Dell Change Auditor 6.5. Event Reference Guide

Transcription

1 Dell Change Auditor 6.5

2 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of Dell Inc. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Dell Inc. Attn: LEGAL Dept 5 Polaris Way Aliso Viejo, CA Refer to our web site (software.dell.com) for regional and international office information. Patents This product is protected by U.S. Patents # 7,979,494; 8,185,598; 8,266,231; and 8,650,578. Additional Patents Pending. Trademarks Dell, the Dell logo, GPOADmin, SonicWALL and InTrust are trademarks of Dell Inc. Microsoft, Active Directory, ActiveSync, Excel, Internet Explorer, Lync, Office 365, OneDrive, Outlook, SharePoint, SQL Server, Windows, Windows PowerShell and Windows Server are either registered trademarks or trademarks of the Microsoft Corporation in the United States and/or other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries. EMC, Celerra, Isilon, VNX, and VNXe are registered trademarks of EMC Corporation. VMware, ESX, ESXi, and vcenter are registered trademarks or trademarks of VMware, Inc. in the United States or other countries. Safari and icloud are registered trademarks of Apple Inc. Amazon Cloud Drive is a trademark of Amazon.com, Inc. or its affiliates. Blackberry and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around world. Used under license from Research In Motion Limited. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others. Legend CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed. WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death. IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information. Change Auditor Updated - July 2014 Software Version - 6.5

3 Contents Introduction Change Auditor Events Change Auditor Internal Auditing Custom Registry Monitoring Fault Tolerance Local Group Monitoring Local User Monitoring Service Monitoring System Events VMware Account VMware Alarm VMware Authorization VMware Cluster VMware Custom Field VMware Datacenter VMware DataStore VMware DVPortgroup VMware Dvs VMware Generic VMware Host VMware License VMware Profile VMware Resource Pool VMware Scheduled Task VMware Session VMware Task VMware Upgrade VMware Upgrade VMware Virtual Machine Log Events Change Auditor Coordinator Service event log Change Auditor Service event log Registry events Local Groups events Service events About Dell Contacting Dell Technical Support Resources

4 1 Introduction Dell Change Auditor provides total auditing and security coverage for the enterprise including Active Directory, Exchange, Windows file servers, SQL Server, NetApp filers, EMC file servers, VMware vcenter, SharePoint, and Microsoft Lync. Change Auditor audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know who made the change including the IP address of the originating workstation, where and when it occurred along with before and after values. Then automatically turn that information into intelligent, in-depth forensics for auditors and management and reduce the risks associated with day-to-day operations. Change Auditor uses a modular approach which allows for separate product deployment and management for key environments including: Active Directory Active Directory Query EMC Exchange Logon Activity Lync NetApp SharePoint SQL Server Windows File Servers Additional Change Auditor auditing modules allow you to track, audit, report and alert on critical changes made using the following Dell products: Dell One Identity Authentication Services Dell One Identity Defender Dell SonicWALL NOTE: Each of these Change Auditor auditing modules require a separate license in order to capture their associated events. In addition to real-time event auditing, you can also enable event logging to capture many of the Change Auditor events locally in a Windows event log. These event logs can then be collected using Dell InTrust to satisfy long-term storage requirements. This document lists the core audited events available in Change Auditor regardless of the Change Auditor product license that is applied. Separate event reference guides are provided which list the additional events that are available when the different Change Auditor auditing modules are licensed. The following is a complete list of Change Auditor event reference guides. Refer to the appropriate guide for the events available with each Change Auditor license. Dell Change Auditor Dell Change Auditor for Active Directory Dell Change Auditor for Exchange 4

5 Dell Change Auditor for Windows File Servers Dell Change Auditor for EMC Dell Change Auditor for NetApp Dell Change Auditor for SQL Server Dell Change Auditor for Dell Authentication Services Dell Change Auditor for Defender Dell Change Auditor for SharePoint Dell Change Auditor for Logon Activity Dell Change Auditor for SonicWALL Dell Change Auditor for Lync 5

