
Programmatically Retrieve Search Results

Howdy. Curious if Change Auditor has a mechanism to programmatically retrieve search results. The PowerShell module seems more for management of Change Auditor and I've not found any information on a REST or SOAP interface. Wondering if this functionality exists?

Chad

  • Change Auditor now has the ability to export events to Splunk where they can then be programmatically acquired from that platform.

    Also, it can post events to a WMI interface on the Change Auditor Coordinator.  This is probably more practical for alerting type scenarios rather than bulk acquisition of Search results.

    Here's what a sample WMI-posted event looks like: (more comments below the sample event)

    __GENUS : 2
    __CLASS : CAAD_Event
    __SUPERCLASS :
    __DYNASTY : CAAD_Event
    __RELPATH : CAAD_Event.EventID="381de601-7cc4-a357-676a-786052653a12"
    __PROPERTY_COUNT : 124
    __DERIVATION : {}
    __SERVER : ARS69
    __NAMESPACE : ROOT\Dell\ChangeAuditor
    __PATH : \\ARS69\ROOT\Dell\ChangeAuditor:CAAD_Event.EventID="381de601-7cc4-a357-676a-786052653a12"
    Action : ActionModAttribute
    ADAMAttributeName :
    ADAMConfigurationSet :
    ADAMInstanceName :
    ADAMObjectCanonical :
    ADAMObjectClass :
    ADAMObjectName :
    ADAMObjectOU :
    ADAMPartitionName :
    Agent : COMPANYA-DC
    AgentID : 66c71eb5-a583-4421-9e3c-cf61bc67c14a
    AgentType : DC
    Attribute : mail
    Comment :
    Description :
    DirectoryObjectCanonical : companya.local/Train/Student11User
    DirectoryObjectID : 364b24f7-2922-4177-995c-5257a14395f7
    DirectoryObjectName : companya.local/Train/Student11User
    DirectorySignSeal : true
    DirectorySslTls : false
    DomainName : COMPANYA
    EventClassID : 345b9516-b56e-4c55-8046-ba7521e71048
    EventClassLink :
    EventID : 381de601-7cc4-a357-676a-786052653a12
    EventSource : Change Auditor
    Facility : FacilityCustomObjectMonitoring
    FileName :
    FileServer :
    FileSystemTypeID : 0
    FolderPath :
    ForestName : companya.local
    FromValue : student11@companya.local
    InitiatorSID :
    InitiatorUserName :
    LDAPQueryAttributes :
    LDAPQueryElapsed : 0
    LDAPQueryFilter :
    LDAPQueryObjectCanonical : compooanya.local/Train/Student11User
    LDAPQueryOccurrences : 0
    LDAPQueryResults : 0
    LDAPQueryScope :
    LDAPQuerySince :
    LDAPQueryType :
    LogonID :
    Message : mail attribute was changed for user companya.local/Train/Student11User
    MissingNew : False
    MissingOld : False
    ObjectClass : user
    ObjectName : companya.local/Train/Student11User
    OrganizationalUnit : Train
    OSVersion : Windows Server 2008 R2 Enterprise
    ParentDirectoryObjectID : 29c79a42-86f7-411f-ae47-0e211e48415f
    PolicyItem :
    PolicyName :
    PolicySection :
    PrimarySID :
    PrincipalName :
    PrincipalType : 0
    ProcessName :
    RegistryKey :
    RegistryValue :
    ResultID : 1
    ResultName : ResultSuccess
    SamAccountName :
    SCOMSeverity : 1
    ServiceDisplayName :
    ServiceName :
    SeverityName : SeverityMedium
    ShareName :
    SharePointFarmName :
    SharePointItemName :
    SharePointItemURL :
    SharePointListName :
    SharePointListPath :
    SharePointWebName :
    SharePointWebURL :
    SiteName : Default-First-Site-Name
    SQLApplicationName :
    SQLClientProcessID : 0
    SQLDatabaseID : 0
    SQLDatabaseName :
    SQLEventClass : 0
    SQLEventSubClass : 0
    SQLHostName :
    SQLInstanceName :
    SQLIsSystem : 0
    SQLLinkedServerName :
    SQLObjectID : 0
    SQLObjectID2 : 0
    SQLObjectType : 0
    SQLOwnerID : 0
    SQLOwnerName :
    SQLParentName :
    SQLProviderName :
    SQLRowCounts : 0
    SQLSessionLoginName :
    SQLSPID : 0
    SQLSuccess : 0
    SQLTextData :
    SubSystem : Directory
    TimeDetected : 2016-05-18T20:40:33.308Z
    TimeOfDay : 1240
    TimeReceived : 2016-05-18T20:40:41.630Z
    TimeZoneOffset : -420
    ToValue : student11a@companya.local
    TransactionID :
    TransactionStatus :
    UserAccount :
    UserAddress : ARS69
    UserAddressIPv4 : 192.168.1.40
    UserAddressIPv6 : fe80::7161:2645:c8ae:98ba
    UserDisplay : ActiveRoles Mailbox
    UserDomain :
    UserName : COMPANYA\svc_ars
    UserPrincipalName :
    UserSID : S-1-5-21-3587032830-3613793534-2785258752-3403
    VMWareComputeResource :
    VMWareDataCenter :
    VMWareDS :
    VMWareDVS :
    VMWareHost :
    VMWareNet :
    VMWareVM :
    VMWareVMWareHostName :
    PSComputerName : ARS69

    If you describe your use case in a bit more detail, perhaps other suggestions can be provided.
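    The following is an added example, not code from the original thread or from Quest. It shows one way to consume the WMI interface described above from a PowerShell script on (or with CIM access to) the Coordinator: it subscribes to the CAAD_Event class in the ROOT\Dell\ChangeAuditor namespace, both taken from the sample event, keeps only the fields a portal page would need, and appends them as JSON lines to a file the portal can query. Everything else is an assumption and labelled as such in the code: that CAAD_Event is exposed as a subscribable (extrinsic) event class, the Coordinator host name, the output path, and the WQL filter on SubSystem.

```powershell
# Added example (not from the original post or from Quest). Subscribes to the
# Change Auditor WMI event class shown in the sample event and writes selected
# fields to a JSON-lines file for a portal to read.
# Assumptions: CAAD_Event can be subscribed to with a WQL query (extrinsic
# event class); the host name, output path and filter below are placeholders.

param(
    [string]$Coordinator = 'CA-COORDINATOR',                 # placeholder host name
    [string]$OutFile     = 'C:\PortalFeeds\ca-events.jsonl', # placeholder path
    [string]$Namespace   = 'ROOT\Dell\ChangeAuditor',        # namespace from the sample event
    [string]$EventClass  = 'CAAD_Event'                      # class from the sample event
)

# The raw event carries 124 properties; keep only what the portal page needs.
$wanted = 'EventID', 'TimeDetected', 'Action', 'Facility', 'Message',
          'ObjectName', 'Attribute', 'FromValue', 'ToValue',
          'UserName', 'UserDisplay', 'UserAddressIPv4', 'Agent',
          'ResultName', 'SeverityName'

$session = New-CimSession -ComputerName $Coordinator

# Filter server-side. SubSystem is a property in the sample event; the exact
# Facility/Action values for account-lockout events are not shown in the
# thread, so narrow this once you have seen a real lockout event.
$query = "SELECT * FROM $EventClass WHERE SubSystem = 'Directory'"

$handler = {
    # For CIM indication events the delivered instance is in NewEvent.
    $e = $Event.SourceEventArgs.NewEvent
    $record = [ordered]@{}
    foreach ($name in $Event.MessageData.Wanted) {
        $record[$name] = $e.$name
    }
    $record | ConvertTo-Json -Compress |
        Add-Content -Path $Event.MessageData.OutFile -Encoding UTF8
}

Register-CimIndicationEvent -CimSession $session -Namespace $Namespace -Query $query `
    -SourceIdentifier 'CAEvents' -Action $handler `
    -MessageData @{ Wanted = $wanted; OutFile = $OutFile }

Write-Host "Subscribed to $EventClass on $Coordinator; appending to $OutFile (Ctrl+C to stop)."
try {
    while ($true) { Start-Sleep -Seconds 60 }
}
finally {
    Unregister-Event -SourceIdentifier 'CAEvents' -ErrorAction SilentlyContinue
    Remove-CimSession $session
}
```

    Two practical notes. First, this matches Johnny's point that the WMI path suits alerting more than bulk retrieval: the script only sees events raised after it subscribes, so for a "recent lockouts" page it has to run continuously and the portal reads the accumulated file rather than querying Change Auditor on demand. Second, read the initiator fields with care: in the sample event UserName is COMPANYA\svc_ars and UserDisplay is "ActiveRoles Mailbox", i.e. a change made through a proxy service shows the service account as the actor, so a lookup page that attributes changes to people should surface UserDisplay and UserAddressIPv4 alongside UserName rather than UserName alone.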

  • Thanks for the quick response Johnny.

    Here's a little background on the specific use case. We have a custom web portal for our Service Desk and Deskside teams which provides various tools and reporting in one place with a consistent user interface. The goal is to add a page which allows these teams to enter a username to query Change Auditor for the origin of recent account lockouts.

    Chad

