
• Print: Use the Print button to send the contents of the File System Auditing page to a designated printer.
• Print | Print to File: Expand the Print button and select the Print to File command to save the contents of the File System Auditing page to a file. This command will display the native Save As dialog allowing you to specify the file name and location.
• Print | Print Preview: Expand the Print button and select the Print Preview command to display the print layout of the selected page.
• Print | Page Setup: Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog allowing you to define the paper, page orientation and margins.

File Auditing Wizard

The File Auditing wizard is displayed when you select the Add | Add Template button on the File System Auditing page. This wizard steps you through the process of creating a new file system template, identifying the files and/or directories to be included (or excluded) in the template. You will also use this wizard to modify a previously defined File System Auditing template or to add additional files/folders to a template (Add | Add File Path tool bar button).
The File Auditing wizard consists of the following pages:
• Define Template page
• Select Files/Folders page (displayed when the Folder option with This Object and Child Objects Only or This Object and All Child Objects is selected on the first page)
• File Extension Exclusion page (displayed when the Folder option with This Object and Child Objects Only or This Object and All Child Objects is selected on the first page)
• File/Folder Path Exclusion page (displayed when the Folder option with This Object and Child Objects Only or This Object and All Child Objects is selected on the first page)
• Select File/Folder Change page

Define Template Page

From the first page of the wizard, enter a name for the template and select the appropriate option to define what you want to audit.

Template Name: Enter a descriptive name for the file system template being created.

Select a: Select one of the following options to define auditing for a file or folder:
• File - select this option to audit a single file. Then enter a file name (e.g., Drive:\Folder\FileName.ext) or use the Browse button to the far right to locate and select the file to be audited.
• Folder - select this option to audit a folder or a set of files. Then enter a folder name (e.g., Drive:\Folder\) or use the drop-down arrow or the Browse button to select the folder to be audited.

Scope: When the Folder option is selected, you will be presented with the following options to define the scope of coverage for your audit:
• This Object - select this option to audit only the selected folder, not its files or subfolders. (Default)
• This Object and Child Objects Only - select this option to audit the selected folder and its direct files and subfolders. This is not recursive.
• This Object and All Child Objects - select this option to audit this folder and all of its files and subfolders.
After providing a template name, specifying a file or folder and selecting the appropriate scope option(s), use the Next button to proceed to the next page.

Select File/Folder Page

If you selected the Folder option and either the This Object and Child Objects Only or This Object and All Child Objects option on the first page, this page will be displayed allowing you to specify the name of the file(s)/folder(s) to be audited.

Name of File/Folder: Place your cursor in the text box at the top of this page and enter the name of the file or folder to be audited.

NOTE: You can use a mask to select a group of files and/or folders, using any combination of ? and * wildcards (e.g., *.*, *.exe, security*, ?.png, *abc?.tx?). To specify more than one mask, use a vertical bar to separate your entries (e.g., *.tmp|.exe|?.png).

Select the appropriate option to specify whether you want to audit files, folders or both:
• Audit the files that match this name (Default)
• Audit the folders that match this name
• Audit both the files and folders that match this name

After specifying the files/folders to be audited, select the Next button to proceed to the next wizard page.

File Extension Exclusion Page

If you selected the Folder option and either the This Object and Child Objects Only or This Object and All Child Objects option on the first page, this page will be displayed allowing you to exclude individual file extensions from being audited. Optionally, use the options on this page to mark any file extensions that you want to exclude from being audited.

File Extensions: Place your cursor in the text box on this page and enter the file extensions (e.g., *.log, *.tmp, *.exe) that are to be excluded from the selected template. Use a comma to separate multiple entries on a single line or add each file extension separately.

NOTE: File extensions MUST be preceded by an asterisk (e.g., *.log).
Add: Use the Add button to add the specified file extension to the Excluded File Extensions list box.

Remove: Use the Remove button to remove the selected entries from the Excluded File Extensions list. This button is only available when there is an entry in the Excluded File Extensions list box.

Excluded File Extensions: This list box displays the file extensions selected for exclusion from being audited.

Once you have specified the file extensions to be excluded, select the Next button to proceed to the next wizard page.

File/Folder Path Exclusion Page

If you selected the Folder option and either the This Object and Child Objects Only or This Object and All Child Objects option on the first page, this page will be displayed allowing you to exclude individual files or folders from being audited. Optionally, use the options on this page to mark any files or folders that are to be excluded from being audited.

Select a: Select either the File or Folder option to specify what you want to exclude.

Path: The path field is populated based on the selection made on the first page of the wizard. Use the Browse button, to the right of this field, to locate and select an individual file or folder within that path that is to be excluded from ChangeAuditor auditing. When you select an individual file or folder, the path field will be updated to reflect your selection.

NOTE: You can use a mask to select a group of files, using any combination of ? and * wildcards (e.g., c:\windows\nt*install). To specify more than one mask, use a vertical bar to separate your entries. When using wildcards to exclude a group of files, the exclusion is non-recursive.

Add: After identifying the file/folder path, use the Add button to add this path to the Excluded Paths list box. This button is only available after you have identified an individual file/folder to be excluded.

Remove: Use the Remove button to remove the selected path from the exclusion list.
This button is only available when there is an entry in the Excluded Paths list box.

Excluded Paths: This list box displays the file(s) and/or folder(s) that are to be excluded from auditing.

Once you have specified the file(s) and/or folder(s) to be excluded, select the Next button to proceed to the next wizard page.

Select Files/Folders Change Page

This page of the wizard will be populated based on whether you are auditing a file or a folder. From this page, select (check) the operations to be included in the auditing template. You must select at least one operation.

When a File is selected, the following changes can be selected for auditing:
• File access rights changed
• File attribute changed
• File auditing changed
• File created
• File deleted
• File last write changed
• File moved
• File opened (N/A when the ‘This Object and All Child Objects’ option is selected on the first page of the File Auditing Wizard.)
• File ownership changed
• File renamed
• Junction Point created
• Junction Point deleted

When a Folder is selected, the following changes can be selected for auditing:
• Folder access rights changed
• Folder attribute changed
• Folder auditing changed
• Folder created
• Folder deleted
• Folder moved
• Folder opened (N/A when the ‘This Object and All Child Objects’ option is selected on the first page of the File Auditing Wizard.)
• Folder ownership changed
• Folder removed
• Junction Point created
• Junction Point deleted

Select All: Use the Select All button to select (check) all of the changes listed.

Unselect All: Use the Unselect All button to deselect (uncheck) all of the changes listed.

After specifying the changes to be audited, use the Finish button to create the template, close the dialog and return to the File System Auditing page. The file/folder and options specified in the wizard will be displayed in the Templates list box.
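The following Python model, added here as an example and not part of the NetPro guide or ChangeAuditor's own code, shows how the rules described on the wizard pages above (scope, name masks with ? and *, vertical-bar separated mask lists, asterisk-prefixed extension exclusions, and non-recursive wildcard path exclusions) combine to decide whether an operation on a given path falls inside the audit scope of one folder entry of a template. The FolderPath class, its include_kind field and the order in which the rules are applied are assumptions of this model, not documented product behaviour; it is meant for sanity-checking a template design before assigning it to agents.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Scope options offered on the Define Template page of the File Auditing wizard.
SCOPE_OBJECT = "This Object"
SCOPE_ONE_LEVEL = "This Object and Child Objects Only"
SCOPE_SUBTREE = "This Object and All Child Objects"


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a mask in which only ? and * are wildcards (e.g. *.exe, ?.png,
    *abc?.tx?) into a case-insensitive regex that must match the whole string.
    Neither wildcard crosses a backslash, so a path mask never matches
    anything below the object it names (the documented non-recursive rule)."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_any(name: str, masks: str) -> bool:
    """masks is a vertical-bar separated list, as typed on the wizard page."""
    return any(mask_to_regex(m).match(name) for m in masks.split("|") if m)


def valid_extension_mask(ext: str) -> bool:
    """The File Extension Exclusion page requires a leading asterisk (*.log)."""
    return ext.startswith("*")


def depth_below(root: PureWindowsPath, target: PureWindowsPath):
    """Levels target sits below root (0 = the same object), or None when it is
    neither root nor beneath it. PureWindowsPath compares case-insensitively."""
    if target == root:
        return 0
    for depth, parent in enumerate(target.parents, start=1):
        if parent == root:
            return depth
    return None


@dataclass
class FolderPath:
    """One folder entry of a template (hypothetical model, not the product's)."""
    folder: str
    scope: str = SCOPE_OBJECT
    include_masks: str = "*.*"      # Select Files/Folders page, matched literally
    include_kind: str = "files"     # "files", "folders" or "both"
    exclude_ext: list = field(default_factory=list)    # e.g. ["*.log", "*.tmp"]
    exclude_paths: list = field(default_factory=list)  # literal paths or masks

    def __post_init__(self):
        for ext in self.exclude_ext:
            if not valid_extension_mask(ext):
                raise ValueError(f"excluded extension must start with *: {ext}")


def in_audit_scope(entry: FolderPath, path: str, is_folder: bool = False) -> bool:
    """Decide whether an operation on path would be audited under entry."""
    root = PureWindowsPath(entry.folder)
    target = PureWindowsPath(path)
    depth = depth_below(root, target)
    if depth is None:
        return False
    if depth == 0:
        return True                      # the audited folder object itself
    if entry.scope == SCOPE_OBJECT:
        return False                     # no files or subfolders at all
    if entry.scope == SCOPE_ONE_LEVEL and depth > 1:
        return False                     # direct children only, not recursive
    # Select Files/Folders page: the kind of object and its name mask(s)
    wanted_kind = entry.include_kind == "both" or \
        (entry.include_kind == "folders") == is_folder
    if not wanted_kind or not matches_any(target.name, entry.include_masks):
        return False
    # File Extension Exclusion page applies to files only
    if not is_folder and matches_any(target.name, "|".join(entry.exclude_ext)):
        return False
    # File/Folder Path Exclusion page
    for excl in entry.exclude_paths:
        if "*" in excl or "?" in excl:
            # wildcard exclusions are non-recursive: only the matching object
            if mask_to_regex(excl).match(str(target)):
                return False
        elif depth_below(PureWindowsPath(excl), target) is not None:
            return False                 # a literal path excludes its subtree
    return True


# Constructed sample entries (not taken from any real deployment).
FINANCE = FolderPath(
    folder=r"D:\Finance", scope=SCOPE_SUBTREE,
    include_masks="*.xls|*.csv|budget*", include_kind="files",
    exclude_ext=["*.tmp", "*.log"],
    exclude_paths=[r"D:\Finance\Archive", r"D:\Finance\scratch*"],
)
WWWROOT = FolderPath(folder=r"C:\Inetpub\wwwroot", scope=SCOPE_ONE_LEVEL,
                     include_masks="*.*", include_kind="both")

if __name__ == "__main__":
    for p in (r"d:\finance\2008\Budget_Q3.xls", r"D:\Finance\Archive\old.xls",
              r"D:\Finance\scratch1\budget.csv", r"D:\Finance\budget.tmp"):
        print(p, "->", in_audit_scope(FINANCE, p))
```

Note that the model matches "*.*" literally, so a folder name without a dot would not match it; check the real behaviour of such masks against a test template before relying on it.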
File Auditing Configuration Dialog

The File Auditing Configuration dialog is displayed when you select the Edit button in the File System Auditing section on the Configuration Setup dialog. From this dialog, you can create a new template, remove a template and add, delete or edit a path in a previously defined template.

When expanded, the list box will display the following details about the File System Auditing templates currently defined:
• Template Name - name assigned to the template when it was created.
• File Path - name of the file path(s) or folder(s) included in the template.
• Include Ext - file extensions included in the template.
• Exclude Ext - file extension(s) marked for exclusion from auditing.
• Exclude Path - file path(s) marked for exclusion from auditing.
• Scope - scope of coverage.
• Operations - file/folder changes selected for auditing.

Use the buttons across the bottom of this dialog as described below:
• Add Template: Use the Add Template button to create a new template, which can then be added to the selected agent configuration. Selecting this button will launch the File Auditing wizard which will step you through the process of creating a new File System Auditing template.
• Delete Template: When a template is selected in the list box, use the Delete Template button to delete the selected template.
• Add Path: When a template is selected in the list box, use the Add Path button to add additional files/folders to the selected template. Selecting this button will launch the File Auditing wizard allowing you to specify the additional file path to be added.
• Delete Path: When a file path is selected in the list box, use the Delete Path button to remove the selected file path from the File System Auditing template.
Edit Path When a file path is selected in the list box, use the Edit Path button to modify the scope, excluded file extensions, excluded file/folder paths, or operations currently selected for auditing for the selected file/folder path. File System Auditing ChangeAuditor 187 Chapter 9: Registry Auditing The ability to audit registry settings improves operational efficiency dramatically. For example, some applications, such as virus scanning software, modify registry keys when an update is installed. By capturing these change events proactively, Administrators can determine whether or not specific machines received an update. Further, other applications may warrant the tracking of modifications to certain registry settings to ensure that they have not been tampered with. ChangeAuditor’s enhanced registry auditing feature allows you to audit changes to a specific key or to a folder and its sub folders. To capture Registry audited events in ChangeAuditor, you must first complete the following steps to define the registry keys to be audited and the changes to be captured: 1. Create a Registry Auditing template which specifies the registry key(s) and values to be audited. For more information on creating a Registry Auditing template, please refer to Registry Auditing Wizard on page 192. 2. Add this template to an agent configuration. For more information on adding a Registry Auditing template to an agent configuration, please refer to Defining Agent Configurations on page 218. 3. Assign the agent configuration to NetPro Compliance Agents. For more information on assigning an agent configuration to an agent, please refer to Assigning Agent Configurations to Agents on page 219. This chapter provides instructions for creating Registry Auditing templates, as well as a description of the Registry Auditing page, Registry Auditing wizard and Registry Auditing Configuration dialog. 
Creating Registry Auditing Templates
In order to enable custom registry auditing in ChangeAuditor, you must first create a Registry Auditing template which specifies the registry keys and values to be audited. You can then assign this template to an agent configuration.

To create a Registry Auditing template:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Registry (under the Auditing heading) to open the Registry Auditing page.
3. Use the Add | Add Template button to launch the Registry Auditing wizard, which steps you through the process of creating a Registry Auditing template.
• From the first page of the wizard, enter a name for the template, select the registry key in the HKEY_LOCAL_MACHINE hive to be audited and the scope of coverage (e.g., a single object, its child objects, etc.).
• If you selected the This Object and Child Objects Only option on the first page of the wizard, an additional page will be displayed allowing you to specify whether you want to audit all values or a specific value for the selected key.
• On the final page of the Registry Auditing wizard, select (check) all of the types of changes (e.g. registry key added, registry key deleted) that are to be audited in the selected registry key.
4. After specifying the changes to be audited, use the Finish button to create the template, close the dialog and return to the Registry Auditing page. The registry key and options specified in the wizard will be displayed in the templates list box.
5. To add another registry object to this template, select the template and use the Add | Add Registry Object tool bar button. Selecting this button will launch the Registry Auditing wizard, allowing you to specify the registry object to be added to the selected template.
6. Once you have defined a Registry Auditing template, open the Agent Configuration page to add this template to an agent configuration.
• Select the Configurations button to open the Configuration Setup dialog.
• Select an existing configuration from the list box or use the Add button to create a new agent configuration.
• Expand the Registry Auditing section and select the Add button. Selecting this button will display a dialog from which you can select the template to be added to the selected configuration.
7. After adding the Registry Auditing template to an agent configuration, back on the Agent Configuration page, select this agent configuration and use the Assign button to assign it to the appropriate NetPro Compliance Agents.

To create a template from the Agent Configuration page:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Agents (under the Configuration heading) to display the Agent Configuration page.
3. Select the Configurations button to display the Configuration Setup dialog, which contains a list of configuration definitions already defined as well as the means for creating a new configuration.
4. Select an existing configuration from the list box or use the Add button to create a new configuration.
5. Expand the Registry Auditing section in the right-hand pane and select the Edit button, which will display the Registry Auditing Configuration dialog.
6. On this dialog, select the Add Template button to launch the Registry Auditing wizard, which steps you through the process of creating a new template.
7. After specifying the registry key(s) and values to be audited, use the Finish button to create the template, close the dialog and return to the Registry Auditing Configuration dialog.
8. To add another registry object to this template, select the template and use the Add Path tool bar button. Selecting this button will launch the Registry Auditing wizard, allowing you to specify the registry object to be added to the selected template.
9. Select OK to close the dialog and return to the Configuration Setup dialog.
10. Back on the Configuration Setup dialog, select this template from the list box and use the Add button in the Registry Auditing section to add this template to the selected agent configuration. Select OK to save your selection and close the dialog.
11. Back on the Agent Configuration page, select this agent configuration and use the Assign button to assign it to the appropriate NetPro Compliance Agents.

Registry Auditing Page
The Registry Auditing page is displayed when Registry (under the Auditing heading) is selected in the explorer view of the Administration Tasks page. From this page you can launch the Registry Auditing wizard to specify a registry key to be audited. You can also edit existing templates and remove templates that are no longer being used.

The Registry Auditing page consists of the following information:

Templates
This list box contains an expandable view of all the Registry Auditing templates that have been previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following information is provided for each template:

Template Name
This column displays the name assigned to the template when it was created. Click the expansion box to the left of the Template Name to expand this view and display the following details about the template:

Path
This column displays the path of the selected registry key in the HKEY_LOCAL_MACHINE hive.

NOTE: The Path cell in the main (topmost) heading is used for filtering data. That is, as you enter characters into this cell, the client will redisplay only the paths that contain the character(s) entered, regardless of the Registry template to which they belong. See Filtering Data in Expanded Views on page 47 for more information on using this feature.

Scope
This column indicates whether subkeys are also included in the selected Registry Auditing template.

Actions
This column displays the registry changes selected for auditing on the last page of the wizard. Hover your mouse over this cell to view all of the actions included in the template.

Value
If applicable, this column displays the value entered when the template was created. That is, the specific value selected for auditing on the second page of the wizard (only applies to the ‘This Object and Child Objects Only’ scope).

Use the tool bar buttons as described below:

Add | Add Template
Use the Add button (or expand the Add button and select the Add Template option) to create a new registry template. Selecting this button will launch the Registry Auditing Wizard, which steps you through the process of defining the registry key and registry key changes to be included in this template.

Add | Add Registry Object
Expand the Add button and select the Add Registry Object option to add an additional registry object to the selected template. When this button is selected, the Registry Auditing Wizard will be displayed, allowing you to select the registry object to be added.

Delete | Delete Template
When a template is selected in the list box, use the Delete button to remove the selected template from the list box.

Delete | Delete Registry Object
When an individual registry object is selected in the list box, use the Delete button to remove the selected registry object from the registry template. Note that if you confirm the deletion of the last registry object in the template, you will also delete the template itself.

Edit Registry Object Options
Use the Edit Registry Object Options button to launch the Registry Auditing wizard to modify the current options used to create the selected Registry Auditing template.

Print
Use the Print button to send the contents of the Registry Auditing page to a designated printer.

Print | Print to File
Expand the Print button and select the Print to File command to save the contents of the Registry Auditing page to an Excel (.xls) or Comma Delimited (.csv) file. This command will display the native Save As dialog, allowing you to specify the file name, location and file type.

Print | Print Preview
Expand the Print button and select the Print Preview command to display the print layout of the selected page.

Print | Page Setup
Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog, allowing you to define the paper, page orientation and margins.

Registry Auditing Wizard
The Registry Auditing wizard is displayed when you select the Add | Add Template tool bar button on the Registry Auditing page. From this wizard, select the registry key to be audited as well as the changes to be audited.

The Registry Auditing wizard consists of the following pages:
• Select Registry Key page
• Select Values page (displayed when the ‘This Object and Child Objects Only’ option is selected on the first page)
• Select Registry Changes page

Select Registry Key Page
On the first page of the Registry Auditing wizard, enter the following information:

Template Name
Enter a descriptive name for the registry template being created.

Select the registry key in the HKEY_LOCAL_MACHINE hive
Select the registry key in the HKEY_LOCAL_MACHINE hive to be audited.
Use the browse button, to the far right, to select the type of registry to be browsed to locate the registry key:
• Browse local registry - select this option to browse the registry of the local computer
• Browse remote registry - select this option to browse the registry of a remote server

NOTE: Make sure that the selected remote computer is on the network, has remote administration enabled and that both computers are running the Remote Registry service. If the remote computer does not allow remote admin access, a message will be displayed explaining that you need to select a different server.

Scope
Select the appropriate option to specify the scope of coverage:
• This Object - select this option to audit only this key, not its values or subkeys. (Default)
• This Object and Child Objects Only - select this option to audit this key, its values and its direct subkeys only. This is not recursive.
• This Object and All Child Objects - select this option to audit this key, all subkeys and all values.

Select Values Page
If you selected the ‘This Object and Child Objects Only’ option on the first page of the wizard, this page will be displayed allowing you to specify whether you want to audit all values or a specific value for the selected key.

From this page, select one of the following options:

All Values
Select this option to audit all values for the selected key. (Default)

Specific Value
Select this option to audit a specific value and enter the name of the value to be audited.

After specifying the value(s) to be audited, use the Next button to proceed to the next page of the wizard.

Select Registry Changes Page
On the final page of the Registry Auditing wizard, select (check) all of the types of changes (e.g. registry key added, registry key deleted) that are to be audited for the selected registry key. Below is a list of the changes that may be displayed depending on the previous options selected:
• Binary registry value added (N/A for ‘This Object’ scope)
• Binary registry value changed (N/A for ‘This Object’ scope)
• Binary registry value deleted (N/A for ‘This Object’ scope)
• Numeric registry value added (N/A for ‘This Object’ scope)
• Numeric registry value changed (N/A for ‘This Object’ scope)
• Numeric registry value deleted (N/A for ‘This Object’ scope)
• Registry key added
• Registry key deleted
• String registry value added (N/A for ‘This Object’ scope)
• String registry value changed (N/A for ‘This Object’ scope)
• String registry value deleted (N/A for ‘This Object’ scope)

Select All
Use the Select All button to select (check) all of the changes listed.

Unselect All
Use the Unselect All button to deselect (uncheck) all of the changes listed.

After specifying the changes to be audited, use the Finish button to create the template, close the dialog and return to the Registry Auditing page. The registry key and the options defined in the wizard will be displayed in the templates list box.

Registry Auditing Configuration Dialog
The Registry Auditing Configuration dialog is displayed when you select the Edit button in the Registry Auditing section on the Configuration Setup dialog. From this dialog, you can create a new template, remove a template, add or delete a registry path from an existing template, or modify the options currently selected for auditing.

When expanded, the list box will display the following details about the Registry Auditing templates currently defined:
• Template Name - name assigned to the template when it was created.
• Path - path of the registry key(s) included in the template.
• Scope - scope of coverage.
• Actions - registry changes selected for auditing.
• Value - value selected for auditing.
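The three scope options on the Select Registry Key page differ in exactly which keys and values fall under a template, and the difference between the non-recursive ‘This Object and Child Objects Only’ option and the recursive ‘This Object and All Child Objects’ option is easy to get wrong for a deep key. The following script is an added example written for this guide, not code supplied by NetPro or part of ChangeAuditor. It enumerates what each scope would cover for a key in the HKEY_LOCAL_MACHINE hive, applies the Specific Value filter from the Select Values page where it applies, and checks whether a remote server can be browsed (the Remote Registry service precondition in the NOTE above) before it is chosen in the wizard. It assumes Windows PowerShell 5.1 or later; the key path and server name in the usage lines are hypothetical.

```powershell
# Added example, not part of the ChangeAuditor guide: lists the keys and values
# that each scope option of the Registry Auditing wizard covers for an HKLM
# key, and tests that a remote server can be browsed before it is chosen.
# Assumptions: Windows PowerShell 5.1 or later; the key path and server name
# used in the usage lines at the bottom are hypothetical.

function ValueLabel([string]$Name) { if ($Name) { $Name } else { '(Default)' } }

function Get-RegistryScopeCoverage {
    param(
        [Parameter(Mandatory)][string]$KeyPath,          # relative to HKLM, e.g. 'SOFTWARE\Contoso\Scanner'
        [ValidateSet('ThisObject', 'ThisObjectAndChildObjectsOnly', 'ThisObjectAndAllChildObjects')]
        [string]$Scope = 'ThisObject',
        [string]$SpecificValue                            # only meaningful for ThisObjectAndChildObjectsOnly
    )
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key  = $hklm.OpenSubKey($KeyPath)
    if (-not $key) { throw "HKLM\$KeyPath does not exist or cannot be read" }

    $covered = New-Object System.Collections.Generic.List[string]
    $covered.Add("KEY    HKLM\$KeyPath")                 # the key itself is covered by every scope

    switch ($Scope) {
        'ThisObject' {
            # key only: no values, no subkeys (only "Registry key added/deleted" apply)
        }
        'ThisObjectAndChildObjectsOnly' {
            # values of this key (all, or one specific value) and direct subkeys; not recursive
            $names = if ($SpecificValue) { @($SpecificValue) } else { $key.GetValueNames() }
            foreach ($n in $names) { $covered.Add("VALUE  HKLM\$KeyPath\$(ValueLabel $n)") }
            foreach ($s in $key.GetSubKeyNames()) { $covered.Add("KEY    HKLM\$KeyPath\$s") }
        }
        'ThisObjectAndAllChildObjects' {
            # this key, every subkey below it and every value, recursively
            $stack = New-Object System.Collections.Generic.Stack[string]
            $stack.Push($KeyPath)
            while ($stack.Count -gt 0) {
                $path = $stack.Pop()
                $k = $null
                try { $k = $hklm.OpenSubKey($path) } catch { }
                if (-not $k) { $covered.Add("DENIED HKLM\$path"); continue }   # our account cannot open it
                foreach ($n in $k.GetValueNames()) { $covered.Add("VALUE  HKLM\$path\$(ValueLabel $n)") }
                foreach ($s in $k.GetSubKeyNames()) {
                    $covered.Add("KEY    HKLM\$path\$s")
                    $stack.Push("$path\$s")
                }
                $k.Close()
            }
        }
    }
    $key.Close()
    return $covered
}

function Test-RemoteRegistryBrowse {
    # Mirrors the wizard's "Browse remote registry" precondition: the Remote
    # Registry service on the target must accept the connection from this host.
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $remote = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                      [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $remote.Close()
        return $true
    } catch {
        Write-Warning "Cannot browse HKLM on ${ComputerName}: $($_.Exception.Message)"
        return $false
    }
}

# Usage (hypothetical key path and server name):
Get-RegistryScopeCoverage -KeyPath 'SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Scope ThisObjectAndChildObjectsOnly
Get-RegistryScopeCoverage -KeyPath 'SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Scope ThisObjectAndChildObjectsOnly -SpecificValue 'ProductName'
Test-RemoteRegistryBrowse -ComputerName 'FILESRV01'
```

Comparing the output of the second and third scope for the same key shows at a glance how much a recursive template takes in; DENIED entries mark subkeys the running account could not open, so the listing is a lower bound on what the agent, running with its own rights, will see.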
Use the buttons across the bottom of this dialog as described below:

Add Template
Use the Add Template button to create a new template, which can then be added to the selected agent configuration. Selecting this button will launch the Registry Auditing wizard, which steps you through the process of creating a new Registry Auditing template.

Delete Template
When a template is selected in the list box, use the Delete Template button to delete the selected template.

Add Path
When a template is selected in the list box, use the Add Path button to add an additional registry key to the selected template. Selecting this button will launch the Registry Auditing wizard, allowing you to specify the additional registry key to be added.

Delete Path
When a registry object is selected in the list box, use the Delete Path button to remove the selected registry key from the Registry Auditing template.

Edit Path Options
When a registry object is selected in the list box, use the Edit Path Options button to modify the scope, values, or actions currently selected for auditing for the selected registry key.

Chapter 10: SQL Server Auditing
NOTE: SQL Server auditing is ONLY available if you have licensed the ChangeAuditor for SQL add-on module. Please contact your NetPro sales representative for more information.

To capture SQL Server audited events, you must first complete the following steps to define the SQL instances to be audited and the events to be captured:
1. Create a SQL Server Auditing template which specifies the SQL instance(s) and events to be audited. For more information on creating a template, please refer to Creating SQL Server Auditing Templates on page 198.
2. Add this template to an agent configuration. For more information on how to add a template to an agent configuration, please refer to Defining Agent Configurations on page 218.
3. Assign the agent configuration to NetPro Compliance Agents. For more information on how to assign an agent configuration to an agent, please refer to Assigning Agent Configurations to Agents on page 219.

This chapter provides instructions for creating SQL Server Auditing templates, as well as a description of the SQL Server Auditing page, SQL Auditing wizard and SQL Auditing Configuration dialog.

Creating SQL Server Auditing Templates
In order to enable SQL Server auditing in ChangeAuditor, you must first create a SQL Server Auditing template which specifies the SQL instance and SQL Server operations to be audited. You can then assign this template to an agent configuration, which then needs to be assigned to the appropriate NetPro Compliance Agents.

To create a template from the SQL Server Auditing page:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select SQL Server (under the Auditing heading) to open the SQL Server Auditing page.
3. Use the Add | Add Template button to launch the SQL Auditing wizard, which steps you through the process of creating a SQL Server Auditing template.
• From the first page of the wizard, enter a name for the template and select the SQL instance to be audited. You can audit the default instance or a named instance.
• On the second page of the wizard, select the SQL Server operations (facilities or event classes) that are to be audited.
4. After specifying the operations to be audited, use the Finish button to create the template, close the dialog and return to the SQL Server Auditing page. The SQL instance and operations specified in the wizard will be displayed in the templates list box.
5. To add another SQL instance to this template, select the template and use the Add | Add Instance tool bar button. Selecting this button will launch the SQL Auditing wizard, allowing you to specify the SQL instance to be added to the selected template.
6. Once you have defined a SQL Server Auditing template, open the Agent Configuration page to add this template to an agent configuration.
• Select the Configurations button to open the Configuration Setup dialog.
• Select an existing configuration from the list box or use the Add button to create a new agent configuration.
• Expand the SQL Server Auditing section and select the Add button. Selecting this button will display a dialog from which you can select the template to be added to the selected configuration.
7. After adding the SQL Server Auditing template to an agent configuration, back on the Agent Configuration page, select this agent configuration and use the Assign button to assign it to the appropriate NetPro Compliance Agents.

To create a template from the Agent Configuration page:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Agents (under the Configuration heading) to display the Agent Configuration page.
3. Select the Configurations button to display the Configuration Setup dialog, which contains a list of configuration definitions already defined as well as the means for creating a new configuration.
4. Select an existing configuration from the list box or use the Add button to create a new configuration.
5. Expand the SQL Server Auditing section in the right-hand pane and select the Edit button, which will display the SQL Auditing Configuration dialog.
6. On this dialog, select the Add Template button to launch the SQL Auditing wizard, which steps you through the process of creating a new template.
• From the first page of the wizard, enter a name for the template and select the SQL instance to be audited. You can audit the default instance or a named instance.
• On the second page of the wizard, select the SQL Server operations (facilities or event classes) that are to be audited.
7. After specifying the SQL instance(s) and operations to be audited, use the Finish button to create the template, close the dialog and return to the SQL Auditing Configuration dialog.
8. To add another SQL instance to this template, select the template and use the Add Instance button. Selecting this button will launch the SQL Auditing wizard, allowing you to specify the SQL instance to be added to the selected template.
9. Select OK to close the SQL Auditing Configuration dialog and return to the Configuration Setup dialog.
10. Back on the Configuration Setup dialog, select this template from the list box and use the Add button in the SQL Server Auditing section to add this template to the selected agent configuration. Select OK to save your selection and close the dialog.
11. Back on the Agent Configuration page, select this agent configuration and use the Assign button to assign it to the appropriate NetPro Compliance Agents.

SQL Server Auditing Page
Select SQL Server (under the Auditing heading) from the navigation pane of the Administration Tasks tab to display the SQL Server Auditing page. From this page you can launch the SQL Auditing wizard to specify the SQL instance(s) and the type of changes to be audited. You can also edit existing templates and remove templates that are no longer being used.

The SQL Server Auditing page contains the following information:

Templates List Box
This list box contains an expandable view of all the SQL Server Auditing templates that have been previously defined. To add a new template to this list, use the Add | Add Template tool bar button. Once added, the following information is provided for each template:

Template Name
This column displays the name assigned to the template when it was created. Click the expansion box to the left of the Template Name to expand this view and display the following details for each template:

Instance
This column displays the name of the SQL instance selected on the first page of the wizard.

NOTE: The Instance cell in the main (topmost) heading is used for filtering data. That is, as you enter characters into this cell, the client will redisplay only the SQL instances that contain the character(s) entered, regardless of the SQL Server Auditing template to which they belong. See Filtering Data in Expanded Views on page 47 for more information on using this feature.

Operations
This column displays the SQL facilities selected for auditing on the last page of the wizard. Hover your mouse over this cell to view all of the facilities included and the number of event classes selected for auditing in each.

Use the tool bar buttons as described below:

Add | Add Template
Use the Add button (or expand the Add button and select the Add Template option) to create a new SQL Server Auditing template. Selecting this button will launch the SQL Auditing wizard, which steps you through the process of defining the SQL instances and type of changes to be included in the template.

Add | Add Instance
Expand the Add button and select the Add Instance option to add an additional SQL instance to the selected template. When this button is selected, the SQL Auditing wizard will be displayed, allowing you to select the SQL instance to be added and the operations (event classes) to be audited.

Delete | Delete Template
When a template is selected in the list box, use the Delete button (or expand the Delete button and select the Delete Template option) to remove the selected template.

Delete | Delete Instance
When an individual SQL instance is selected in the list box, use the Delete button (or expand the Delete button and select the Delete Instance option) to remove the selected instance from the template. Note that if you confirm the deletion of the last instance in the template, you will also delete the template itself.

Edit Instance Options
Use the Edit Instance Options button to launch the SQL Auditing wizard to modify the current operations (event classes) selected for auditing in the template.

Print
Use the Print button to send the contents of the SQL Server Auditing page to a designated printer.

Print | Print to File
Expand the Print button and select the Print to File command to save the contents of the SQL Server Auditing page to a file. This command will display the native Save As dialog, allowing you to specify the file name and location.

Print | Print Preview
Expand the Print button and select the Print Preview command to display the print layout of the selected page.

Print | Page Setup
Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog, allowing you to define the paper, page orientation and margins.

SQL Auditing Wizard
The SQL Auditing wizard is displayed when you select the Add | Add Template tool bar button on the SQL Server Auditing page or the Add Template button on the SQL Auditing Configuration dialog. This wizard steps you through the process of creating a new template, identifying the SQL instances to be included in the template. You will also use this wizard to modify a previously defined template.

The SQL Auditing wizard consists of the following pages:
• Select SQL Instance page
• Select Operations page

Select SQL Instance Page
From the first page of the wizard, enter a name for the template and select the SQL instance that you want to audit.

Template Name
Enter a descriptive name for the SQL Server Auditing template being created.

Select a SQL Instance
Select one of the following options:

Default
This option is selected by default and will use the default SQL instance (MSSQLSERVER) found on an agent that is using the SQL Server Auditing template.

Named
Select this option to use a named instance instead of the default SQL instance. When this option is selected, the name field will be activated, allowing you to enter a SQL named instance. Or use the browse button to the right of this field to select from a list of available servers. Selecting the browse button will display the Select a SQL Instance dialog, which displays a list of available servers.

After providing a template name and specifying a SQL instance, use the Next button to proceed to the next page.

Select Operations Page
From this page, select the SQL Server operations (event classes) that are to be audited on the selected SQL instance. You must select at least one operation.

Data Grid
The data grid across the top of the page displays all of the SQL event classes available for auditing. Select/highlight an event class and use the appropriate add option to add either the individual event class or all events in the selected facility. This grid displays the following information for each event class:
• Facility - the facility to which each event class belongs
• Event Class - the events available for auditing
• SQL2000 - indicates whether the event class is available in SQL 2000
• SQL2005 - indicates whether the event class is available in SQL 2005

Add | Add This Event
Click the Add button and select the Add This Event option to add the selected event class to the Audit list box at the bottom of the page.

Add | Add All Events in Facility
Click the Add button and select the Add All Events in Facility option to add all event classes in the selected facility to the Audit list box at the bottom of the page.
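Two things on these wizard pages are easy to get wrong when a server hosts several instances: whether the instance the template should cover is the default instance (MSSQLSERVER) or a named one, and whether the event classes checked in the grid exist on the version actually running there (the SQL2000 and SQL2005 columns). The following script is an added example written for this guide, not code supplied by NetPro or part of ChangeAuditor. It lists the instances installed on the local host in the terms the Select SQL Instance page uses, with the service state of each, and pulls the trace categories and event classes one instance exposes. It assumes Windows PowerShell 5.1 with the .NET Framework SqlClient and a Windows login that can connect to the instance; it takes the wizard's Facility column to correspond to SQL Trace categories, which is an assumption, and the sys.trace_categories and sys.trace_events views it queries exist on SQL Server 2005 and later but not on SQL Server 2000. The server and instance names in the usage lines are hypothetical.

```powershell
# Added example, not part of the ChangeAuditor guide: lists the SQL Server
# instances installed on this host as the SQL Auditing wizard sees them
# (Default = MSSQLSERVER, otherwise Named) and pulls the trace categories and
# event classes one instance exposes, to cross-check the Facility / Event
# Class grid against what the server actually supports.
# Assumptions: Windows PowerShell 5.1 with .NET Framework SqlClient; a Windows
# login that can connect to the instance; "Facility" is taken to mean a SQL
# Trace category (assumption); sys.trace_* views exist on SQL 2005+, not SQL 2000.

function Get-LocalSqlInstances {
    # Installed instances are registered under this key: value name = instance
    # name, value data = the instance's MSSQL.n / MSSQL10.<name> folder id.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (-not (Test-Path $regPath)) { return @() }
    foreach ($name in (Get-Item $regPath).GetValueNames()) {
        $isDefault   = ($name -eq 'MSSQLSERVER')
        $serviceName = if ($isDefault) { 'MSSQLSERVER' } else { "MSSQL`$$name" }   # MSSQL$<name> for named instances
        $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            InstanceName  = $name
            WizardOption  = if ($isDefault) { 'Default' } else { 'Named' }
            ConnectAs     = if ($isDefault) { $env:COMPUTERNAME } else { "$env:COMPUTERNAME\$name" }
            ServiceName   = $serviceName
            ServiceStatus = if ($svc) { $svc.Status } else { 'not installed' }
        }
    }
}

function Get-SqlTraceEventClasses {
    param([Parameter(Mandatory)][string]$Instance)   # e.g. 'SQLSRV01' or 'SQLSRV01\INST1' (hypothetical)
    $query = @"
SELECT c.name AS Facility, e.name AS EventClass, e.trace_event_id AS EventId
FROM sys.trace_events e
JOIN sys.trace_categories c ON c.category_id = e.category_id
ORDER BY c.name, e.name;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI;Database=master")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Facility   = [string]$reader['Facility']
                EventClass = [string]$reader['EventClass']
                EventId    = [int]$reader['EventId']
            }
        }
        $reader.Close()
    } finally {
        $conn.Close()
    }
}

# Usage (hypothetical names): which instances exist, and how many event
# classes each facility offers on the default instance of this host.
Get-LocalSqlInstances | Format-Table -AutoSize
$events = Get-SqlTraceEventClasses -Instance $env:COMPUTERNAME
$events | Group-Object Facility | Sort-Object Name | Select-Object Name, Count
```

The ConnectAs column is the form to type into the Named field of the wizard; a stopped service in ServiceStatus explains an instance that the browse button does not list. Running the query against both a SQL 2000 and a SQL 2005 host is the quickest way to see why the grid carries separate availability columns for the two versions.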
Remove
Use the Remove button to remove the selected entry from the Audit list box.

Audit List Box
This list box displays the facilities and/or event classes to be included in the selected auditing template.

After specifying the operations to be audited, use the Finish button to create the template, close the dialog and return to the SQL Server Auditing page. The SQL instance and operations specified in the wizard will be displayed in the templates list box.

Select a SQL Instance Dialog
This dialog is displayed when the browse button on the first page of the SQL Auditing wizard is selected. From this dialog you can select the SQL instance to be used in the new SQL Server Auditing template.

SQL Instance
This dialog displays a list of SQL instances which can be selected for auditing. From this list, select/highlight one instance and then use the OK button to save your selection and close the dialog.

SQL Auditing Configuration Dialog
The SQL Auditing Configuration dialog is displayed when you select the Edit button in the SQL Server Auditing section on the Configuration Setup dialog. From this dialog, you can create a new template, remove a template, add or delete an instance from an existing template or modify the operations selected for auditing.

When expanded, the list box will display the following details about the SQL Server Auditing templates currently defined:
• Template Name - name assigned to the template when it was created.
• Instance - name of the SQL instance(s) included in the template.
• Operations - SQL Server operations selected for auditing.

Use the buttons across the bottom of this dialog as described below:

Add Template
Use the Add Template button to create a new template, which can then be added to the selected agent configuration. Selecting this button will launch the SQL Auditing wizard, which steps you through the process of creating a new SQL Server Auditing template.

Delete Template
When a template is selected in the list box, use the Delete Template button to delete the selected template.

Add Instance
When a template is selected in the list box, use the Add Instance button to add additional instances to the selected template. Selecting this button will launch the SQL Auditing wizard, allowing you to specify the additional SQL instance to be added.

Delete Instance
When an instance is selected in the list box, use the Delete Instance button to remove the selected SQL instance from the SQL Server Auditing template.

Edit Instance
When an instance is selected in the list box, use the Edit Instance button to modify the operations currently selected for auditing for the selected instance.

Chapter 11: Account Exclusion
The Account Exclusion feature allows you to define a list of trusted accounts which are to be excluded from the ChangeAuditor auditing process. This enables you to exclude change events generated by accounts that make a large number of changes via scripting or by accounts which are trusted. Because changes made by an excluded account are not recorded at all, the exclusion is a deliberate blind spot: keep the list to the few accounts that genuinely need it and review it whenever those accounts or their roles change.

To use the account exclusion feature, you must first complete the following steps to define the user/computer accounts that can make changes without triggering an audited event in ChangeAuditor:
1. Create an Excluded Accounts template which specifies the user and/or computer accounts that are to be excluded from the auditing process. For more information on creating a template, please refer to Creating Excluded Accounts Templates on page 208.
2. Add this template to an agent configuration. For more information on how to add a template to an agent configuration, please refer to Defining Agent Configurations on page 218.
3. Assign the agent configuration to NetPro Compliance Agents. For more information on how to assign an agent configuration to an agent, please refer to Assigning Agent Configurations to Agents on page 219.
This chapter provides instructions for creating Excluded Accounts templates, as well as a description of the Excluded Accounts page, Excluded Accounts wizard and Account Exclusion Configuration dialog.

Creating Excluded Accounts Templates

In order to exclude accounts from ChangeAuditor auditing, you must first create an Excluded Accounts template which specifies the user or computer accounts that are to be excluded. You can then add this template to an agent configuration, which then needs to be assigned to the appropriate NetPro Compliance Agent(s).

To create a template from the Excluded Accounts page:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Account (under the Exclusions heading) to open the Excluded Accounts page.
3. Use the Add | Add Template button to launch the Excluded Accounts wizard, which will step you through the process of creating an Excluded Accounts template.
   • From the first page of the wizard, enter a name for the template.
   • On the second page of the wizard, select the user or computer accounts that are to be excluded from ChangeAuditor auditing.
4. After specifying the accounts to be excluded, use the Finish button to create the template, close the dialog and return to the Excluded Accounts page. The accounts specified in the wizard will be displayed in the Excluded Accounts Templates list box.
5. To add another account to this template, select the template and use the Add | Add Account tool bar button. Selecting this button will launch the Excluded Accounts wizard, allowing you to specify the user/computer account to be added to the selected template.
6. Once you have defined an Excluded Accounts template, open the Agent Configuration page to add this template to an agent configuration.
   • Select the Configurations button to open the Configuration Setup dialog.
   • Select an existing configuration from the list box or use the Add button to create a new configuration.
   • Expand the Account Exclusions section and select the Add button. Selecting this button will display a dialog from which you can select the template to be added to the selected configuration.
7. After adding the Excluded Accounts template to an agent configuration, back on the Agent Configuration page, select this agent configuration and use the Assign button to assign it to the appropriate NetPro Compliance Agents.

To create a template from the Agent Configuration page:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Agents (under the Configuration heading) to display the Agent Configuration page.
3. Select the Configurations button to display the Configuration Setup dialog, which contains a list of configuration definitions already defined as well as the means for creating a new configuration.
4. Select an existing configuration from the list box or use the Add tool bar button to create a new configuration.
5. Expand the Account Exclusions section in the right-hand pane and select the Edit button, which will display the Account Exclusion Configuration dialog.
6. On this dialog, select the Add Template button to launch the Excluded Accounts wizard, which will step you through the process of creating a new template.
   • From the first page of the wizard, enter a name for the template.
   • On the second page of the wizard, select the user or computer accounts that are to be excluded from ChangeAuditor auditing.
7. After specifying the account(s) to be excluded, use the Finish button to create the template, close the dialog and return to the Account Exclusion Configuration dialog.
8. To add another account to this template, select the template and use the Add Account button. Selecting this button will launch the Excluded Accounts wizard, allowing you to specify the user/computer account to be added to the selected template.
9. Select OK to close the dialog and return to the Configuration Setup dialog.
10. Back on the Configuration Setup dialog, select this template from the list box and use the Add button in the Account Exclusions section to add this template to the selected agent configuration.
11. Back on the Agent Configuration page, select this agent configuration and use the Assign button to assign it to the appropriate NetPro Compliance Agents.

Excluded Accounts Page

Use the Excluded Accounts page to create Excluded Accounts templates that define specific user and/or computer accounts that are to be excluded from being audited by ChangeAuditor. Once you have defined an Excluded Accounts template, open the Agent Configuration page to add this template to an agent configuration, which can then be assigned to NetPro Compliance Agents.

The Excluded Accounts page is displayed when Account (under the Exclusions heading) is selected in the navigation pane of the Administration Tasks tab. From this page you can launch the Excluded Accounts wizard to create a new template. You can also edit existing templates and remove templates that are no longer being used.

The Excluded Accounts page consists of the following information:

Templates
This list box contains an expandable view of all the Excluded Accounts templates that have been previously defined. To add a new template to this list, use the Add tool bar button (or expand the Add button and select the Add Template option). Once added, the following information is provided for each Excluded Accounts template:

Template Name
This column displays the name assigned to the Excluded Accounts template when it was created.
Click the expansion box to the left of the Template Name to expand this view and display the following details about the template:

Type
This column displays the type of account(s) in the selected template (i.e., User or Computer).

Account
This column displays the name of the account(s) in the selected template.

NOTE: The Account cell in the main (topmost) heading is used for filtering data. That is, as you enter characters into this cell, the client will redisplay only the accounts that contain the character(s) entered, regardless of the Excluded Accounts template to which they belong. See Filtering Data in Expanded Views on page 47 for more information on using this feature.

Display Name
This column shows the display name assigned to the accounts listed.

Use the tool bar buttons across the top of this page as described below:

Add | Add Template
Use the Add button (or expand the Add button and select the Add Template option) to create a new Excluded Accounts template. Selecting this button will launch the Excluded Accounts wizard, where you can specify the user and/or computer accounts to be included in this template.

Add | Add Account
Expand the Add button and select the Add Account option to add an additional user/computer account to the selected template. When this button is selected, the Excluded Accounts wizard will be displayed, allowing you to select the account to be added.

Delete | Delete Template
When a template is selected in the list box, use the Delete button (or expand the Delete button and select the Delete Template option) to remove the selected template from the list box.

Delete | Delete Account
When an individual account is selected in the list box, use the Delete button (or expand the Delete button and select the Delete Account option) to remove the selected account from the template. Note that if you confirm the deletion of the last account in the template, you will also delete the template itself.

Print
Use the Print button to send the contents of the Excluded Accounts page to a designated printer.

Print | Print to File
Expand the Print button and select the Print to File command to save the contents of the Excluded Accounts page to an Excel (.xls) or Comma Delimited (.csv) file. This command will display the native Save As dialog, allowing you to specify the file name, location and file type.

Print | Print Preview
Expand the Print button and select the Print Preview command to display the print layout of the selected page prior to printing it.

Print | Page Setup
Expand the Print button and select the Page Setup command to define the page settings for printing. Selecting this command will display the native Page Setup dialog, allowing you to define the paper, page orientation and margins.

Excluded Accounts Wizard

The Excluded Accounts wizard is displayed when you select the Add | Add Template tool bar button on the Excluded Accounts page or the Add Template button on the Account Exclusion Configuration dialog. This wizard steps you through the process of creating a new Excluded Accounts template, identifying the user and/or group accounts to be included in the template. You will also use this wizard to modify a previously defined Excluded Accounts template.

The Excluded Accounts wizard consists of the following pages:
• Template Name page
• Select Accounts to Exclude page

Template Name Page
On the first page of the wizard, enter a name for the new Excluded Accounts template.

Template Name
Enter a descriptive name for the template.

After entering a name for the template, select Next to continue.

Select Accounts to Exclude Page
On the second page of the wizard, select the user and/or computer accounts to be included in the template.

Object Picker
Use the Browse and Search pages to locate and select the user and/or computer accounts that are to be excluded from ChangeAuditor auditing.
Use the Options page to view or modify the search options or global catalog to be used to retrieve directory objects. See Using the Object Picker on page 38 for a description of the Browse, Search and Options pages.

Add
Use the Add button to add the account selected on the Browse or Search page to the Excluded Accounts list box at the bottom of the page. This button is only available when a user or computer account is selected in the Browse or Search page.

Remove
Use the Remove button to remove the selected account from the Excluded Accounts list box. This button is only available when there is an entry in the Excluded Accounts list box.

Excluded Accounts List Box
The list box located across the bottom of this page displays the accounts selected for exclusion.

After adding the accounts to be included in the template, select Finish to exit the wizard and return to the Excluded Accounts page. The newly created template with its excluded accounts will now be listed on the Excluded Accounts page.

Account Exclusion Configuration Dialog

The Account Exclusion Configuration dialog is displayed when you select the Edit button in the Account Exclusions section on the Configuration Setup dialog. From this dialog, you can create a new template, remove a template, and add or delete accounts from previously defined templates.

When expanded, the list box will display the following details about the Excluded Accounts templates currently defined:
• Template Name - name assigned to the template when it was created.
• Type - type of account: User or Computer.
• Account - the name of the account.
• DisplayName - the display name for the account, if available.

Use the buttons across the bottom of this dialog as described below:

Add Template
Use the Add Template button to create a new template, which can then be added to the selected agent configuration. Selecting this button will launch the Excluded Accounts wizard, which will step you through the process of creating a new Excluded Accounts template.

Delete Template
When a template is selected in the list box, use the Delete Template button to delete the selected template.

Add Account
When a template is selected in the list box, use the Add Account button to add additional account(s) to the selected template. Selecting this button will launch the Excluded Accounts wizard, allowing you to specify the additional account(s) to be added.

Delete Account
When an account is selected in the list box, use the Delete Account button to remove the selected account from the Excluded Accounts template.

Chapter 12: Agent Configurations

ChangeAuditor assigns a default configuration to each agent installed, which consists of the following settings:
• Forwarding Interval: 5 seconds
• Retry Interval: 300 seconds
• Maximum Events per Connection: 500
• Monitor the System Event Log
• Polling Interval: 900 seconds
• Allowed time for connection: 24 x 7
• Use Direct SQL Connection

You can, however, define and assign different agent configurations to each agent. Using agent configurations you can:
• modify event forwarder settings
• monitor various event logs
• modify agent/repository communication settings, including enabling/disabling direct SQL connections
• enable File System auditing by adding File System Auditing templates
• enable Registry auditing by adding Registry Auditing templates
• enable SQL Server auditing by adding SQL Server Auditing templates
• exclude accounts from being audited by adding Excluded Accounts templates

This chapter describes the Agent Configuration page and how to perform the tasks associated with configuring agent settings.

Defining Agent Configurations

To define a new agent configuration:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Agents (under the Configuration heading) to display the Agent Configuration page.
3. From the Agent Configuration page, select the Configurations button. This will display the Configuration Setup dialog, which contains a list of the configuration definitions available as well as the means for creating a new configuration.
4. From this dialog, use the Add button to create a new definition or use the Copy button to duplicate the configuration selected in the Configurations list box. This will create/add a new configuration to the list and allow you to name the new configuration and specify the event forwarder, configuration and communication settings.
5. To add File System auditing to a configuration, expand the File System Auditing section and select the Add button to display the Select File System Template dialog. Select a File System Auditing template from the list and click the OK button. This template will be added to the File System Template list box back on the Configuration Setup dialog.
   NOTE: If the Select File System Template dialog is empty, you must first create a File System template. See Creating File System Auditing Templates on page 172 for more information on creating templates for File System auditing that can then be assigned to an agent configuration.
6. To add Registry auditing to a configuration, expand the Registry Auditing section and select the Add button to display the Select Registry Template dialog. Select a registry template from the list and click the OK button. This template will be added to the Registry Template list box back on the Configuration Setup dialog.
   NOTE: If the Select Registry Template dialog is empty, you must first create a Registry template.
   See Creating Registry Auditing Templates on page 188 for more information on creating templates for registry auditing that can then be assigned to an agent configuration.
7. To add SQL Server auditing to a configuration, expand the SQL Server Auditing section and select the Add button to display the Select SQL Template dialog. Select a template from the list and click the OK button. This template will be added to the SQL Server Template list box back on the Configuration Setup dialog.
   NOTE: If the Select SQL Template dialog is empty, you must first create a SQL Server Auditing template. See Creating SQL Server Auditing Templates on page 198 for more information on creating templates for SQL Server auditing that can then be assigned to an agent configuration.
8. To exclude accounts from being audited, expand the Account Exclusions section and select the Add button to display the Select Excluded Accounts Template dialog. Select a template from the list and click the OK button. This template will be added to the Account Exclusions list box back on the Configuration Setup dialog.
   NOTE: If the Select Excluded Accounts Template dialog is empty, you must first create an Excluded Accounts template. See Creating Excluded Accounts Templates on page 208 for more information on creating Excluded Accounts templates that can then be assigned to an agent configuration.
9. Once you have named the configuration, selected the appropriate settings and added any custom auditing templates, select the OK button to save your configuration and return to the Agent Configuration page.

Assigning Agent Configurations to Agents

Once agent configurations are defined, they can be assigned to one or more installed agents. Again, use the Agent Configuration page to assign agent configurations to agents.

To assign a configuration to an agent:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Agents (under the Configuration heading) to display the Agent Configuration page.
3. From the Agent Configuration page, select/highlight one or more agents from the agent list and select the Assign button. This will display the Select Configuration dialog.
4. From this dialog, select/highlight the configuration definition to be assigned to the selected agent(s) and select the OK button.
5. The agent configuration assignment will be changed on the Agent Configuration page.

Agent Configuration Page

Use the Agent Configuration page, which is accessible via the Administration Tasks tab, to define and assign agent configurations. The Agent Configuration page is displayed when Agents (under the Configuration heading) is selected in the explorer view of the Administration Tasks tab.

The Agent Configuration page contains a list of servers that host NetPro Compliance Agents and the configuration definition assigned to each. From this page, you can perform the following tasks:
• create a new configuration definition
• assign a configuration definition to an agent
• remove a configuration from an agent

The Agent Configuration page consists of the following information for each agent deployed:

Agent
This column displays the name of the server that hosts a NetPro Compliance Agent.

Domain
This column displays the name of the domain where the server resides.

Configuration
This column displays the name of the configuration definition assigned to each agent listed.

File System
This column indicates whether a File System Auditing template is included in the assigned configuration definition.

Registry
This column indicates whether a Registry Auditing template is included in the assigned configuration definition.

SQL
This column indicates whether a SQL Server Auditing template is included in the assigned configuration definition.
Exclude Account
This column indicates whether an Excluded Accounts template is included in the assigned configuration definition.

Use the tool bar buttons across the top of this page as described below:

Configurations
Use the Configurations button to display the Configuration Setup dialog, which contains a list of configuration definitions. From the Configuration Setup dialog you can add, edit or delete configuration definitions.

Assign
Use the Assign button to display the Select Configuration dialog, where you can select the configuration definition to be used for the selected agent. At least one agent must be selected/highlighted to activate this button.

Default All
Use the Default All button to reset all agent configurations back to the default configuration. A message will be displayed confirming that you want to reset ALL agent configurations.

Configuration Setup Dialog

The Configuration Setup dialog is displayed whenever the Configurations tool bar button on the Agent Configuration page is selected. From this dialog, you can review the settings established for existing agent configurations, define new agent configurations and remove obsolete agent configurations.

Configuration list box
The list box, to the far left of the dialog, displays the agent configuration definitions available. Use the buttons located beneath this list box to add, copy and/or remove agent configurations.

Add
Use the Add button to create a new configuration definition. When this button is selected, a new configuration will be added to the list, where you can then enter a new name for your configuration. In addition, the settings on this dialog will be activated, allowing you to specify the appropriate configuration settings. After entering the configuration settings, select OK to save the new configuration.

Copy
Use the Copy button to use the selected configuration definition as the basis for a new configuration. When this button is selected, a new configuration will be added to the list, where you can then enter a name for the copied configuration. The current configuration settings can also be modified as necessary. After entering a name and modifying any of the configuration settings, select OK to save the new configuration.

Remove
Use the Remove button to remove the selected configuration definition from the list. Select/highlight the configuration to be removed from the Configuration list box and select the Remove button. This button is not available for the Default Configuration.

The fields to the right of the Configuration Setup page are populated with the settings assigned to the configuration selected in the list box (left-hand pane). To define a new configuration or modify an existing configuration, enter the requested information as described below:

Configuration Name
This read-only field displays the name of the configuration selected in the list box. When the Add button is selected, this field will display ‘Config Created <current date/time>’. When the Copy button is selected, this field will display ‘Copy of <configuration>’. To change the name of a new or copied configuration, place your cursor in the Configuration list box to rename the selected configuration.

Event Forwarder Settings
Use the double-arrow controls to the far right of this section title bar to either collapse and hide the settings or to expand and show the settings in a particular section.

NOTE: If you enter an invalid value (smaller than the minimum or larger than the maximum), a red flashing symbol will display next to the field.

Forwarding Interval (seconds)
This setting determines how often an agent will forward audited events to the repository. By default, every 5 seconds an agent forwards all of the audited events stored in the local queue (the agent’s database) to the repository. Use the arrow controls to increase this value. Valid range: 5 - 60 seconds.
Max events per connection
By default, a maximum of 500 events will be sent to the repository per connection. Use the arrow controls to increase or decrease this number. Valid range: 100 - 9999.

Retry Interval (seconds)
This setting determines how often an agent will resend all unacknowledged events if it does not receive an immediate acknowledgment from the repository. By default, if an agent does not receive an immediate acknowledgment from the repository for the audited events being transmitted, the agent will resend all unacknowledged events five minutes (300 seconds) after the previous attempt. Use the arrow controls to increase or decrease this value. Valid range: 60 - 600 seconds.

Configuration
Use the double-arrow controls to the far right of this section title bar to either collapse and hide the settings or to expand and show the settings in a particular section.

Monitor the Application Event Log
Select (check) this check box to monitor the Application Event log.

NOTE: If you disable (uncheck) this setting, ChangeAuditor will not be able to report Exchange Server store mount and dismount events.

Monitor the Security Event Log
Select (check) this check box to monitor the Security Event log.

NOTE: If you disable (uncheck) this setting, ChangeAuditor will not be able to display accurate who information or any client location for the following events: User badPasswordTime Changed, User Password Changed, Logon Audit Received, User Account Locked, and User Account Unlocked. Also, Security Log Full and Cleared events will not be reported.

Monitor the System Event Log
This check box is selected by default, indicating that ChangeAuditor is to monitor the System Event log.

NOTE: If you disable (uncheck) this setting, ChangeAuditor will not be able to display the who information for the NT Service events (Service Started, Service Stopped, Service Paused and Service Resumed). Also, detection of Exchange Information Store restarts will be less responsive, possibly resulting in missed Exchange events.

Polling Interval (seconds)
This setting determines how often the agent will check whether there have been any modifications to the agent's configuration. The default is 900 seconds (15 minutes). Use the arrow controls to increase or decrease this value. Valid range: 60 - 9999 seconds.

Communication
Use the double-arrow controls to the far right of this section title bar to either collapse and hide the settings or to expand and show the settings in a particular section.

Allowed time for connection
By default, events are collected and forwarded to a repository 24x7 (all seven days a week, 24 hours a day). To exclude a particular day of the week from the forwarding process, click the appropriate check box to remove the check mark.

From/To
By default, events are forwarded from 12:00 a.m. to 11:59 p.m. Use the arrow controls to specify a different time range.

Direct SQL Connection
This check box is checked by default and instructs the agent to forward its audited events directly to the SQL database, rather than going through the ChangeAuditor repository service. This is the recommended connection method for increased performance in high-volume audit event environments. However, using this option does require the appropriate Microsoft SQL licensing.

File System Auditing
Use the double-arrow controls to the far right of this section title bar to either collapse and hide the settings or to expand and show the settings in a particular section.

Template list box
This list box contains the file system template(s) to be included in the selected agent configuration. Use the buttons to the right of this list box to add, remove or edit templates in this list.

Add
Use the Add button to add a file system template to the list box. This will display the Select File System Template dialog, allowing you to select from a list of the templates available.

Remove
Use the Remove button, located to the right of the list box, to delete the selected template from the Template list box. Select/highlight the template to be removed and select the Remove button.

Edit
Use the Edit button to modify an existing template or to create a new template. Selecting this button will display the File Auditing Configuration dialog, where you can add or remove an auditing template, and add, delete or edit a file path in an existing template. For a detailed description of the File Auditing Configuration dialog, please refer to File Auditing Configuration Dialog on page 185.

Registry Auditing
Use the double-arrow controls to the far right of this section title bar to either collapse and hide the settings or to expand and show the settings in a particular section.

Template list box
This list box contains the registry template(s) to be included in the selected agent configuration. Use the buttons to the right of this list box to add or remove templates from this list.

Add
Use the Add button to add a registry template to the list box. This will display the Select Registry Template dialog, allowing you to select from a list of the templates available.

Remove
Use the Remove button, located to the right of the list box, to delete the selected template from the Template list box. Select/highlight the template to be removed and select the Remove button.

Edit
Use the Edit button to modify an existing template or create a new template. Selecting the button will display the Registry Auditing Configuration dialog, where you can add or remove an auditing template, and add, delete or edit the options for a registry object in an existing template. For a detailed description of the Registry Auditing Configuration dialog, please refer to Registry Auditing Configuration Dialog on page 195.
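To see how the Event Forwarder, Configuration and Communication settings described above fit together, here is an added Python model (not ChangeAuditor code and not from this guide) that checks values against the documented valid ranges, evaluates the Allowed time for connection window for a given timestamp, estimates forwarder throughput from Max events per connection and the Forwarding Interval, and lists the event detail that the notes say is lost when a log is not monitored. It assumes that Application and Security log monitoring default to unchecked (only the System log appears among the documented defaults), that every connection is acknowledged immediately so the Retry Interval never comes into play, and that the time window is compared at minute granularity; the class and function names are the example's own.

```python
"""Added example (not ChangeAuditor code): a model of the agent configuration
settings on the Configuration Setup dialog, with the documented valid ranges,
the allowed-time forwarding window and the event-log coverage notes.

Assumptions: Application and Security log monitoring default to unchecked
(only the System log is listed among the defaults); capacity figures assume
every connection is acknowledged immediately, so retries never occur."""
import math
from dataclasses import dataclass
from datetime import datetime, time

# Valid ranges as documented for the Configuration Setup dialog.
RANGES = {
    "forwarding_interval": (5, 60),
    "max_events_per_connection": (100, 9999),
    "retry_interval": (60, 600),
    "polling_interval": (60, 9999),
}


@dataclass
class AgentConfig:
    name: str = "Default Configuration"
    forwarding_interval: int = 5           # seconds between forwards of the local queue
    max_events_per_connection: int = 500
    retry_interval: int = 300              # seconds before unacknowledged events are resent
    polling_interval: int = 900            # seconds between checks for a changed configuration
    monitor_application_log: bool = False  # assumption: unchecked by default
    monitor_security_log: bool = False     # assumption: unchecked by default
    monitor_system_log: bool = True
    allowed_days: frozenset = frozenset(range(7))  # datetime.weekday() values, 0 = Monday
    window_start: time = time(0, 0)        # From: 12:00 a.m.
    window_end: time = time(23, 59)        # To: 11:59 p.m.
    direct_sql_connection: bool = True

    def validate(self) -> list:
        """Problems the dialog would flag (out-of-range values), plus one it does
        not check: no day at all on which forwarding may happen."""
        problems = []
        for setting, (low, high) in RANGES.items():
            value = getattr(self, setting)
            if not low <= value <= high:
                problems.append(f"{setting}={value} is outside the valid range {low}-{high}")
        if not self.allowed_days:
            problems.append("no forwarding days selected; events would queue on the agent")
        return problems

    def forwarding_allowed(self, when_iso: str) -> bool:
        """May the agent forward at this moment (ISO 8601 timestamp)? The window
        is compared at minute granularity, so 23:59:30 still falls inside the
        default 12:00 a.m. to 11:59 p.m. window."""
        when = datetime.fromisoformat(when_iso)
        minute = when.time().replace(second=0, microsecond=0)
        return when.weekday() in self.allowed_days and self.window_start <= minute <= self.window_end

    def sustained_capacity(self) -> float:
        """Events per second the forwarder can drain with immediate acknowledgements."""
        return self.max_events_per_connection / self.forwarding_interval

    def drain_time(self, backlog: int) -> int:
        """Seconds needed to deliver a backlog of queued events (immediate acks)."""
        return math.ceil(backlog / self.max_events_per_connection) * self.forwarding_interval

    def coverage_warnings(self) -> list:
        """Event detail lost when a log is not monitored, per the dialog's notes."""
        warnings = []
        if not self.monitor_application_log:
            warnings.append("Application log off: Exchange store mount/dismount events not reported")
        if not self.monitor_security_log:
            warnings.append("Security log off: no 'who' or client location for password, logon audit "
                            "and lockout events; Security Log Full and Cleared not reported")
        if not self.monitor_system_log:
            warnings.append("System log off: no 'who' for NT Service events; Exchange restarts "
                            "detected less responsively")
        return warnings


def business_hours_config() -> AgentConfig:
    """Constructed variant: forward only Monday to Friday, 08:00 to 18:00."""
    return AgentConfig(name="Business hours", allowed_days=frozenset(range(5)),
                       window_start=time(8, 0), window_end=time(18, 0))


if __name__ == "__main__":
    for cfg in (AgentConfig(), business_hours_config(),
                AgentConfig(name="Bad", forwarding_interval=2, retry_interval=900)):
        print(f"{cfg.name}: capacity {cfg.sustained_capacity():.0f} events/s, "
              f"1200-event backlog drains in {cfg.drain_time(1200)} s")
        for line in cfg.validate() + cfg.coverage_warnings():
            print("  -", line)
```

With the defaults, 500 events per connection every 5 seconds drains the local queue at 100 events per second; that is the figure to compare against an agent's actual event rate when deciding whether a configuration suits a high-volume environment. The coverage warnings are the same trade-off the NOTE paragraphs describe: leaving the Security log unmonitored keeps the agent lighter but removes the "who" information from password and lockout events.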
SQL Server Auditing Use the double-arrow controls to the far right of this section's title bar to either collapse and hide the settings or to expand and show the settings in this particular section. Template list box This list box contains the SQL Server Auditing template(s) to be included in the selected agent configuration. Use the buttons to the right of this list box to add or remove templates from this list. Add Use the Add button to add a SQL Server Auditing template to the list box. This will display the Select SQL Template dialog allowing you to select from a list of templates available. Remove Use the Remove button, located to the right of the list box, to delete the selected template from the Template list box. Select/highlight the template to be removed and select the Remove button. Edit Use the Edit button to modify an existing template or create a new template. Selecting this button will display the SQL Auditing Configuration dialog where you can add or remove an auditing template; and add, delete or edit the options for a SQL instance in an existing template. Agent Configurations 226 ChangeAuditor For a detailed description of the SQL Auditing Configuration dialog, please refer to SQL Auditing Configuration Dialog on page 205. Account Exclusions Use the double-arrow controls to the far right of this section's title bar to either collapse and hide the settings or to expand and show the settings in this particular section. Template list box This list box contains the Excluded Accounts template(s) to be included in the selected agent configuration. Use the buttons to the right of this list box to add or remove templates from this list. Add Use the Add button to add an Excluded Accounts template to the list box. This will display the Select Excluded Account Template dialog allowing you to select from a list of templates available. 
Remove Use the Remove button, located to the right of the list box, to delete the selected template from the Template list box. Select/highlight the template to be removed and select the Remove button. Edit Use the Edit button to modify an existing template or create a new template. Selecting this button will display the Account Exclusion Configuration dialog where you can add or remove an auditing template; and add or delete an account from an existing template. For a detailed description of the Account Exclusion Configuration dialog, please refer to Account Exclusion Configuration Dialog on page 214. Restore to Default Use the Restore to Default button to reset any changed settings back to the factory defaults for the Default Configuration. This button is only available when the Default Configuration is selected in the Configurations list box. Agent Configurations ChangeAuditor 227 Select Template Dialogs A Select Template dialog is displayed whenever the Add button under one of the following expanded auditing sections on the Configuration Setup dialog is selected: • Select File System Template dialog - used for selecting one or more File System Auditing templates • Select Registry Template dialog - used for selecting one or more Registry Auditing templates • Select SQL Template dialog - used for selecting one or more SQL Server Auditing templates • Select Excluded Account Template dialog - used for selecting one or more Excluded Accounts templates This dialog contains a list of the templates defined that can be added to agent configurations. After selecting a template from this list, use the OK button to add the template and close the dialog. Back on the Configuration Setup dialog, the template will be displayed in the corresponding template list box. Once a template is added to an agent configuration, you must then assign the agent configuration to the appropriate NetPro Compliance Agent(s) to enable the custom auditing defined in the template. 
If the Select Template dialog is empty you must first create a template to define the custom auditing to take place. For more information on creating templates, please refer to the following topics:
• Creating File System Auditing Templates on page 172
• Creating Registry Auditing Templates on page 188
• Creating SQL Server Auditing Templates on page 198
• Creating Excluded Accounts Templates on page 208

Select Configuration Dialog

The Select Configuration dialog is displayed whenever the Assign tool bar button on the Agent Configuration page is selected. This dialog contains a list of the agent configurations defined that can be assigned to NetPro Compliance Agents. After selecting an agent configuration from this list, use the OK button to save the agent configuration assignment and close the dialog. Back on the Agent Configuration page, the new configuration assignment will be displayed in the Configuration column for the selected agent.

Chapter 13: Repository Configuration

The Repository Configuration page is displayed when Repository (under the Configuration heading) is selected in the explorer view of the Administration Tasks tab. This page consists of two major sections:
• SMTP Configuration - for enabling and configuring email alerting
• Group Membership Expansion - for defining how to expand groups when using them for the Who search criteria and when using a consolidated database

Configuring Email Notifications

In order to dispatch configuration change alerts through email (SMTP) you must enable email notification on the Repository Configuration page.

NOTE: The settings set on this page are global settings and will apply to all alert emails. You can, however, override the reply to, subject line, signature and body content for individual alerts using the settings on the Alert tab (Search Properties tabs).
NOTE: ChangeAuditor sends alerts through a single SMTP (email) relay configuration even when multiple repositories are configured. That is, all repositories will use the same mail server for sending alert notifications.

To enable and configure email notifications:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks page.
2. From the left-hand pane, select Repository (under the Configuration heading) to open the Repository Configuration page.
3. On the SMTP Configuration pane, select (check) the Enable SMTP for Alerts option to enable email alert notifications. Checking this option will activate the remaining fields on this page to configure and customize alert emails. Enter the following information:
   • Mail Server
   • From Address
   • Reply To
   • Subject Line
4. Select the appropriate option to have the email notification sent in plain text format (default) or HTML format.
5. Optionally, select the Configure Body button to launch the Alert Body Configuration dialog where you can define the content of the main body, the event details and the signature to be included in your alert emails. After configuring the alert body, select OK to return to the Repository Configuration page.
6. If the specified mail server requires authentication, select (check) the My Server Requires Authentication option and enter the account information.
7. Select the Test SMTP tool bar button to test the mail server configuration.
8. Once the mail server configuration is verified, select the Apply Changes tool bar button to save the configuration.
9. Now that SMTP alerting is enabled and configured, you can enable email alerts for individual search definitions.
Customizing Email Content

In addition to the customizable fields (Reply To, Subject Line and Signature) on the Repository Configuration dialog, you can use the Configure Body button to define the content to be used in the main body of your alert emails as well as the event details to be included.
1. Select the Configure Body button to display the Alert Body Configuration dialog.
2. On the Alert Body Configuration dialog, select the appropriate option to edit either the Plain Text (default) or the HTML representation of the alert emails.
3. Use the top pane to enter the text to be included and define the overall layout of the alert body. You can also use the Show Variables and Add Variable buttons to insert a selected variable into the main body of your alert email.
4. Use the middle pane to specify the event details to be included. That is, you can rearrange the entries, remove entries, or modify text, etc. You can also use the Show Variables and Add Variable buttons to insert a selected variable into the event details of your alert email.
   NOTE: Do NOT modify the blue text surrounded by percent signs (e.g., %EVENT_USER_NAME%). These are tags which represent actual data retrieved from the ChangeAuditor event that triggered the alert. See Appendix A: ChangeAuditor Email Tags on page 257 for more information on these tags and the data retrieved by each.
5. Use the bottom pane to enter the signature line to be added to alert emails.
6. After you have entered the body content and defined the event details and signature line to be included, select the Preview button to view a sample email using your defined format and content.
7. Once defined, use the OK button to save your settings and close the Alert Body Configuration dialog.

SMTP Configuration Pane

ChangeAuditor can generate alerts when certain kinds of configuration changes occur.
If an audited event matches all of the criteria defined and alerting is enabled, ChangeAuditor dispatches the alert via email (SMTP), SNMP or WMI events, as defined on the Alert search properties tab.

NOTE: SMTP, SNMP and/or WMI must be configured to receive ChangeAuditor alerts BEFORE any alert notifications will be sent. To enable and configure SMTP alerting, please refer to Enabling/Disabling Alerts on page 65.

Enable SMTP for Alerts
Select (check) this option to enable email alert notifications. Checking this option will activate the remaining fields on this page to customize alert emails. The settings set on this page are global settings and will apply to all alert emails. You can, however, override the reply to, subject line, signature and body content for individual alerts using the settings on the Alert tab (Searches Properties tabs).

Mail Server
When email alert notification is enabled, enter the name or IP address of the mail server in this text box.
NOTE: ChangeAuditor sends alerts through a single SMTP (email) relay configuration even when multiple repositories are configured. That is, all repositories will use the same mail server for sending alert notifications.

From Address
This field displays the address where the email message will originate.

Reply To
Enter the address where replies to alert emails are to be sent.

Subject Line
Enter a customized subject line to replace the default text in the subject line. The default subject line contains the following information:

ChangeAuditor %Alert_Type% from %Alert_Repository_Name%: %Alert_Name%

Where:
• %Alert_Type% is either "Alert" or "Smart Alert"
• %Alert_Repository_Name% is the name of the repository generating the alert
• %Alert_Name% is the name of the alert that fired

Select the button to the far right of the Subject Line to select the variable to be inserted into the subject line or to reset it back to the default content.
Insert Variable
Expand the Insert Variable option to insert a variable into the subject line:
• ALERT_NAME
• ALERT_TYPE
• ALERT_REPOSITORY_DOMAIN
• ALERT_REPOSITORY_NAME
• BATCH_ID
• EVENT_COUNT
• SMART_ALERT
• SMART_ALERT_GROUPING
• SMART_ALERT_OCCURRENCE
• SMART_ALERT_PERIOD
• SMART_ALERT_PERIOD_UNIT

Restore to Default
Use the Restore to Default option to reset the subject line back to the default content. That is, remove any variables that were inserted.

Send Plain-Text Email
Select this option to have the email notification sent in plain text format. (Default)

Send HTML Email
Select this option to have the email notification sent in HTML format.

Configure Body
Select this button to launch the Alert Body Configuration dialog where you can define the content of the main body, the event details and the signature to be included in your alert emails.

My Server Requires Authentication
Select (check) this option if the specified mail server requires authentication and enter the account information as described below.

Account Name
Enter the account name required to authenticate to the specified mail server.

Password
Enter the password associated with the server name entered above.

Alert Body Configuration Dialog

The Alert Body Configuration dialog is displayed when the Configure Body button is selected on the Repository Configuration page or the Alert Custom Email dialog. (The Alert Custom Email dialog is launched when you select the Configure Email button on the Alert Search properties page.) When accessed through the Repository Configuration page, these settings will apply globally to all alert emails. However, when accessed through the Alert Custom Email dialog, these settings will apply to the selected alert only.

The Alert Body Configuration dialog allows you to edit the Plain Text and the HTML representation of alert emails.
It consists of the following panes:
• Main Body - the top pane is for defining the overall content and layout of the alert body
• Event Details - the middle pane is for defining the details to be included for each event included in the alert email
• Signature - the bottom pane is for defining the signature line to be added to the alert email

NOTE: When verifying your edits, please remember that email tags (whether entered manually or selected from the list) will always be represented in blue. Black text within your alert will be taken literally and will be displayed as entered.

Main Body
In the Main Body text box (top pane), enter the text to be included in the main body of alert emails.
NOTE: The event details defined in the Event Details pane are placed in the Main Body pane using the following tag: %EVENT_DETAILS%. This tag should NOT be removed from this pane if you want to include event details in alert emails.

Use the Global Main Body
Select (check) this check box to use the global settings for the main body of the selected alert. This check box is only available when defining individual alert email content. That is, when this dialog is accessed through the Alert Custom Email dialog. (The Alert Custom Email dialog is launched when you select the Configure Email button on the Alert Search Properties tab.)

Show Variables
Select the Show Variables button to display the list of variables available for inclusion in the Main Body. This button is only enabled when the Use the Global Main Body check box is not checked.

Hide Variables
Use the Hide Variables button to collapse and hide the Variables list from the Alert Body Configuration dialog.

Add Variable
Use the Add Variable button to add the selected variable to the Main Body text box. The selected variable will be inserted at the point where your cursor is located. This button is only available when the Variables list is being displayed.
You can also double-click a variable from the list to add it to the Main Body text box.

Event Details
The Event Details text box (middle pane) defines the event details to be included in alert emails. From this text box, you can edit the default event details file (e.g., rearrange the entries, remove entries, modify text, etc.) to define how event details are to be presented in alert emails.
NOTE: Do not modify the blue text enclosed in percent signs (e.g., %EVENT_USER_NAME%). These are tags which represent actual data retrieved from the ChangeAuditor event that triggered the alert. See ChangeAuditor Email Tags for more information on the use of these tags and the data retrieved by each.

Use the Global Event Details
Select (check) this check box to use the global settings for the event details of the selected alert. This check box is only available when defining individual alert email content. That is, when this dialog is accessed through the Alert Custom Email dialog. (The Alert Custom Email dialog is launched when you select the Configure Email button on the Alert Search Properties tab.)

Show Variables
Select the Show Variables button to display the list of variables available for inclusion in the Event Details. This button is only enabled when the Use the Global Event Details check box is not checked.

Hide Variables
Use the Hide Variables button to collapse and hide the Variables list from the Alert Body Configuration dialog.

Add Variable
Use the Add Variable button to add the selected variable to the Event Details text box. The selected variable will be inserted at the point where your cursor is located. This button is only available when the Variables list is being displayed. You can also double-click a variable from the list to add it to the Event Details text box.

Signature
The Signature text box (bottom pane) defines the content of the signature line to be used in alert emails.
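The way the three panes combine into one message, and what the %TAG% placeholders in the subject line and event details do at send time, is easier to see in code. The following is an added example and not ChangeAuditor's own code: the substitution rules, the escaping of tag values in the HTML representation, and all sample pane content, alert and event data are this example's assumptions; only the default subject line is the one documented above.

```python
"""Composing an alert email from the Main Body, Event Details and Signature
panes. Added example (not ChangeAuditor's own code): the %TAG% substitution
rules, the HTML escaping and all sample content below are this example's
assumptions, except the default subject line, which is the one documented
on the Repository Configuration page."""
import html
import re

TAG_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

# Documented default subject line.
DEFAULT_SUBJECT = "ChangeAuditor %Alert_Type% from %Alert_Repository_Name%: %Alert_Name%"

# Constructed stand-ins for what an administrator types into the three panes.
MAIN_BODY = "Alert %ALERT_NAME% fired (%EVENT_COUNT% events).\n\n%EVENT_DETAILS%"
EVENT_DETAILS = "Who: %EVENT_USER_NAME%  What: %EVENT_CLASS%  Where: %EVENT_SERVER%"
SIGNATURE = "-- ChangeAuditor alerting"


def has_event_details_tag(main_body):
    """The %EVENT_DETAILS% tag is what pulls the middle pane into the body;
    a main body without it produces an alert with no per-event data."""
    return "%EVENT_DETAILS%" in main_body


def substitute(template, values, as_html=False):
    """Replace each %TAG% with its value. Tag names are matched
    case-insensitively (the default subject writes %Alert_Type%, the
    variable list shows ALERT_TYPE). Unknown tags are left in place so a
    mistyped tag is visible in the preview instead of silently vanishing.
    In HTML mode the values are escaped: user and object names come from
    the audited event, so that untrusted input must never become markup."""
    lookup = {k.upper(): v for k, v in values.items()}

    def repl(match):
        key = match.group(1).upper()
        if key not in lookup:
            return match.group(0)
        text = str(lookup[key])
        return html.escape(text, quote=True) if as_html else text

    return TAG_RE.sub(repl, template)


def render_alert(alert, events, as_html=False, main_body=MAIN_BODY,
                 event_details=EVENT_DETAILS, signature=SIGNATURE):
    """Return {'subject', 'body'}: the details template is rendered once per
    event, joined, and spliced into the main body's %EVENT_DETAILS% slot
    after the other tags (so already-rendered details are not escaped
    twice); the signature is appended last."""
    alert_values = dict(alert, EVENT_COUNT=len(events))
    subject = substitute(DEFAULT_SUBJECT, alert_values)
    newline = "<br>\n" if as_html else "\n"
    details = newline.join(
        substitute(event_details, {**alert_values, **event}, as_html)
        for event in events)
    body = substitute(main_body, alert_values, as_html)
    body = body.replace("%EVENT_DETAILS%", details)
    body += newline * 2 + substitute(signature, alert_values, as_html)
    return {"subject": subject, "body": body}


# Constructed alert and events (not real audit data).
SAMPLE_ALERT = {"ALERT_NAME": "Domain Admins membership change",
                "ALERT_TYPE": "Alert",
                "ALERT_REPOSITORY_NAME": "CA-REPO-01"}
SAMPLE_EVENTS = [
    {"EVENT_USER_NAME": "CORP\\jdoe", "EVENT_CLASS": "Group Member Added",
     "EVENT_SERVER": "DC01"},
    # A name containing markup: harmless in plain text, must be escaped
    # in the HTML representation.
    {"EVENT_USER_NAME": "CORP\\<b>svc</b>", "EVENT_CLASS": "Group Member Removed",
     "EVENT_SERVER": "DC02"},
]

if __name__ == "__main__":
    rendered = render_alert(SAMPLE_ALERT, SAMPLE_EVENTS)
    print(rendered["subject"])
    print(rendered["body"])
```

Run the block directly to see the plain-text rendering; call `render_alert(..., as_html=True)` to compare the HTML representation, where the second event's name arrives as `&lt;b&gt;svc&lt;/b&gt;` rather than as a tag.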
Use the Global Signature
Select (check) this check box to use the global settings for the signature of the selected alert. This check box is only available when defining individual alert email content. That is, when this dialog is accessed through the Alert Custom Email dialog. (The Alert Custom Email dialog is launched when you select the Configure Email button on the Alert Search Properties tab.)

Plain Text
Select this option to use plain text format for editing and displaying the content of alert emails.

HTML
Select this option to use HTML format for editing and displaying the content of alert emails.

Restore to Default
Select the Restore to Default button to reset all of the alert content back to the factory default settings.

Preview
After you have defined the body content, event details and signature to be included, use the Preview button to view a sample email using the defined format.

OK | Cancel
Use the OK button to save your selections and close the dialog. Use the Cancel button to close the dialog without saving your selections.

Group Membership Expansion Pane

The bottom pane of the page contains options which allow you to define the schedule for expanding nested membership of Active Directory groups that are referenced in Searches (Who search criteria) or groups that are defined in the Member of Group feature. Group membership will be recursively enumerated in order to determine nested group membership. This feature is also utilized by NetPro Business Insight to import user and group relationships for analytical reporting.

This pane is collapsed by default; therefore, you must click in the heading to expand the pane to view/set the group membership expansion options.

Select the groups to expand
Select one of the following options to define how you want to expand groups:

Expand all groups
This expands all groups in the forest.
Use this only if you are using SSIS and need the freedom to make requests for any group in the forest.

Expand groups that are referenced in existing queries
ChangeAuditor must expand all groups in queries in order to get their membership. With the membership, the events for the groups can be retrieved. This is always done and cannot be disabled.

Expand groups that are referenced in existing queries and selected groups (default)
In addition to the groups referenced in existing queries, you have the ability to select other groups. This would be useful when you have groups that need expansion for SSIS database requests, but you do not want to burden your production system with expanding all groups in the environment.

Group Membership Expansion list box
The Group Membership Expansion list box is only available when the Expand groups that are referenced in existing queries and selected groups option is selected and displays a list of the groups to be expanded. Use the Add button to add groups to this list box and use the Remove button to remove groups from the list box.

Add
Use the Add button to add groups to the group membership expansion list. Selecting this button will display the Select one or more Directory Objects dialog allowing you to locate and select the groups to be added. See Using the Object Picker on page 38 for a description of the Browse, Search and Options pages. Note that the Find field on this dialog will display Group and cannot be changed.

Remove
Use the Remove button to remove the selected group from the group membership expansion list.

Select the refresh frequency

Refresh group membership every nnn minutes
By default, group membership will be refreshed every 360 minutes. Use the arrow controls to increase or decrease this value.

Number of groups to expand every 5-minute cycle
By default, 20 groups will be expanded every 5-minute cycle. Use the arrow controls to increase or decrease this value.
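The recursive enumeration of nested membership that this pane schedules, together with the three "groups to expand" options and the per-cycle batching, is shown below as an added example. It is not ChangeAuditor's code and does not talk to Active Directory: the directory, the search definitions and the batch size are constructed in memory so it runs offline. The point worth seeing is the visited set: nested groups in AD can form cycles and diamonds, and an expansion without it would either loop or count members several times.

```python
"""Recursive expansion of nested Active Directory group membership, which is
what the Group Membership Expansion pane schedules. Added example, not
ChangeAuditor's code: the in-memory directory, the search definitions and
the batching of the expansion list are constructed here."""

# Constructed directory: group name -> direct members (users or groups).
# "Ops" and "Ops-Leads" contain each other; AD permits such cycles, and a
# recursive walk without a visited set would loop on them forever.
DIRECTORY = {
    "Domain Admins": ["alice", "Ops-Leads"],
    "Ops-Leads": ["bob", "Ops"],
    "Ops": ["carol", "Ops-Leads", "Helpdesk"],
    "Helpdesk": ["dave", "erin"],
    "Finance": ["frank", "Helpdesk"],
}

# Constructed search definitions: only the Who criteria matter here.
SEARCHES = [
    {"name": "Admin group changes", "who": ["Domain Admins"]},
    {"name": "Finance edits", "who": ["frank", "Finance"]},
]


def is_group(name, directory=DIRECTORY):
    return name in directory


def expand_group(group, directory=DIRECTORY):
    """Return (users, nested_groups) reachable from `group`, counting each
    member once even when it is reached through several paths (a 'diamond')
    or through a cycle."""
    users, seen = set(), set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in directory.get(current, []):
            if is_group(member, directory):
                stack.append(member)
            else:
                users.add(member)
    seen.discard(group)          # report only the groups nested below the root
    return users, seen


def expansion_list(option, selected=(), searches=SEARCHES, directory=DIRECTORY):
    """Build the list of groups to expand for the three documented options:
    'all' (every group in the forest), 'referenced' (groups named in Who
    criteria) and 'referenced+selected' (the default: those plus a chosen
    list). Names in `selected` that are not groups are ignored, mirroring the
    object picker's fixed Find field of Group."""
    referenced = {w for s in searches for w in s["who"] if is_group(w, directory)}
    if option == "all":
        return sorted(directory)
    if option == "referenced":
        return sorted(referenced)
    if option == "referenced+selected":
        return sorted(referenced | {g for g in selected if is_group(g, directory)})
    raise ValueError(option)


def cycles(groups, per_cycle=20):
    """Split the expansion list into the batches processed one per 5-minute
    cycle ('Number of groups to expand every 5-minute cycle', default 20)."""
    groups = list(groups)
    return [groups[i:i + per_cycle] for i in range(0, len(groups), per_cycle)]


if __name__ == "__main__":
    for g in expansion_list("referenced+selected", selected=["Helpdesk"]):
        users, nested = expand_group(g)
        print(f"{g}: users={sorted(users)} nested={sorted(nested)}")
```

Dividing the expansion list by `per_cycle` gives the number of cycles a full refresh takes at the configured rate, which is the figure to compare against the "Refresh group membership every nnn minutes" interval when tuning these settings.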
Refresh the list of expanded groups every nnn minutes
By default, the group membership expansion list is refreshed every 180 minutes. Use the arrow controls to increase or decrease this value.

Use the tool bar buttons across the top of this page as described below:

Apply Changes
Use the Apply Changes button to save your repository configuration.

Test SMTP
Use the Test SMTP button to test the configuration information entered. Selecting this button will generate a test email to the specified mail server.

Test SNMP
Use the Test SNMP button to test the configuration information entered. Selecting this button will generate a test SNMP trap.

Chapter 14: Database Maintenance

ChangeAuditor provides the ability to archive or 'save' data to an offline database for long term storage and to optionally purge or 'delete' data from the live production database. You will use the Database Maintenance page on the Administration Tasks tab to define the database maintenance to be performed as well as a schedule for checking the production database to determine if it is ready for maintenance.

NOTE: The database maintenance feature uses the SQL Server Agent to perform the designated maintenance activities; therefore users must have the proper permissions to add or modify SQL Server Agent jobs to use this feature. That is, users must be a member of one of the following roles in order to use the database maintenance feature:
• sysadmin fixed server role - has full access to SQL Server Agent
• SQLAgentOperatorRole fixed database role (resides in the msdb database) - most privileged of the database roles
• SQLAgentUserRole fixed database role (resides in the msdb database) - least privileged of the database roles

Defining Database Maintenance Activities

NOTE: There can only be one maintenance schedule defined at a time.

To define database maintenance:
1. Use the View | Administration menu command (or F12) to open the Administration Tasks tab.
2. From the left-hand pane, select Purge/Archive (under the Configuration heading) to open the Database Maintenance page.
3. Use the Add tool bar button to launch the Database Maintenance wizard to define a new maintenance schedule.
4. On the first page of the wizard, select the type of database maintenance to be performed: Archive Only, Purge Then Archive or Purge Only.
5. If the ‘Purge then Archive’ or ‘Purge Only’ options are selected on the first page, the Select Purge Options page will be displayed allowing you to choose the records to be deleted from the production database.
6. If the ‘Archive Only’ or ‘Purge then Archive’ options are selected on the first page, the Select Archive Options page will be displayed allowing you to choose the records to be moved from the production database to the archive database and the size of the archive database.
7. The last page of the wizard allows you to define when the database is to be checked to determine if it meets the archive/purge requirements defined. If it does, the selected records will be archived/purged as defined. If it does not, no action will be taken.
8. Once defined, the Database Maintenance page will display the details regarding the database maintenance schedule.

To edit a maintenance schedule:
1. On the Database Maintenance page, select the Edit tool bar button.
2. This will launch the Database Maintenance wizard allowing you to modify the current maintenance settings.

To delete a maintenance schedule:
1. On the Database Maintenance page, select the Delete tool bar button.
2. When prompted, confirm that you want to delete the database maintenance schedule.

To disable a maintenance schedule or re-enable a disabled schedule:
1. On the Database Maintenance page, select the Disable tool bar button.
2. When a schedule is disabled, it will be grayed out on the Database Maintenance page and no maintenance activities will take place.
3. To enable a previously disabled maintenance schedule, select the Enable tool bar button.

Database Maintenance Page

Once a database maintenance schedule is defined, the Database Maintenance page will display the following details:

Database Maintenance
This field defines the type of database maintenance to be performed: Archive Only, Purge then Archive, or Purge Only.

Purge Options
If applicable, this section will display the purge options selected when the database maintenance schedule was defined:
• Purge data older than
• The records to be purged

Archive Options
If applicable, this section will display the archive options selected when the database maintenance schedule was defined:
• Archive data older than
• Take archive offline by

Scheduling
This section displays when the production database is to be checked to determine if maintenance is to be performed:
• Start time
• How often to check the database

Use the tool bar buttons across the top of the page as described below:

Add
Use the Add button to launch the Database Maintenance Wizard to define a new maintenance schedule.
NOTE: There can only be one maintenance schedule defined at a time.

Edit
Use the Edit button to modify the settings defined in the database maintenance schedule. Selecting this button will display the Database Maintenance Wizard allowing you to modify the maintenance options.

Delete
Use the Delete button to delete the database maintenance schedule.

Enable
Use the Enable button to enable a previously disabled maintenance schedule.

Disable
Use the Disable button to disable the maintenance schedule. When a schedule is disabled, it will be grayed out on the Database Maintenance page.
Database Maintenance Wizard

The Database Maintenance wizard is launched when you select the Add tool bar button from the Database Maintenance page on the Administration Tasks page. The Database Maintenance wizard consists of the following pages:
• Select Maintenance Action
• Select Purge Options
• Select Archive Options
• Schedule Database Maintenance

Select Maintenance Action Page

On the first page of the wizard, select one of the following options to define the type of database maintenance to be performed:

Archive Only
Use this option to move audit records from the production database to an online archive database.

Purge then Archive
Use this option to delete records from the production database, then move records from the production database to an archive database.

Purge Only
Use this option to delete audit records from the production database.

Select Purge Options Page

If the ‘Purge then Archive’ or ‘Purge Only’ options are selected on the first page, the Select Purge Options page will be displayed allowing you to choose the records to be deleted from the production database.

Purge all records older than
This option is only available when the Purge Only option is selected. Select this option to purge all records from the production database and use the controls to specify how old the records are to be before they are purged. Valid options include:
• <nn> Calendar Weeks
• <nn> Calendar Months
• <nn> Calendar Quarters
• <nn> Calendar Years

Purge selected records older than
Select this option to purge only selected records from the production database. Use these controls to specify how old the records are to be before they are purged.
Valid options include:
• <nn> Calendar Weeks
• <nn> Calendar Months
• <nn> Calendar Quarters
• <nn> Calendar Years

After selecting a value and calendar interval, use the following check boxes to define the records to be purged:
• Events detected on a specific agent(s)
• Events of a specific Event Class or Facility
• Events detected on a specific domain(s)
• Events created by a specific user(s) or group(s) of users

Selecting (checking) any of these options will add a link to the selection list box, which when selected will launch a dialog allowing you to specify the records to be purged from the production database. Once you have selected the specific records to be purged, the link will be replaced with the record selected for purging. After you have selected the 'older than' interval and the records to be purged, select the Next button to proceed with defining your database maintenance schedule.

Select Archive Options Page

If the ‘Archive Only’ or ‘Purge then Archive’ options are selected on the first page, the Select Archive Options page will be displayed allowing you to choose the records to be moved from the production database to the archive database and the size of the archive database.

Archive data older than
Use these controls to define what is to be retained in the production database. By default, the production database will retain 90 calendar days' worth of data after the archive occurs. The options that can be used to define this include:
• <nn> Calendar Days (default)
• <nn> Calendar Weeks
• <nn> Calendar Months
• <nn> Calendar Quarters
• <nn> Calendar Years

Save archives by
Use this control to define the amount of data that is to be retained in the archive database. By default, the archive database will contain one calendar month's worth of data. Other options are calendar year and calendar quarter.
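What a given combination of maintenance action, purge interval, archive interval and "selected records" filter does to a set of audit records can be worked through offline. The block below is an added example, not ChangeAuditor's own code or its SQL Server Agent job: its reading of "<nn> Calendar ..." as whole units counted back from the check time, the ordering of the purge step before the archive step (taken from the Purge then Archive description above), and the sample records and check time are all this example's assumptions.

```python
"""Applying a Purge/Archive definition from the Database Maintenance wizard
to a set of audit records. Added example, not ChangeAuditor's own code: the
reading of '<nn> Calendar ...' as whole units counted back from the check
time, the rule that the purge step runs before the archive step for
'Purge then Archive', and the sample records are this example's assumptions."""
import calendar
from datetime import datetime, timedelta

DAY_UNITS = {"Calendar Days": 1, "Calendar Weeks": 7}
MONTH_UNITS = {"Calendar Months": 1, "Calendar Quarters": 3, "Calendar Years": 12}


def cutoff(now, count, unit):
    """Instant before which a record is 'older than <count> <unit>'."""
    if unit in DAY_UNITS:
        return now - timedelta(days=count * DAY_UNITS[unit])
    months_back = count * MONTH_UNITS[unit]
    years_back, month_index = divmod(now.month - 1 - months_back, 12)
    year, month = now.year + years_back, month_index + 1
    day = min(now.day, calendar.monthrange(year, month)[1])   # clamp, e.g. 31 -> 29
    return now.replace(year=year, month=month, day=day)


def plan_maintenance(action, records, now, purge=None, archive=None,
                     purge_filter=lambda r: True):
    """Partition `records` (dicts with 'id' and 'when') into purged, archived
    and retained ids for the three wizard actions. `purge` and `archive` are
    (count, unit) pairs; `purge_filter` models 'Purge selected records'
    (agent, class/facility, domain, user) and defaults to every record."""
    if action not in ("Archive Only", "Purge then Archive", "Purge Only"):
        raise ValueError(action)
    purged, archived, retained = [], [], []
    purge_before = cutoff(now, *purge) if action != "Archive Only" else None
    archive_before = cutoff(now, *archive) if action != "Purge Only" else None
    for rec in sorted(records, key=lambda r: r["when"]):
        if purge_before and rec["when"] < purge_before and purge_filter(rec):
            purged.append(rec["id"])          # deleted: never reaches the archive
        elif archive_before and rec["when"] < archive_before:
            archived.append(rec["id"])        # moved to the archive database
        else:
            retained.append(rec["id"])        # stays in production
    return {"purged": purged, "archived": archived, "retained": retained}


def purge_preempts_archive(now, purge, archive):
    """True when the purge window is shorter than the archive window, so under
    these rules records that would have been archived are deleted instead."""
    return cutoff(now, *purge) > cutoff(now, *archive)


# Constructed records and check time (not real audit data).
NOW = datetime(2008, 8, 15, 0, 0, 0)           # wizard default start time 12:00:00 A.M.
RECORDS = [
    {"id": 1, "when": datetime(2007, 1, 10), "event_class": "User Deleted"},
    {"id": 2, "when": datetime(2008, 3, 1), "event_class": "Group Member Added"},
    {"id": 3, "when": datetime(2008, 8, 1), "event_class": "Group Member Added"},
]

if __name__ == "__main__":
    print(plan_maintenance("Purge then Archive", RECORDS, NOW,
                           purge=(1, "Calendar Years"), archive=(90, "Calendar Days")))
    print(purge_preempts_archive(NOW, (1, "Calendar Weeks"), (90, "Calendar Days")))
```

Running `purge_preempts_archive` against a proposed definition before committing it is the check worth keeping: with a purge interval shorter than the archive interval, the records a retention policy expects to find in the archive database are gone.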
Schedule Database Maintenance Page

The last page of the wizard allows you to define when the database is to be checked to determine if it meets the archive/purge requirements defined. If it does, the selected records will be archived/purged as defined. If it does not, no action will be taken.

Check every
Use these controls to define the schedule for checking the database. By default, the database will be checked every day. Other options include:
• <nn> weeks
• <nn> months

Start Time
Use this control to define a start time for the database maintenance tasks to be performed. Default start time is 12:00:00 A.M.

Chapter 15: Generating and Publishing Reports

Presenting audited information in a professional, concise and effective way is clearly as critical as gathering it in the first place. Thus, ChangeAuditor leverages Microsoft SQL Server Reporting Services (SRS) to provide reports that can be viewed from the ChangeAuditor client or published to SRS. This reporting flexibility allows organizations to granularly discern which business units see which types of data and also to set custom criteria for the types of information shared in the report. For example, Administrators could pull reports highlighting how many times a particular event or category of events occurred in the last 30 days or provide a more detailed accounting to articulate who made the changes, how many times, and the before and after values associated with those changes. Whether for operations insight or security reporting for management, ChangeAuditor provides reports that streamline reporting to meet any requirement.

Generating/Viewing Reports through the ChangeAuditor Client

ChangeAuditor allows you to generate and view an SRS rendering of the audited events returned for a selected search definition or built-in report, which includes all of the Security and Compliance reports provided with the product.
In addition, ChangeAuditor provides the following built-in SRS reports that can also be viewed through the ChangeAuditor Client:
• Event Summary - event summary reports capture the event counts and can be grouped by event class, date and hour, or domain and server.
• Event Analysis - event analysis reports can be run to show the event activity of a server or a domain.
• File Monitoring - the file monitoring report captures information about custom file monitoring events.

Since all of these reports can be viewed directly from the ChangeAuditor Client, they do NOT require SRS. When you run one of these reports, the SQL rendering will be displayed in a new Report page, where you can then scroll through, print or export the report.

To generate/view an SRS rendering of a search or built-in report definition:
1. Open the Searches page (F10 or View | Searches menu command).
2. Expand the Private and Shared folders in the Explorer view to locate a search or built-in report. Select the search from the Search list box in the right-hand pane, right-click and select Run Local Report.
3. A new Report page will be created displaying the SRS rendering of the audited events that met the selected search/report definition.
4. Use the tool bar buttons across the top of the report to scroll through the report, print the report, etc.

To generate a built-in SRS report:
1. Open the Searches page (F10 or View | Searches menu command).
2. Expand the Built-in SRS Reports folder in the Explorer view to locate a built-in SRS report. Select the report from the Search list box in the right-hand pane, right-click and select Run Local Report (or double-click on the report).
3. The Report Options dialog will be displayed allowing you to specify what information is to be included in the selected report. By default, all information for the last seven days will be included. To specify a different time frame, use the drop-down menu.
To specify a specific object (e.g., server) use the browse button, which then displays an additional dialog to select the object to be included. After selecting the options to be used, select OK.
4. A new Report page will be created displaying the selected report.
5. Use the tool bar buttons across the top of the report to scroll through the report, print the report, etc.

Report Options Dialog

The Report Options dialog is displayed when you run one of the built-in SRS reports provided with ChangeAuditor. That is, this dialog is displayed when you select a report from the Searches Page and either double-click or right-click and select the Run Local Report menu command. From this dialog you can select from the following options to limit the information included in the selected report:

Time Frame
Use the drop-down arrow to select a time frame for your report. The Last 7 Days is the default time interval.

Depending on the report selected, different options will be displayed allowing you to customize your report to include specific data. For most of the options, use the browse button to display an additional dialog to select the specific data to be included in the report. To specify an organizational unit, place your cursor in the Org. Unit text field and enter an OU (e.g., NetPro\Sales or NetPro\S%). To specify a file name, place your cursor in the File Name text field and enter a file name (e.g., ChangeAuditor.txt or Change%). (Where % is a wildcard.)

The following table illustrates the report options that can be set for each of the different reports:

Report                                              Report Options
Event Analysis Report By Domain                     Domain, Facility, Event Class, User
Event Analysis Report By OU                         Facility, Event Class, User, Org. Unit
Event Analysis Report By Server                     Server, Facility, Event Class, User
Event Summary Report Grouped By Date and Hour       Facility, Event Class
Event Summary Report Grouped By Domain and OU       Facility, Event Class
Event Summary Report Grouped By Domain and Server   Facility, Event Class
Event Summary Report Grouped By Event Class         Server, Domain, User
File Monitoring Report                              Server, User, File Name

Report Page

A new Report page is created whenever a local report is generated for a search or built-in report (Run Local Report right-click command). This page displays the audited events found as a result of running the selected search/report. If a built-in SRS report is generated, this page displays the results based on the options selected on the Report Options dialog.

Use the tool bar buttons at the top of the report as described below:
• This button allows you to hide (or display) the report navigation pane to the left of the report. N/A for ChangeAuditor reports.
• Use this button to display the first page of the report.
• Use this button to display the previous page in the report.
• This control displays the page currently being displayed and the total number of pages in the report. You can use this control to display a specific page by entering a page number and pressing Enter.
• Use this button to display the next page in the report.
• Use this button to display the last page of the report.
• Use this button to redisplay the latest available data in the report.
• Use this button to send the report to the designated printer.
• This button allows you to return to the parent report if you have drilled down into a more detailed report.
• Use this button to stop rendering the report.
• Use this button to preview the print layout of the report.
• Use this button to display the page setup and print options for the report.
• Use this button to export a report to a file.
  Use the drop-down arrow to specify the file format and destination. Excel and Acrobat PDF files are supported.
• Use this button to specify the magnification of the report.
• Enter a specific string of characters or word to be located in the report and use the Find button to locate the text. Use the Next button to find the next occurrence of the word or string of characters specified.

Publishing Reports to SRS

ChangeAuditor supports Microsoft's SQL Server 2005 Reporting Services (SRS), providing a comprehensive, server-based solution that enables the creation, management and delivery of both traditional paper and interactive web-based reports. In this implementation, administrators no longer need to traverse the various auditing solutions to create the desired reports. Instead they can interact with a web-based reporting portal and simply subscribe to the reports they want to see.

To publish a single report to an SRS server:
1. Select the Searches tab, select the F10 function key, or use the View | Searches menu command to open the Searches page.
2. Expand the Private and Shared folders and select a folder in the Explorer view to display the list of search/report definitions stored in the selected folder.
3. From the right-hand pane, right-click a search/report definition and select the Create Report(s) Using SQL Reporting Services command.
4. This will display the Create Report dialog allowing you to configure the SQL Server Reporting Services to be used and specify the report details.
   • To configure the SQL Server Reporting Services to be used, select the Configure button. This will display the Reporting Services Setup dialog where you will configure the reporting services and ChangeAuditor shared data source. Use the Test button at the bottom of the dialog to verify the credentials entered above.
   • Back on the Create Report dialog, you can also define the name of the report, the location where the selected report is to be published so it can be accessed through SQL 2005 Reporting Services, and the report template (RDL file) to be used to render the report.
5. Once you have entered the requested information, ChangeAuditor will publish the report to the specified server, which will then be available through SQL Server 2005 Reporting Services.

To publish a series of reports (folder) to a SQL 2005 Reporting Services server:
1. Select the Searches tab, select the F10 function key, or use the View | Searches menu command to open the Searches page. Select a folder in the Explorer view to publish a report for each search/report included in the selected folder.
2. Right-click the folder and select the Create Report(s) Using SQL Reporting Services command.
3. This will display the Create Report dialog allowing you to configure the SQL Server Reporting Services to be used and specify the report details.
   • To configure the SQL Server Reporting Services to be used, select the Configure button. This will display the Reporting Services Setup dialog where you will configure the reporting services and ChangeAuditor shared data source. Use the Test button at the bottom of the dialog to verify the credentials entered above.
   • Back on the Create Report dialog, you can also define the name of the report, the location where the selected report is to be published so it can be accessed through SQL 2005 Reporting Services, and the report template (RDL file) to be used to render the report.
4. Once you have entered the requested information, ChangeAuditor will publish the reports to the specified server, which will then be available through SQL 2005 Reporting Services.
Create Report Dialog

The Create Report dialog is displayed when the Create Report(s) using SQL Reporting Services command is selected (right-click menu for a search or a folder on the Searches page). From this dialog you can view and/or modify the current configuration of the SQL Server Reporting Services and specify report details, including the report name, report folder and report template to be used.

SQL Server Reporting Services
  The top section of this dialog displays the URL of the SQL Server Reporting Service and the name of the ChangeAuditor data source. To change these settings, use the Configure button, which will display the Reporting Services Setup dialog.

Report Details
  Use the bottom section of this dialog to specify where to save the reports and the template to be used when creating the SRS report.

Report Name
  Enter a descriptive name for the published report, which will be displayed in SQL Server 2005 Reporting Services. By default, the name of the search definition or built-in report will be displayed in this field. To change it, place your cursor in this field and enter the new name for the report.

Report(s) Folder
  This field specifies the folder structure to be used on the report server. By default, the new report(s) are saved in the /NetPro/ChangeAuditor folder. To change this location, either enter the location to be used or use the Browse button to select the location (on the specified server) where the new report is to be saved. Selecting the Browse button will display the Select Reporting Services folder dialog allowing you to specify the folder where the new report(s) are to be saved.

Report Template
  This field specifies the report template (.rdl) to be used to render the SRS report. You can choose to either dynamically generate the .rdl file using the settings on the selected search's Advanced search properties tab, or use a static .rdl file.
  Select one of the following options to define the report template to be used for the selected ChangeAuditor report(s):
  • Use Default Auto-Generated RDL File - this option is selected by default and will dynamically generate the .rdl file to be used.
  • Use Custom RDL File - select this option to use a specific .rdl file. When you select the Use Custom RDL File option, enter the location for the report layout template (.rdl file) or use the Browse button to locate the template to be used. When this option is selected, the ChangeAuditor.rdl file will be used (e.g., C:\Program Files\NetPro\Compliance\Client\ChangeAuditor\ChangeAuditor.rdl).

Reporting Services Setup Dialog

The Reporting Services Setup dialog is displayed when the Configure button on the Create Report dialog is selected. From this dialog you can specify the URL and credentials for accessing the SRS server and the name and credentials for the ChangeAuditor data source.

SQL Server Reporting Services
  Use the top section of this dialog to specify the URL and credentials to be used to access the SRS server.

  NOTE: SQL Reporting Services must be configured with anonymous access disabled.

  NOTE: The account entered in this section requires rights to create SRS reports and data sources on the server (a.k.a. Content Manager).

Report Server URL
  Enter the URL for the SQL Server Reporting Services (SRS) server that will be hosting the ChangeAuditor reports. For example: http://<SQL_Server>/<ReportServer>, where <SQL_Server> is the name of the server hosting SRS and <ReportServer> is the name of the report server virtual directory.

User
  Enter a user name for a Windows account that has credentials to copy files to a SQL 2005 Reporting Service.

Password
  Enter the password associated with the user name entered above.

Domain
  Enter the domain for the Windows account to be used to access SRS.
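A pre-flight check for the Report Server URL and the first NOTE above (anonymous access must be disabled), as an added example that is not part of this guide or of ChangeAuditor: it builds the http://<SQL_Server>/<ReportServer> URL, checks its shape, and interprets what one request without credentials gets back. The guide does not describe the server's HTTP behaviour, so the interpretation rests on an assumption: a report server with anonymous access disabled answers an unauthenticated GET with HTTP 401 and a Negotiate/NTLM challenge, while one that still allows anonymous access answers 200. The hostname sqlsrv01.example.local is constructed.

```python
"""Pre-flight check for the Reporting Services Setup dialog.

Added example, not part of the guide or of ChangeAuditor.  Assumption not
stated by the guide: a report server with anonymous access disabled
answers an unauthenticated GET with HTTP 401 and a WWW-Authenticate
challenge (Negotiate/NTLM); one with anonymous access enabled answers 200.
"""
import re
import urllib.error
import urllib.request
from typing import Optional

# http://<SQL_Server>/<ReportServer>: scheme, host[:port], one virtual directory.
URL_PATTERN = re.compile(r"^https?://[^/\s]+/[^/\s]+/?$")


def report_server_url(sql_server: str, report_server: str = "ReportServer",
                      https: bool = False) -> str:
    """Build the Report Server URL in the form the dialog expects."""
    scheme = "https" if https else "http"
    return f"{scheme}://{sql_server}/{report_server.strip('/')}"


def is_valid_report_server_url(url: str) -> bool:
    """Reject URLs without a scheme or with path segments below the virtual directory."""
    return URL_PATTERN.match(url) is not None


def classify_anonymous_probe(status: Optional[int], www_authenticate: str = "") -> str:
    """Interpret the response to an unauthenticated request to the report server."""
    if status == 401:
        challenge = www_authenticate.lower()
        if "negotiate" in challenge or "ntlm" in challenge:
            return "ok: anonymous access disabled, Windows authentication required"
        return "ok: anonymous access disabled"
    if status == 200:
        return "MISCONFIGURED: anonymous access is enabled on the report server"
    if status is None:
        return "unreachable: no HTTP response from the report server"
    return f"unexpected HTTP {status}: inspect the report server configuration"


def probe_anonymous_access(url: str, timeout: float = 5.0) -> str:
    """Send one GET without credentials and classify what comes back (network call)."""
    if not is_valid_report_server_url(url):
        return f"invalid Report Server URL: {url}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_anonymous_probe(resp.status)
    except urllib.error.HTTPError as err:
        return classify_anonymous_probe(err.code, err.headers.get("WWW-Authenticate", ""))
    except (urllib.error.URLError, OSError):
        return classify_anonymous_probe(None)


if __name__ == "__main__":
    # Constructed hostname; replace it with the server entered in the dialog.
    url = report_server_url("sqlsrv01.example.local")
    print(url)
    print(probe_anonymous_access(url))
```

Run it from a workstation that is not already logged on to the report server; a "MISCONFIGURED" result means the server will accept report requests without credentials, which is the state the NOTE tells you to rule out before publishing. The Test button in the dialog checks the credentials you enter, not whether anonymous access is off, so the two checks complement each other.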
ChangeAuditor Shared Data Source
  Use the middle section of this dialog to enter the user account and credentials to be used to access the ChangeAuditor database (data source).

Data Source Name
  Enter the name of the ChangeAuditor data source.

Select one of the following options to specify whether Windows authentication or SQL authentication is to be used to connect to the ChangeAuditor data source:
• Windows Authentication
• SQL Server Authentication

Depending on the authentication option selected, enter the appropriate credentials:

User
  Enter a user name for the account to be used to access the ChangeAuditor data source.

Password
  Enter the password associated with the user name entered above.

Domain
  Enter the domain for the user account to be used to access the ChangeAuditor data source. This only applies to Windows Authentication.

Test
  Use the Test button at the bottom of the dialog to verify the credentials entered in the SQL Server Reporting Services section at the top of the dialog.

Appendix A: ChangeAuditor Email Tags

The Alert Body Setup dialog allows you to edit the Plain Text and the HTML representation of alert emails. It consists of the following panes:
• Main Body - the top pane is for defining the overall content and layout of the alert email body.
• Event Details - the middle pane is for defining the details to be included for each event included in the alert email.
• Signature - the bottom pane is for defining the signature line to be included.

The text entered in these panes is sent when the alert triggers, with the exception of the variable tags (%xxx%). These tags are used to retrieve information from ChangeAuditor. The following tags are used and should NOT be modified.

Tags valid in both the Main Body and Event Details panes:

%ALERT_TYPE%
  ‘Smart Alert’ or ‘Alert’.

%ALERT_NAME%
  The name of the alert that fired.
%ALERT_REPOSITORY_NAME%
  The name of the repository generating the alert.

%ALERT_REPOSITORY_DOMAIN%
  The name of the domain where the repository resides.

Tags valid only in the Event Details pane:

%EVENT_AGENT_DOMAIN%
  The name of the domain where the ChangeAuditor Agent resides.

%EVENT_AGENT_NAME%
  The name of the agent generating the alert.

%EVENT_FACILITY%
  The name of the event facility (e.g., Domain Configuration).

%EVENT_TIME_DETECTED%
  The date and time when the event was detected by ChangeAuditor.

%EVENT_TIME_RECEIVED%
  The date and time when the event was received by ChangeAuditor.

%EVENT_DESCRIPTION%
  The actual event that triggered the alert.

%EVENT_USER_NAME%
  The name of the user who initiated the change.

%EVENT_ACTION%
  The action associated with the event (e.g., Modify Attribute).

%EVENT_AGENT_ID%
  The event identification number assigned by the agent.

%EVENT_REPOSITORY_ID%
  The event identification number assigned by the repository.

%EVENT_OBJECT_NAME%
  The name of the object that changed.

%EVENT_ATTRIBUTE_NAME%
  The attribute that changed (e.g., displayName).

%EVENT_OBJECTCLASS%
  The type of object that changed (e.g., groupPolicyContainer).

%EVENT_FROM_VALUE%
  The old value that was assigned to the object.

%EVENT_TO_VALUE%
  The new value that is now assigned to the object.

NOTE: The %EVENT_CONTAINER_DN% email tag is not valid in ChangeAuditor 4.x. Therefore, if the %EVENT_CONTAINER_DN% email tag was migrated from a 3.x database, this tag will not contain valid data and should be removed from the Event Details pane.

Finally, the event details defined in the Event Details pane are placed in the Main Body pane using the following tag:

%EVENT_DETAILS%

Appendix B: System Tray Icons

ChangeAuditor provides a system tray icon for both the ChangeAuditor Repository and NetPro Compliance Agents, which allow you to enable/disable the service and display the current status of the service.
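The tag substitution described in Appendix A, as an added worked example that is not ChangeAuditor's own rendering code: the renderer below expands the Event Details pane once per event, splices the result into the Main Body through %EVENT_DETAILS%, appends the Signature, and reports any tag used in a pane where Appendix A does not allow it, including the 4.x-invalid %EVENT_CONTAINER_DN% that can survive a 3.x migration. The pane names, the sample templates, and the alert and event values are constructed; single-pass verbatim substitution and a tag-free Signature pane are assumptions the guide does not state.

```python
"""Alert-body tag renderer and validator for the Appendix A tags.

Added example, not ChangeAuditor's own rendering code.  Assumptions the
guide does not state: tags are replaced verbatim in a single pass, a tag
with no value is left untouched so the gap is visible in the mail, and
the Signature pane carries no tags.
"""
import re
from typing import Dict, Iterable, List

TAG = re.compile(r"%([A-Z_]+)%")

# Tags valid in both the Main Body and Event Details panes (Appendix A).
COMMON_TAGS = {
    "ALERT_TYPE", "ALERT_NAME", "ALERT_REPOSITORY_NAME", "ALERT_REPOSITORY_DOMAIN",
}
# Tags valid only in the Event Details pane (Appendix A).
EVENT_TAGS = {
    "EVENT_AGENT_DOMAIN", "EVENT_AGENT_NAME", "EVENT_FACILITY",
    "EVENT_TIME_DETECTED", "EVENT_TIME_RECEIVED", "EVENT_DESCRIPTION",
    "EVENT_USER_NAME", "EVENT_ACTION", "EVENT_AGENT_ID", "EVENT_REPOSITORY_ID",
    "EVENT_OBJECT_NAME", "EVENT_ATTRIBUTE_NAME", "EVENT_OBJECTCLASS",
    "EVENT_FROM_VALUE", "EVENT_TO_VALUE",
}
# The rendered Event Details block is placed in the Main Body with this tag.
DETAILS_TAG = "EVENT_DETAILS"
# Not valid in 4.x; may survive a migration from a 3.x database.
OBSOLETE_TAGS = {"EVENT_CONTAINER_DN"}

VALID_IN: Dict[str, set] = {
    "main_body": COMMON_TAGS | {DETAILS_TAG},
    "event_details": COMMON_TAGS | EVENT_TAGS,
    "signature": set(),  # assumption: plain text only
}


def validate_panes(panes: Dict[str, str]) -> List[str]:
    """Report tags used in a pane where Appendix A does not allow them."""
    problems = []
    for pane, template in panes.items():
        for name in TAG.findall(template):
            if name in OBSOLETE_TAGS:
                problems.append(f"%{name}% is not valid in 4.x; remove it from {pane}")
            elif name not in VALID_IN[pane]:
                problems.append(f"%{name}% is not valid in the {pane} pane")
    if DETAILS_TAG not in TAG.findall(panes.get("main_body", "")):
        problems.append("main_body has no %EVENT_DETAILS%; per-event details would be dropped")
    return problems


def _substitute(template: str, values: Dict[str, str]) -> str:
    # Unknown tags stay as written so a typo shows up in the mail instead of a blank.
    return TAG.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def render_alert(panes: Dict[str, str], alert: Dict[str, str],
                 events: Iterable[Dict[str, str]]) -> str:
    """Expand Event Details once per event, splice into Main Body, append Signature."""
    details = "\n".join(_substitute(panes["event_details"], {**alert, **ev}) for ev in events)
    body = _substitute(panes["main_body"], {**alert, DETAILS_TAG: details})
    return body + "\n" + panes["signature"]


# Constructed sample templates, alert and events (not taken from the guide).
SAMPLE_PANES = {
    "main_body": ("%ALERT_TYPE% '%ALERT_NAME%' fired on %ALERT_REPOSITORY_NAME% "
                  "(%ALERT_REPOSITORY_DOMAIN%):\n%EVENT_DETAILS%"),
    "event_details": ("- %EVENT_TIME_DETECTED% %EVENT_USER_NAME% %EVENT_ACTION% "
                      "%EVENT_OBJECT_NAME% [%EVENT_ATTRIBUTE_NAME%]: "
                      "'%EVENT_FROM_VALUE%' -> '%EVENT_TO_VALUE%' (agent %EVENT_AGENT_NAME%)"),
    "signature": "-- ChangeAuditor alerting",
}
SAMPLE_ALERT = {
    "ALERT_TYPE": "Smart Alert", "ALERT_NAME": "Domain Admins membership change",
    "ALERT_REPOSITORY_NAME": "CAREPO01", "ALERT_REPOSITORY_DOMAIN": "corp.example",
}
SAMPLE_EVENTS = [
    {"EVENT_TIME_DETECTED": "2008-08-01 10:15:02", "EVENT_USER_NAME": "CORP\\jdoe",
     "EVENT_ACTION": "Modify Attribute", "EVENT_OBJECT_NAME": "Domain Admins",
     "EVENT_ATTRIBUTE_NAME": "member", "EVENT_FROM_VALUE": "",
     "EVENT_TO_VALUE": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "EVENT_AGENT_NAME": "DC01"},
    {"EVENT_TIME_DETECTED": "2008-08-01 10:15:40", "EVENT_USER_NAME": "CORP\\jdoe",
     "EVENT_ACTION": "Modify Attribute", "EVENT_OBJECT_NAME": "Domain Admins",
     "EVENT_ATTRIBUTE_NAME": "member",
     "EVENT_FROM_VALUE": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "EVENT_TO_VALUE": "", "EVENT_AGENT_NAME": "DC02"},
]

if __name__ == "__main__":
    for problem in validate_panes(SAMPLE_PANES):
        print("WARNING:", problem)
    print(render_alert(SAMPLE_PANES, SAMPLE_ALERT, SAMPLE_EVENTS))
```

Running validate_panes over the three pane texts before saving the Alert Body Setup dialog catches the two mistakes the appendix warns about: an event-only tag such as %EVENT_USER_NAME% pasted into the Main Body, and the obsolete %EVENT_CONTAINER_DN% left over from a 3.x database.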
Some of the status indicators displayed may be used by NetPro Technical Support should they need to diagnose problems. The System Tray icon may contain one or more status indicators depending on the components installed on the server and their current status. The left indicator represents the agent’s status (only available when a NetPro Compliance Agent is installed on the server) and the right indicator represents the repository’s status (only available when a ChangeAuditor Repository is installed on the server). These indicators represent the following statuses:
• Red - inactive
• Green - active
• Yellow - initializing
• Orange - agent running, but you are not authorized to access it

NOTE: If the repository and agent are active, no status indicators will be displayed. However, if both components are installed and one of the components is not active, the green indicator will be displayed along with the corresponding indicator for the component that is not active.

Repository System Tray Icon

During the repository installation process, ChangeAuditor automatically loads an icon in the system tray of each ChangeAuditor Repository. This system tray icon allows you to enable/disable the repository, display the status of the agent or repository installed on the current machine, and change the database instance and service accounts used to access the database.

By right-clicking on the ChangeAuditor icon in the System Tray, a context menu is displayed which consists of the following commands:

Agent Status (If NetPro Compliance Agent is installed)
  Use the Agent Status command to display the Agent Status Window which assists you in determining if the agent is running, what version is installed, and how active the agent is. This command is only available if an agent is installed on the same server as the repository. See ChangeAuditor Agent Status Window on page 268 for a full description of the NetPro Compliance Agent Status Window.
Enable/Disable Agent (If NetPro Compliance Agent is installed)
  Use the Enable/Disable Agent command to start or stop the NetPro Compliance Agent Service. This command is only available if an agent is installed on the same server as the repository.

Retry Connection
  If you are using the direct SQL connection instead of connecting through the repository and the agent has lost connection with the SQL database, you can use the Retry Connection command to try to reconnect to the SQL database.

Refresh Configuration
  Use the Refresh Configuration command to apply a new agent configuration to the selected agent.

View Agent Log
  Use the View Agent Log command to launch the log viewer to review the events recorded in the NetPro Compliance agent log (ChangeAuditor.dll.nptlog). For example: C:\Program Files\NetPro\Compliance\Agent\ChangeAuditor.dll.nptlog

Repository Status
  Use the Repository Status command to display the Repository Status Window which assists you in determining if the repository is running, what version is installed and how active the repository is. See ChangeAuditor Repository Status Window on page 261 for a full description of the ChangeAuditor Repository Status Window.

Enable/Disable Repository
  Use the Enable/Disable Repository command to start or stop the ChangeAuditor Repository.

Repository Database Configurator
  Use the Repository Database Configurator command to launch the Repository Configuration Tool which allows you to modify the credentials used to access the ChangeAuditor Repository database or to specify a ‘static’ port to be used for communication with the repository. See Database Configuration Utility on page 264 for a description of how to use this utility.

View Repository Log
  Use the View Repository Log command to launch the log viewer to review the events recorded in the ChangeAuditor repository log (CAADRepository.exe.nptlog). For example: C:\Program Files\NetPro\Compliance\Service\ChangeAuditor\CAADRepository.exe.nptlog

Load on Startup
  Select (check) the Load on Startup command to automatically load the system tray application when the ChangeAuditor Repository starts.

About
  Use the About command to display information about ChangeAuditor including the installed version number and licensing information.

Exit
  Use the Exit command to close the System Tray application.

ChangeAuditor Repository Status Window

The ChangeAuditor Repository Status Window helps you determine if the ChangeAuditor Repository is running and what version is installed on the server. The other status information on the window is broken down into the following sections:
• Repository Information - displays the status, version number, SCP port and installation name for the repository
• Database Information - displays the repository database server, name and size
• Agent Connections - displays the number of connected agents, active and inactive
• Events and Alerts - displays status information regarding events, alerts, and search activities

The Repository Status Window contains the following information:

Repository Information

Repository is
  This field displays the current status of the repository: Running, Initializing, Stopped or Failed. This value will normally be ‘Running’. If the credentials supplied for the database access during the ChangeAuditor Repository installation are incorrect or have expired, this field will display ‘Not Running’ indicating that the repository did not successfully start. If this happens, use the Database Configuration Utility to change the credentials used to access the database.

Installation Name
  This field displays the installation name assigned to the repository during installation.

SCP Port
  This field displays the port number assigned to the repository Service Connection Point (SCP).
Version
  This field displays the current version of the repository installed on the server.

Database Information

Server
  This field displays the name of the server where the repository resides.

Catalog
  This field displays the name assigned to the repository database during the repository installation.

Size
  This field displays the size of the ChangeAuditor Repository database.

Agent Connections

Total number of connected agents
  This field displays the total number of NetPro Compliance Agents connected to a ChangeAuditor repository, not just the current one.

Agents connected to this repository
  This field displays the number of NetPro Compliance Agents connected to this repository.

Events and Alerts

Total DB events
  This field displays the number of entries in the repository events database.

Events last 24 hours
  This field displays the number of event entries received from all NetPro Compliance Agents in the last 24 hours of repository operation.

Events yesterday
  This field displays the number of event entries received from local midnight to local midnight yesterday.

Events today
  This field displays the number of event entries received since local midnight today.

Total alerts
  This field displays the number of alerted events found in the repository events database.

Alerts last 24 hours
  This field displays the number of alerted event entries in the last 24 hours of repository operation.

Alerts yesterday
  This field displays the number of alerted event entries from local midnight to local midnight yesterday.

Alerts today
  This field displays the number of alerted event entries since local midnight today.

Database Configuration Utility

The Database Configuration utility can be used to modify the credentials used by the ChangeAuditor Repository when accessing the database. The Database Configuration utility can be accessed through the ChangeAuditor Repository system tray icon.
By right-clicking on the repository system tray icon and selecting the Repository Database Configurator command, the Repository Configuration Tool dialog will be displayed allowing you to:
• specify the credentials to be used to access the database
• change the database instance
• specify a ‘static’ port to be used to communicate with the repository

This dialog consists of two tabbed pages:
• Security
• Port

Security Page

From the Security page, you can change the database instance and service accounts used to access the database. Enter the credentials to be used to access the designated SQL server/instance as described below:

Server
  Enter the name or IP address of the SQL instance to be used (e.g., <Server Name>\<Instance Name>). You can also use the browse button to locate and select the SQL server instance.

Authentication
  This section of the dialog allows you to specify whether Windows authentication or SQL server authentication is to be used when communicating with the SQL database instance. (The authentication method is set up when SQL is installed.)

Windows Authentication
  This option is selected by default and will use Windows authentication to access the database.

SQL Server Authentication
  Select this option to use SQL Server authentication to access the database.

Credentials
  Depending on the authentication option selected above, enter the appropriate user credentials:

User
  Enter the user name for the account to be used to access the SQL server instance.

Password
  Enter the password associated with the user account entered above.

Domain
  Enter the domain name for the Windows account to be used to access the designated SQL server instance. (Only valid for Windows Authentication.)
Grant this account access to scripts directory
  If the credentials used to authenticate to the SQL instance do not have appropriate rights, selecting this option will give rights to access the SQL scripts directory to the user installing the ChangeAuditor Repository. This option is selected (checked) by default.

Database Catalog
  This text box displays the name assigned to the ChangeAuditor database.

Port Page

By default, ChangeAuditor dynamically assigns a port to each installed repository. However, using the Port page of the Repository Configuration tool, you can specify a ‘static’ SCP listening port to be used to communicate with the ChangeAuditor repository.

Repository Port
  Enter the ‘static’ port number to be used to communicate with the repository.

Agent System Tray Icon

ChangeAuditor provides an icon in the system tray which can be used to enable/disable or display the status of the NetPro Compliance Agent installed on the current server.

You can load the agent system tray icon using one of the following methods:
• Use the Advanced button on the Agent Configuration page in the Agent Deployment wizard to launch the Advanced Options dialog. From this dialog, check the Launch CAADTray on startup option.
  NOTE: By default, this check box will contain a grayed out check mark which indicates that you want to use the current setting for the agent system tray icon. That is, if you already have it set to launch on startup it will continue to operate that way. Similarly, it will not launch on startup if this is a clean install and you have not previously set it up to do so.
• Navigate to %System Root%\Program Files\NetPro\Compliance\SysTray and double-click on the CAADTray.exe file.
By right-clicking on an Agent icon in the System Tray, a context menu is displayed which consists of the following commands:

Agent Status
  Use the Agent Status command to display the Agent Status Window which assists you in determining if the agent is running, what version is installed, and how active the agent is.

Enable/Disable Agent
  Use the Enable/Disable Agent command to start or stop the NetPro Compliance Agent Service.

Load on Startup
  Select (check) the Load on Startup command to automatically load the system tray application when the NetPro Compliance Agent Service starts.

About
  Use the About command to display information about the NetPro Compliance Agent including the installed version number and licensing information.

Exit
  Use the Exit command to close the System Tray application.

ChangeAuditor Agent Status Window

The ChangeAuditor Agent Status Window helps you determine if the ChangeAuditor Agent is running and what version is installed on the domain controller. The other status information in the window is broken down into the following sections:
• Agent Information - displays the status, version number and repository installation name to which the agent is connected
• Repository Connection - displays information regarding the Repository Service the agent is connected to
• Agent Database - displays the agent’s database size and event activity information
• Agent Configuration - displays whether event logs are being monitored and whether the direct database connection is enabled or disabled
• Agent Activity - displays audited event activity and statistics

NOTE: The Agent Activity section contains indicators of internal ChangeAuditor activity and may be used by NetPro Technical Support should they need to diagnose agent problems.
This window contains the following status information:

Agent Information

Agent is
  This field displays the current agent status:
  • Running - the agent service is running
  • Initializing - the agent service has started but is still initializing
  • Not Running - the agent service is not currently running
  • Failed - the agent service failed to initialize
  • Incompatible - the agent service has not been upgraded to version 4.7 and is not operating at the same version as the repository. Once the agent is upgraded, the incompatible status is cleared. (In 4.7, SysTray changes were required to compensate for the UAC in Windows 2008; therefore, this change is ‘not compatible’ with previous versions of the agent.)

Installation name
  This field displays the installation name assigned to the repository to which the agent is connected.

Version
  This field displays the current version of the agent installed on the server.

Repository Connection

Repository
  This field displays the computer name of the ChangeAuditor Repository to which this agent is currently connected. The NetPro Compliance Agent can connect to only one repository. For more details on agent connection behavior, see Appendix A: Installation Notes and Best Practices in the ChangeAuditor Installation Guide.
  NOTE: Even if the agent is configured to use the Direct SQL Connection method, it will still display the name of the repository.

SCP Port
  This field displays the port number assigned to the repository Service Connection Point (SCP) to which the agent is connected.

Events since startup
  This field displays the number of events that have been sent to the repository since the agent was started.

Events last sent
  This field provides the local time when the last event was sent. If no events have been detected by ChangeAuditor recently, this time may be fairly old.

Status
  This field displays the current status of the agent: connected or not connected.
Acknowledged
  This field displays the number of events that the repository has acknowledged. Normally, this value will be the same as the Events since startup value. However, it may be smaller if the repository is not running or if a large number of events are being processed by the repository, which may be slowing it down. Events may also be lost due to communication problems, in which case the NetPro Compliance Agent will try to re-send the events.

Last config update
  This field displays the time when the agent last downloaded the agent configuration information/settings.

Agent Database

Agent DB size (kb)
  This field displays the size of the agent database, in kilobytes. This is dependent on the number of monitored Active Directory, registry and file system objects, and the number of events queued for transmission to the repository. If a repository is not available, this database may become large. When the events are successfully sent to a repository, the database space is re-used for subsequent events, but the displayed database size will not decrease.

DB events waiting
  This field displays the number of events in the agent database that are waiting to be forwarded to a repository. This value should be at or near zero when the server is idle, but can grow if it is busy. If the value never returns to zero, it may indicate that the agent is having difficulty communicating with the Repository Service. If this is the case, contact NetPro Technical Support for assistance.

Agent Configuration

System Event Log
  This field indicates whether the System Event Log is being monitored. Monitoring the System Event Log is an option on the Configuration Setup dialog.

Security Event Log
  This field indicates whether the Security Event Log is being monitored. Monitoring the Security Event Log is an option on the Configuration Setup dialog.

Application Event Log
  This field indicates whether the Application Event Log is being monitored.
  Monitoring the Application Event Log is an option on the Configuration Setup dialog.

Connection Type
  This field indicates whether the agent was configured to forward its audited events directly to the SQL database or go through the ChangeAuditor repository service to the SQL database. Valid entries are:
  • Direct SQL - connect directly to the SQL database rather than going through the repository
  • Repository - connect via the ChangeAuditor Repository to the SQL database
  Direct SQL connection is enabled by default and it is the recommended connection method for performance reasons, but it does require the appropriate Microsoft SQL licensing. The option to enable or disable direct SQL connections is available on the Configuration Setup dialog.

Agent Activity

NOTE: The Agent Activity section contains indicators of internal ChangeAuditor activity and may be used by NetPro Technical Support should they need to diagnose NetPro Compliance Agent problems.

AD Events
  This is the number of Active Directory-related events processed by the agent. This field will be blank for agents running on member servers.

AD EvtQ Depth
  This is the number of Active Directory-related events queued for processing. This field will be blank for agents running on member servers.

AD EvtQ Status
  This field displays the status of ChangeAuditor’s internal AD event processing queue: Running or Suspended. This field will be blank for agents running on member servers. This field will normally be “Running”. It may however be “Suspended” briefly if the agent has been overwhelmed by a large number of Active Directory changes in a short period of time and needs to limit the size of the Active Directory event queue.

AD Evts Lost
  This is the number of Active Directory events lost because the Active Directory event queue had to be stopped to limit its size or if AD EvtQ Status is suspended. This field will be blank for agents running on member servers.
This value will normally be zero, however, it may have a value greater than zero on a very busy server. A large number in this field indicates lost change information and a possible system or application problem. Please report this problem to NetPro Technical Support. Excluded Events If configured, this is the number of audited events excluded by the agent because they where made by a user or computer that was defined as an excluded account. Reg Events If configured, this is the number of Registry audited events processed by the agent. FS Events If licensed and configured, this is the number of File System audited events processed by the agent. Exch Events If licensed, this is the number of Exchange Mailbox audited events processed by the agent. System Tray Icons 272 ChangeAuditor SQL Events If licensed and configured, this is the number of SQL audited events processed by the agent. System Tray Icons ChangeAuditor 273 Appendix C: Disabled Events This appendix provides an alphabetical list of the event classes (and the ChangeAuditor facility to which they belong) that are disabled by default in ChangeAuditor. If you want to audit for these change events, use the Audit Events page on the Administration Tasks tab to enable these events. For more information on enabling events, please refer back to Enabling/Disabling Event Auditing on page 154. 
Event Class Disabled by Default | Facility
Appointment Copied by Owner | Exchange Mailbox Monitoring
Appointment Created by Owner | Exchange Mailbox Monitoring
Appointment Deleted by Owner | Exchange Mailbox Monitoring
Appointment Moved by Owner | Exchange Mailbox Monitoring
Appointment Permanently Deleted by Owner | Exchange Mailbox Monitoring
Appointment Read by Owner | Exchange Mailbox Monitoring
Audit Change Audit - Audit Started | SQL Security Audit
Audit Change Audit - Audit Stopped | SQL Security Audit
Audit Create Object Derived Permissions | SQL Security Audit
Audit Drop Object Derived Permission | SQL Security Audit
Audit Schema Object Access | SQL Security Audit
Audit Server Alter Trace | SQL Security Audit
Auto Stats | SQL Performance
Auto Stats - Async Completed | SQL Performance
Auto Stats - Async Queued | SQL Performance
Auto Stats - Async Starting | SQL Performance
Auto Stats - Sync | SQL Performance
Blocked Process Report | SQL Errors and Warnings
Broker: Message Classify - Delayed | SQL Broker Event
Calendar Opened by Non-Owner | Exchange Mailbox Monitoring
Calendar Opened by Owner | Exchange Mailbox Monitoring
Contact Copied by Owner | Exchange Mailbox Monitoring
Contact Create by Owner | Exchange Mailbox Monitoring
Contact Deleted by Owner | Exchange Mailbox Monitoring
Contact Moved by Owner | Exchange Mailbox Monitoring
Contact Permanently Deleted by Owner | Exchange Mailbox Monitoring
Contact Read by Owner | Exchange Mailbox Monitoring
Contacts Opened by Owner | Exchange Mailbox Monitoring
Degree of Parallelism - Delete | SQL Performance
Degree of Parallelism - Insert | SQL Performance
Degree of Parallelism - Select | SQL Performance
Degree of Parallelism - Update | SQL Performance
Error Logged | SQL Errors and Warnings
Event Logged | SQL Errors and Warnings
Exception | SQL Errors and Warnings
Exchange User Mailbox Opened by Non-Primary User Audit Received | Exchange User
Exec Prepared SQL | SQL TSQL
Execution Warnings - Query Timeout | SQL Errors and Warnings
Execution Warnings - Query Wait | SQL Errors and Warnings
Hotfix Rolled Back | Domain Controller Configuration
Inbox Opened by Owner | Exchange Mailbox Monitoring
Lock:Acquired | SQL Locks
Lock:Cancel | SQL Locks
Lock:Escalation | SQL Locks
Lock:Released | SQL Locks
Lock:Timeout | SQL Locks
Lock:Timeout (timeout > 0) | SQL Locks
Logon Audit Received | Custom User Monitoring
Mailbox Opened by Owner | Exchange Mailbox Monitoring
Message Copied by Owner | Exchange Mailbox Monitoring
Message Created by Owner | Exchange Mailbox Monitoring
Message Deleted by Owner | Exchange Mailbox Monitoring
Message Moved by Owner | Exchange Mailbox Monitoring
Message Permanently Deleted by Owner | Exchange Mailbox Monitoring
Message Read by Owner | Exchange Mailbox Monitoring
Object:Altered - Begin | SQL Objects
Object:Altered - Commit | SQL Objects
Object:Created - Begin | SQL Objects
Object:Created - Commit | SQL Objects
Object:Deleted - Begin | SQL Objects
Object:Deleted - Commit | SQL Objects
Performance Statistics - Cached Query Destroyed | SQL Performance
Performance Statistics - New Batch SQL Text | SQL Performance
Performance Statistics - Queries in Ad Hoc Statement Compiled | SQL Performance
Performance Statistics - Queries in Stored Procedure Compiled | SQL Performance
Prepare SQL | SQL TSQL
QN:Dynamics - Clock Run Finished | SQL Query Notifications
QN:Dynamics - Clock Run Started | SQL Query Notifications
QN:Dynamics - Master Cleanup Task Finished | SQL Query Notifications
QN:Dynamics - Master Cleanup Task Started | SQL Query Notifications
RPC:Completed | SQL Stored Procedures
RPC:Starting | SQL Stored Procedures
Scan:Started | SQL Scans
Scan:Stopped | SQL Scans
Showplan All | SQL Performance
Showplan All for Query Compile | SQL Performance
Showplan Statistics Profile | SQL Performance
Showplan Text | SQL Performance
Showplan Text (Unencoded) | SQL Performance
Showplan XML | SQL Performance
Showplan XML for Query Compile | SQL Performance
Showplan XML Statistics Profile | SQL Performance
SP:CacheHit | SQL Stored Procedures
SP:CacheHit - Compplan Hit | SQL Stored Procedures
SP:CacheHit - Execution Context Hit | SQL Stored Procedures
SP:CacheMiss | SQL Stored Procedures
SP:Completed | SQL Stored Procedures
SP:Recompile - Recompile DNR | SQL Stored Procedures
SP:Recompile - Set Option Changed | SQL Stored Procedures
SP:Recompile - Statistics Changed | SQL Stored Procedures
SP:Starting | SQL Stored Procedures
SP:StmtCompleted | SQL Stored Procedures
SP:StmtStarting | SQL Stored Procedures
SQL Transaction Begin | SQL Transactions
SQL Transaction Commit | SQL Transactions
SQL Transaction Rollback | SQL Transactions
SQL Transaction Savepoint | SQL Transactions
SQL:BatchCompleted | SQL TSQL
SQL:BatchStarting | SQL TSQL
SQL:FullTextQuery | SQL Performance
SQL:StmtCompleted | SQL TSQL
SQL:StmtRecompile - Deferred Compile | SQL TSQL
SQL:StmtRecompile - Set Option Changed | SQL TSQL
SQL:StmtRecompile - Statistics Changed | SQL TSQL
SQL:StmtStarting | SQL TSQL
Task Copied by Owner | Exchange Mailbox Monitoring
Task Created by Owner | Exchange Mailbox Monitoring
Task Deleted by Owner | Exchange Mailbox Monitoring
Task Moved by Owner | Exchange Mailbox Monitoring
Task Permanently Deleted by Owner | Exchange Mailbox Monitoring
Task Read by Owner | Exchange Mailbox Monitoring
Tasks Opened by Owner | Exchange Mailbox Monitoring
TransactionLog | SQL Transactions
Unprepare SQL | SQL TSQL
User badPasswordTime Changed | Custom User Monitoring
User badPwdCount Changed | Custom User Monitoring
User Error Message | SQL Errors and Warnings
XQuery Static Type | SQL TSQL