6 2 Change Auditor Events This chapter lists the audited events available in Change Auditor regardless of the Change Auditor product license that is applied. Audited events are listed in alphabetical order by facility: Change Auditor Internal Auditing Custom Registry Monitoring Fault Tolerance Local Group Monitoring Local User Monitoring Service Monitoring System Events VMware Account VMware Alarm VMware Authorization VMware Cluster VMware Custom Field VMware Datacenter VMware DataStore VMware DVPortgroup VMware Dvs VMware Generic VMware Host VMware License VMware Profile VMware Resource Pool VMware Scheduled Task VMware Session VMware Task VMware Upgrade VMware Upgrade VMware Virtual Machine IMPORTANT: When expecting large numbers of events, it may be necessary to increase the Max Events per Connection setting in the Change Auditor client (Agent Configuration on the Administration Tasks tab) to avoid an ever-increasing backlog of events waiting to be sent from the agent to the coordinator database. 6

7 NOTE: To view a complete list of all the Change Auditor events, open the Audit Events page on the Administration Tasks tab in the Change Auditor client. This page contains a list of all the events available for auditing by Change Auditor. It also displays the facility to which the event belongs, the severity assigned to each event, if the event is enabled or disabled, and the type of Change Auditor license that is required to capture each event. NOTE: For more information about an audited event, access the Change Auditor knowledge base by rightclicking an event in a Search Results page or Audit Events page (Administration Tasks tab), and selecting the Knowledge Base menu command. The Change Auditor knowledge base entries include information about how Change Auditor detected the event, what the changed parameter controls, and the consequences of such a change. Change Auditor Internal Auditing Table 1. Change Auditor Internal Auditing events Active Directory Protection Added Active Directory Protection Changed Active Directory Protection Disabled Active Directory Protection Enabled Active Directory Protection Removed AD Query Container Added AD Query Container Disabled AD Query Container Enabled AD Query Container Removed ADAM Attribute Severity Changed ADAM Monitoring Point Added ADAM Monitoring Point Removed ADAM Monitoring Scope Disabled ADAM Monitoring Scope Enabled ADAM Protection Added Created when an Active Directory protection template is added to Change Auditor. Created when an Active Directory protection template is modified. Created when an Active Directory protection template is disabled. Created when an Active Directory protection template is enabled. Created when an Active Directory protection template is removed from Change Auditor. Created when a container is added to the Excluded AD Query list. Created when a container is disabled on the Excluded AD Query list. Created when a container is enabled on the Excluded AD Query list. Created when a container is removed from the Excluded AD Query list. Created when the severity for a monitored ADAM (AD LDS) attribute is changed. Created when an ADAM (AD LDS) instance and associated object classes are added to the Change Auditor auditing scope. Created when an ADAM (AD LDS) instance and associated object classes are removed from the Change Auditor auditing scope. Created when the auditing of an ADAM (AD LDS) object is disabled. Created when the auditing of an ADAM (AD LDS) object is enabled. Created when an ADAM (AD LDS) protection template is added to Change Auditor. 7

