Gather Change Auditor events

Hello all,

I would like to ask if someone can provide a very high level bullets style guide with all the necessary steps on how i can gather and report events from CA. For example:

  • Install InTrust agent at CA server
  • From the InTrust manager go to Sites and configure the "All Change Auditor Coordinator computers"
  • ...
  • ...

Thank you.

  • Hi Alexandros,

    Which CA modules do you currently have deployed/licensed?

    Depending on which CA modules are in use will depict how to best manage your InTrust collections.

    Searching + scheduled reports are handled by Repository Viewer. Searching can also be done from IT Security Search if you have it deployed.

  • InTrust can collect any native Windows Event Log, including CA Windows Event Log generated by CA Agent on the audited Windows Server.
    (example) Audit DC. CAAD Agent is installed on DC. The CA agent settings turned on to generate generates CAAD Windows Event Log.
    InTrust Agent collects CAAD Windows Event Log (alone with Security, System, Application event logs etc.) into \\Share\Repository for Long term storage "untampered platform log"
    Now you can view the \\Repository via (a) InTrust Repository Viewer UI - raw Event Log, (b) ITSearch UI (analytics etc.) .
  • Hi Alexandros,

    Three answers are better than one, so I also have a try. :)

    InTrust has now two different ways of collecting events and three ways to analyze them.
    Since you mentioned InTrust Manager objects, I will describe a "traditional" scheduled gathering.
    In InTrust Manager there's a lot of types of configuration objects, and they should be populated and bound with each other to start working. Out of the box InTrust has predefined objects that are already bound, and in general case you just need to populate the site with network objects and enable a task.

    Gathering is driven by tasks. Inside the task resides one or several jobs.
    Let's focus on "CA for AD" objects.
    In InTrust Manager open "Workflow/Tasks/Change Auditor for Active Directory/Change Auditor for Active Directory: Scheduled log gathering and reporting".
    In the right pane you will see three jobs that belong to this task.

    The first job is "Change Auditor for AD log gathering". If you click on "Gathering" at the bottom of the right pane, you'll see that the job uses "Change Auditor for Active Directory: All Events" policy, gathers from "Domain Controllers (installed Change Auditor for Active Directory service)" site, and sends events to Default InTrust Repository and Default InTrust Database (you may use different). All that you definitely MUST do here is to populate the site with computers from your environment. Open the site "Configuration/Sites/Microsoft Windows Network/Domain Controllers (installed Change Auditor for Active Directory service)" properties and on the "Objects" tab add your DCs separately by names or using "All Domain Controllers in..." object. Also make sure that the account that you use for InTrust services has administrative rights on that DCs, otherwise specify such account on site's "Accounts" tab.

    The second job in the task is SSRS reporting "Change Auditor for AD report compilation", should be already populated with reports which you may see (and pick) on "Reporting" tab. On the "Delivery" tab you may choose the delivery method, most common is upload a resulting report to InTrust Report share.

    The third job is "Default Audit Database Cleanup". The database with events may grow very fast, it's recommended to use it only for report compilation and then clean-up everything.

    Since you reviewed all jobs in the task and populated the site with your DCs, everything is ready to start gathering. Open the "Change Auditor for Active Directory: Scheduled log gathering and reporting" task properties, modify the schedule if needed (daily by default) and set "Schedule Enabled". Go to InTrust Manager root and "Right Click/Commit" your changes. When the task starts on schedule, it goes to DCs, installs agents, sends jobs to them according to the gathering policy, gathers events to the specified storage (repository and/or database), prepares reports on SSRS, upload them to a share, and cleans-up the db.

    In the similar way you can use all other predefined tasks, "CA for File Servers" for example.
    As I mentioned in the beginning and also as Chris said, there are other ways to collect and analyze CA events, we have InTrust Deployment Manager that uses only Repository and look much simpler than the object model in InTrust Manager, we have Repository Viewer that can prepare simple (plain) reports without SSRS, and also we have IT Security Search product that can access CA database directly, but these are another stories.
  • Thank you very much all of you.

    So if i want to gather CA events i must point (through a Site) the machines with the CA agents and not the CA server itself. There i was a little confused.