8 Table 1. Change Auditor Internal Auditing events ADAM Protection Changed ADAM Protection Disabled ADAM Protection Enabled ADAM Protection Removed Administration Account Added to Active Directory Protection Administration Account Added to Group Policy Protection Administration Account Removed from Active Directory Protection Administration Account Removed from Group Policy Protection Agent Added to EMC Auditing Agent Added to Exchange Online Auditing Created when an ADAM (AD LDS) protection template is modified. Created when an ADAM (AD LDS) protection template is disabled. Created when an ADAM (AD LDS) protection template is enabled. Created when an ADAM (AD LDS) protection template is removed from Change Auditor. Created when an administration account is added to an Active Directory protection template. Created when an administration account is added to a Group Policy protection template. Created when an administration account is removed from an Active Directory protection template. Created when an administration account is removed from a Group Policy protection template Created when a Change Auditor agent is added to an EMC Auditing template. Created when a Change Auditor agent is added to an Exchange Online Auditing template. Agent Added to NetApp Auditing Created when a Change Auditor agent is added to a NetApp Auditing template. Agent Added to SharePoint Auditing Agent Added to VMware Auditing Agent Configuration AD Query Delay Changed Agent Configuration AD Query Elapsed Changed Agent Configuration AD Query Results Changed Agent Configuration Added Agent Configuration Agent Load Threshold Changed Agent Configuration Assignment Changed Agent Configuration Connection Days Changed Created when a Change Auditor agent is added to a SharePoint Auditing template. Created when a Change Auditor agent is added to a VMware Auditing template. Created when the AD Query auditing delay setting (Discard duplicate queries that occur within nn minutes) is changed for an agent configuration definition. (AD Query tab on the Configuration Setup dialog.) Created when the AD Query auditing elapsed setting (Discard queries taking less than nn milliseconds) is changed for an agent configuration definition. (AD Query tab on the Configuration Setup dialog.) Created when the AD Query auditing results setting (Discard query results less than nn records) is changed for an agent configuration definition. (AD Query tab on the Configuration Setup dialog.) Created when a new agent configuration definition is added to Change Auditor. Created when the agent load threshold for an agent configuration definition is modified. (System Settings tab on the Configuration Setup dialog.) Created when the configuration assignment for a Change Auditor agent is changed. Created when the allowed connection days setting is changed for an agent configuration definition. (System Settings tab on the Configuration Setup dialog.) 8

9 Table 1. Change Auditor Internal Auditing events Agent Configuration Connection From Time Changed Agent Configuration Connection To Time Changed Agent Configuration Exchange Auditing Delay Changed Agent Configuration File System Auditing Changed Agent Configuration File System Auditing Delay Changed Agent Configuration Forwarding Interval Changed Agent Configuration Max Events per Connection Changed Agent Configuration Polling Interval Changed Agent Configuration Removed Agent Configuration Renamed Agent Configuration Retry Interval Changed Agent Configuration SonicWALL AppFlow Port Changed Agent Configuration SonicWALL Data Cache Interval Changed Agent Configuration SonicWALL Processing Idle Time Changed Agent Configuration SonicWALL Processing Interval Changed Agent Configuration SonicWALL Purge Idle Time Changed Created when the allowed connection from time setting is changed for an agent configuration definition. (System Setting tab on the Configuration Setup dialog.) Created when the allowed connection to time setting is changed for an agent configuration definition. (System Settings tab on the Configuration Setup dialog.) Created when the Exchange Events setting (Discard duplicates that occur within nn seconds) is changed for an agent configuration definition. (Exchange tab on the Configuration Setup dialog.) Created when the file system auditing setting (Audit all configured, including duplicates) is changed for an agent configuration definition. (Exchange tab on the Configuration Setup dialog.) Created when the file system auditing delay setting (Discard duplicates that occur within nn seconds) is changed for an agent configuration definition. (Exchange tab on the Configuration Setup dialog.) Created when the forwarding interval is changed in a Change Auditor Agent configuration definition. (System Settings tab on the Configuration Setup dialog.) Created when the maximum events per connection setting is changed for an agent configuration definition. (System Settings tab on the Configuration Setup dialog.) Created when the polling interval is changed for an agent configuration definition. (System Settings tab on the Configuration Setup dialog.) Created when an agent configuration definition is removed from Change Auditor. Created when an agent configuration is renamed in Change Auditor. Created when the retry interval is changed for an agent configuration definition. (System Settings on the Configuration Setup dialog.) Created when the AppFlow port is changed for an agent configuration definition. (SonicWALL tab on the Configuration Setup dialog.) Created when the Data Cache Interval setting is changed for an agent configuration definition. (SonicWALL tab on the Configuration Setup dialog.) Created when the Processing Idle Time setting is changed for an agent configuration definition. (SonicWALL tab on the Configuration Setup dialog.) Created when the Processing Interval setting is changed for an agent configuration definition. (SonicWALL tab on the Configuration Setup dialog.) Created when the Purge Idle Time setting is changed for an agent configuration definition. (SonicWALL tab on the Configuration Setup dialog.) 9

10 Table 1. Change Auditor Internal Auditing events Agent Configuration SonicWALL Purge Interval Changed Agent Configuration VMware Polling Interval Changed Agent Heartbeat Check Disabled Agent Heartbeat Check Enabled Agent Heartbeat Check Minutes Changed Agent Removed from EMC Auditing Agent Removed from Exchange Online Auditing Agent Removed from NetApp Auditing Agent Removed from SharePoint Auditing Agent Removed from VMware Auditing Agent Service has more than 100 Events Waiting Agent Service has Reached a Critical Load Agent Service has Returned to Normal Operations Attribute Added to Active Directory Protection Attribute Added to ADAM Monitoring Attribute Added to ADAM Protection Attribute Added to Monitoring Attribute Removed from Active Directory Protection Attribute Removed from ADAM Monitoring Attribute Removed from ADAM Protection Attribute Removed from Monitoring Created when the Purge Interval setting is changed for an agent configuration definition. (SonicWALL tab on the Configuration Setup dialog.) Created when the VMware polling interval is changed for an agent configuration definition. (VMware tab on the Configuration Setup dialog.) Created when the Coordinator should try to restart agent service if an agent goes offline check box is cleared in the Agent Heartbeat Check pane of the Coordinator Configuration page. Created when the Coordinator should try to restart agent service if an agent goes offline check box is selected in the Agent Heartbeat Check pane of the Coordinator Configuration page. Created when the Agent Heartbeat Check setting (Agent goes offline after being inactive for nn minutes) on the Coordinator Configuration page is modified. Created when a Change Auditor agent is removed from an EMC Auditing template. Created when a Change Auditor agent is removed from an Exchange Online Auditing template. Created when a Change Auditor agent is removed from a NetApp Auditing template. Created when a Change Auditor agent is removed from a SharePoint Auditing template. Created when a Change Auditor agent is removed from a VMware Auditing template. Created when the agent has more than 100 events waiting. Created when the agent has reached a critical load and one or more events may have been lost. Created when the agent has returned to normal operations. Created when an individual attribute is added to an Active Directory protection template. Created when an attribute is added to an ADAM (AD LDS) object s auditing scope in Change Auditor. Created when an attribute is added to an ADAM (AD LDS) protection template. Created when an attribute is added to a directory object s auditing scope in Change Auditor. Created when an attribute is removed from an Active Directory protection template. Created when an attribute is removed from an ADAM (AD LDS) object s auditing scope in Change Auditor. Created when an attribute is removed from an ADAM (AD LDS) protection template. Created when an attribute is removed from an object s auditing scope in Change Auditor. High 10

11 Table 1. Change Auditor Internal Auditing events Attribute Severity Changed Created when the severity for an attribute is changed on the Attribute Auditing page in the Administration Tasks tab. Audit Event Description Changed Created when the description is changed for a Change Auditor audited event. Audit Event Disabled Created when an event is disabled. Audit Event Enabled Created when an event is enabled. Audit Event Results Changed Created when the results setting for an audit event is changed on the Audit Events page. Audit Event Severity Changed Created when the severity level for a Change Auditor audit event is changed. Auditing Disabled for EMC Path Created when auditing of an individual audit path (i.e., file, folder or volume) is disabled in an EMC Auditing template. Auditing Disabled for File System Path Auditing Disabled for NetApp Path Auditing Disabled for Registry Object Auditing Disabled for Service Auditing Disabled for SharePoint Path Auditing Disabled for SonicWALL Cloud Storage Site Auditing Disabled for SonicWALL Web Site Path Auditing Disabled for SQL Instance Auditing Enabled for EMC Path Auditing Enabled for File System Path Auditing Enabled for NetApp Path Auditing Enabled for Registry Object Auditing Enabled for Service Auditing Enabled for SharePoint Path Auditing Enabled for SonicWALL Cloud Storage Site Created when auditing of an individual file path is disabled in a File System Auditing template. Created when auditing of an individual audit path (i.e., file, folder or volume) is disabled in a NetApp Auditing template. Created when auditing of an individual registry object is disabled in a Registry Auditing template. Created when auditing of an individual service is disabled in a Service Auditing template. Created when auditing of an individual SharePoint path is disabled in a SharePoint Auditing template. Created when auditing of an individual cloud storage site is disabled in a SonicWALL Cloud Storage Auditing template. Created when auditing of an individual web site url is disabled in a SonicWALL Web Site Auditing template. Created when auditing of an individual SQL instance is disabled in a SQL Auditing template. Created when auditing of an individual audit path (i.e., file, folder or volume) is enabled in an EMC Auditing template. Created when auditing of an individual file path is enabled in a File System Auditing template. Created when auditing of an individual audit path (i.e., file, folder or volume) is disabled in a NetApp Auditing template. Created when auditing of an individual registry object is enabled in a Registry Auditing template. Created when auditing of an individual service is enabled in a Service Auditing template. Created when auditing of an individual SharePoint path is enabled in a SharePoint Auditing template. Created when auditing of an individual cloud storage site is enabled in a SonicWALL Cloud Storage Auditing template. 11

12 Table 1. Change Auditor Internal Auditing events Auditing Enabled for SonicWALL Web Site Path Auditing Enabled for SQL Instance Created when auditing of an individual web site url is enabled in a SonicWALL Web Site Auditing template. Created when auditing of an individual SQL instance is enabled in a SQL Auditing template. Dell Change Auditor Agent Restarted Created when a Change Auditor agent is restarted. Dell Change Auditor Agent Set Uninstalled Created when a Change Auditor agent is set as uninstalled. Dell Change Auditor Agent Started Created when a Change Auditor agent is started. Dell Change Auditor Agent Stopped Created when a Change Auditor agent is stopped. Dell Change Auditor Coordinator Set Uninstalled Reply To Changed Subject Changed Created when a Change Auditor coordinator is set as uninstalled. Created when the Reply To address is changed in the SMTP Configuration pane of the Coordinator Configuration page. Created when the Subject line is changed in the SMTP Configuration pane of the Coordinator Configuration page. EMC Auditing cepp.conf Changed Created when the cepp.conf configuration file is changed using the EMC Auditing wizard. EMC Auditing Added Created when a new EMC Auditing template is added to Change Auditor. EMC Auditing Disabled Created when an EMC Auditing template is disabled. EMC Auditing Enabled Created when an EMC Auditing template is enabled. EMC Auditing Removed Created when an EMC Auditing template is removed from Change Auditor. EMC Path Added to Auditing EMC Path Changed in Auditing EMC Path Removed from Auditing Event Logging Changed Exchange Container Added to Protection Exchange Container Removed from Protection Exchange Mailbox Added to Monitoring Exchange Mailbox Attribute Changed Exchange Mailbox Disabled Exchange Mailbox Enabled Created when an audit path (i.e., file, folder or volume) is added to an EMC Auditing template. Created when an audit path (i.e., file, folder or volume) is changed in an EMC Auditing template. Created when an audit path (i.e., file, folder or volume) is removed from an EMC Auditing template. Created when event logging is modified (enabled or disabled) in Change Auditor. Created when an Exchange container is added to an Exchange Mailbox Protection template. Created when an Exchange container is removed from an Exchange Mailbox Protection template. Created when an Exchange mailbox is added to the Exchange Mailbox Auditing list. Created when the scope of coverage or the Non-owner vs. Non-owner or Owner value is changed for a directory object that is included in the Exchange Mailbox Auditing list. Created when the auditing of a directory object s mailbox is disabled in the Exchange Mailbox Auditing list. Created when the auditing of a directory object s mailbox is enabled in the Exchange Mailbox Auditing list. 12

13 Table 1. Change Auditor Internal Auditing events Exchange Mailbox Removed from Monitoring Created when an Exchange mailbox is removed from the Exchange Mailbox Auditing list. Exchange Online Auditing Added Created when an Exchange Online Auditing template is added to Change Auditor. Exchange Online Auditing Disabled Exchange Online Auditing Enabled Exchange Online Auditing Removed Exchange Online Mailbox Added to Monitoring Exchange Online Mailbox Removed from Monitoring Exchange Password Changed Exchange Protection Added Exchange Protection Disabled Exchange Protection Enabled Exchange Protection Removed Exchange Shared Mailbox Auto Detection Disabled Exchange Shared Mailbox Auto Detection Enabled Exchange User Defined Shared Mailbox Added Exchange User Defined Shared Mailbox Attribute Changed Exchange User Defined Shared Mailbox Disabled Exchange User Defined Shared Mailbox Enabled Exchange User Defined Shared Mailbox Removed Excluded Account Added to Exclusion Accounts List Excluded Account Event Class Added to Monitoring Excluded Account Event Class Removed from Monitoring Excluded Account Facility Added to Monitoring Created when an Exchange Online Auditing template is disabled. Created when an Exchange Online Auditing template is enabled. Created when an Exchange Online Auditing template is removed from Change Auditor. Created when an Exchange Online mailbox is added to an Exchange Online Auditing template. Created when an Exchange Online mailbox is removed from an Exchange Online Auditing template. Created when the password associated with the Exchange host specified in the SMTP Configuration pane of the Coordinator Configuration page is modified. Created when an Exchange Mailbox Protection template is added to Change Auditor. Created when an Exchange Mailbox Protection template is disabled. Created when an Exchange Mailbox Protection template is enabled. Created when an Exchange Mailbox Protection template is removed from Change Auditor. Created when the automatic detection of shared mailboxes feature is disabled in Change Auditor. Created when the automatic detection of shared mailboxes feature is enabled in Change Auditor. Created when a shared mailbox is added to the Exchange Mailbox Auditing list. Created when the scope of coverage or the Non-owner vs. Non-owner or Owner value is modified for a shared mailbox that is included in the Exchange Mailbox auditing list. Created when the auditing of a shared mailbox is disabled in the Exchange Mailbox Auditing list. Created when the auditing of a shared mailbox is enabled in the Exchange Mailbox Auditing list. Created when a shared mailbox is removed from the Exchange Mailbox Auditing list. Created when an excluded account is added to the Change Auditor auditing scope. Created when a new event is added to an Excluded Accounts template. Created when an event is removed from an Excluded Accounts template. Created when a facility (including all of the events in the facility) is added to an Excluded Accounts template. 13

14 Table 1. Change Auditor Internal Auditing events Excluded Account Facility Removed from Monitoring Excluded Account Removed from Exclusion Accounts List Excluded Account Added Excluded Account Added to Agent Configuration Excluded Account Removed Excluded Account Removed From Agent Configuration File Protection Added to Agent Configuration File System Auditing Added File System Auditing Added to Agent Configuration File System Auditing Disabled File System Auditing Enabled File System Auditing Removed File System Auditing Removed from Agent Configuration File System Path Added to Auditing File System Path Added to Protection File System Path Changed in Auditing File System Path Changed in Protection File System Path Removed from Auditing File System Path Removed from Protection File System Protection Added File System Protection Disabled File System Protection Enabled File System Protection Removed Created when a facility (including all of the events in the facility) is removed from an Excluded Accounts template. Created when an excluded account is removed from the Change Auditor auditing scope. Created when an Excluded Accounts template is added to Change Auditor. Created when an Excluded Accounts template is added to an agent configuration definition in Change Auditor. Created when an Excluded Accounts template is removed from Change Auditor. Created when an Excluded Accounts template is removed from an agent configuration in Change Auditor. Created when a File System Protection template is added to an agent configuration definition. Created when a File System Auditing template is added to Change Auditor. Created when a File System Auditing template is added to an agent configuration definition in Change Auditor. Created when a File System Auditing template is disabled. Created when a File System Auditing template is enabled. Created when a File System Auditing template is removed from Change Auditor. Created when a File System Auditing template is removed from an agent configuration definition. Created when a file path is added to a File System Auditing template. Created when a file path is added to a File System Protection template. Created when a file path is changed in a File System Auditing template. Created when a file system path is changed in a File System Protection template. Created when a file path is removed from a File System Auditing template. Created when a file path is removed from a File System Protection template. Created when a File System Protection template is added to Change Auditor. Created when a File System Protection template is disabled. Created when a File System Protection template is enabled. Created when a File System Protection template is removed from Change Auditor. High High High High 14

15 Table 1. Change Auditor Internal Auditing events File System Protection Removed from Agent Configuration Group Added for Group Membership Expansion Group Added to "Member Of Group" Monitoring Group Membership Expansion Changed Group Policy Added to Protection Group Policy Changed in Protection Group Policy Protection Added Group Policy Protection Disabled Group Policy Protection Enabled Group Policy Protection Removed Group Policy Removed from Protection Group Removed from Group Membership Expansion Group Removed from "Member Of Group" Monitoring Host Added to VMware Auditing Host Removed from VMware Auditing Monitoring Point Added Monitoring Point Removed Created when a File System Protection template is removed from an agent configuration definition. Created when a group is added to the group membership expansion list on the Coordinator Configuration page in Change Auditor. Created when a group is added to the Member of Group Auditing list. Created when the group membership expansion option is changed on the Coordinator Configuration page in Change Auditor. Created when a group policy is added to a Group Policy Protection template. Created when a group policy is changed in a Group Policy Protection template. Created when a Group Policy Protection template is added to Change Auditor. Created when a Group Policy Protection template is disabled. Created when a Group Policy Protection template is enabled. Created when a Group Policy Protection template is removed from Change Auditor. Created when a group policy is removed from a Group Policy Protection template. Created when a group is removed from the group membership expansion list on the Coordinator Configuration page in Change Auditor. Created when a group is removed from the Member of Group Auditing list. Created when a host is added to a VMware Auditing template. Created when a host is removed from a VMware Auditing template Created when an additional (custom) Active Directory object is added to the Change Auditor auditing scope. Created when an additional (custom) Active Directory object or object class is removed from the Change Auditor auditing scope. Monitoring Scope Disabled Created when the auditing of a directory object is disabled on the Active Directory Auditing page. Monitoring Scope Enabled Created when the auditing of a directory object is enabled on the Active Directory Auditing page. NetApp Auditing Added Created when a new NetApp Auditing template is added to Change Auditor. NetApp Auditing Disabled Created when a NetApp Auditing template is disabled. NetApp Auditing Enabled Created when a NetApp Auditing template is enabled. NetApp Auditing Removed Created when a NetApp Auditing template is removed from Change Auditor. 15

16 Table 1. Change Auditor Internal Auditing events NetApp Path Added to Auditing NetApp Path Changed in Auditing NetApp Path Removed from Auditing Object Added to Active Directory Protection Object Added to ADAM Protection Object Changed in Active Directory Protection Object Changed in ADAM Protection Object Removed from Active Directory Protection Object Removed from ADAM Protection Override Account Added to Active Directory Protection Override Account Added to ADAM Protection Override Account Added to Exchange Protection Override Account Added to File System Protection Override Account Added to Group Policy Protection Override Account Removed from Active Directory Protection Override Account Removed from ADAM Protection Override Account Removed from Exchange Protection Override Account Removed from File System Protection Override Account Removed from Group Policy Protection Override Accounts Active Directory Protection Allow Override Accounts Active Directory Protection Deny Override Accounts ADAM Protection Allow Created when an audit path (i.e., file, folder or volume) is added to a NetApp Auditing template. Created when an audit path is changed in a NetApp Auditing template. Created when an audit path (i.e., file, folder or volume) is removed from a NetApp Auditing template. Created when an object is added to an Active Directory Protection template. Created when an object is added to an ADAM (AD LDS) Protection template. Created when an object is modified in an Active Directory Protection template. Created when an object is modified in an ADAM (AD LDS) Protection template. Created when an object is removed from an Active Directory Protection template. Created when an object is removed from an ADAM (AD LDS) Protection template. Created when an override account is added to an Active Directory Protection template. Created when an override account is added to an ADAM Protection template. Created when an override account is added to an Exchange Protection template. Created when an override account is added to a File System Protection template. Created when an override account is added to a Group Policy Protection template. Created when an override account is removed from an Active Directory Protection template. Created when an override account is removed from an ADAM Protection template. Created when an override account is removed from an Exchange Protection template. Created when an override account is removed from a File System Protection template. Created when an override account is removed from a Group Policy Protection template. Created when the override accounts in an Active Directory protection template are set to allow (specifying that accounts are to be excluded from protection). Created when the override accounts in an Active Directory protection template are set to deny (specifying that accounts are to be included in protection). Created when the override accounts in an ADAM protection template are set to allow (specifying that accounts are to be excluded from protection). 16

17 Table 1. Change Auditor Internal Auditing events Override Accounts ADAM Protection Deny Override Accounts Exchange Protection Allow Override Accounts Exchange Protection Deny Override Accounts File System Protection Allow Override Accounts File System Protection Deny Override Accounts Group Policy Protection Allow Override Accounts Group Policy Protection Deny Private Report Disabled Private User Alert Disabled Process Added to File System Auditing Process Removed from File System Auditing Protection Disabled for Active Directory Object Protection Disabled for ADAM Object Protection Disabled for File System Path Protection Enabled for Active Directory Object Protection Enabled for ADAM Object Protection Enabled for File System Path Protection for Exchange Container Disabled Protection for Exchange Container Enabled Protection for Group Policy Disabled Created when the override accounts in an ADAM protection template are set to deny (specifying that accounts are to be included in protection). Created when the override accounts in an Exchange protection template are set to allow (specifying that accounts are to be excluded from protection). Created when the override accounts in an Exchange protection template are set to deny (specifying that accounts are to be included in protection). Created when the override accounts in a File System protection template are set to allow (specifying that accounts are to be excluded from protection). Created when the override accounts in a File System protection template are set to deny (specifying that accounts are to be included in protection). Created when the override accounts in a Group Policy protection template are set to allow (specifying that accounts are to be excluded from protection). Created when the override accounts in a Group Policy protection template are set to deny (specifying that accounts are to be included in protection). Created when reporting is disabled for a private search query (that is, a search created in a user s Private folder) using the Private Alerts and Reports page on the Administration Tasks tab. Created when an alert is disabled for a private search query (that is, a search created in a user s Private folder) using the Private Alerts and Reports page on the Administration Tasks tab. Created when a process is added to a File System Auditing template. Created when a process is removed from a File System Auditing template. Created when protection for an Active Directory object is disabled in an Active Directory Protection template. Created when protection for an ADAM (AD LDS) object is disabled in an ADAM (AD LDS) Protection template. Created when protection for a file path is disabled in a File System Protection template. Created when protection for an Active Directory object is enabled in an Active Directory Protection template. Created when protection for an ADAM (AD LDS) object is enabled in an Active Directory Protection template. Created when protection for a file path is enabled in a File System Protection template. Created when protection for an Exchange mailbox is disabled in an Exchange Mailbox Protection template. Created when protection for an Exchange mailbox is enabled in an Exchange Mailbox Protection template. Created when protection for a group policy object is disabled in a Group Policy Protection template. 17

18 Table 1. Change Auditor Internal Auditing events Protection for Group Policy Enabled Public Report Disabled Public Report Enabled Public User Alert Changed Public User Alert Disabled Public User Alert Enabled Created when protection for a group policy object is enabled in a Group Policy Protection template. Created when reporting is disabled for a shared search query (that is, a search in a Shared folder). Created when a reporting is enabled for a shared search query (that is, a search in a Shared folder). Created when an alert is changed in Change Auditor for a shared search query (that is, a search in a Shared folder). Created when an alert is disabled in Change Auditor for a shared search query (that is, a search in a Shared folder). Created when an alert is enabled in Change Auditor for a shared search query (that is, a search in a Shared folder). Public User Search Created Created when a public user search is created in Change Auditor. Public User Search Deleted Created when a public user search is deleted from Change Auditor. Public User Search Modified Created when a public user search is modified in Change Auditor. Purge Job Added Created when a scheduled purge job is added to the Purge Jobs page on the Administration Tasks tab. Purge Job Changed Created when a scheduled purge job is modified. Purge Job Disabled Created when a scheduled purge job is disabled. Purge Job Enabled Created when a scheduled purge job is enabled. Purge Job Removed Created when a scheduled purge job is deleted from the Purge Jobs page on the Administration Tasks tab. Refresh Frequency for Group Membership Changed Refresh Frequency for the List of Expanded Groups Changed Registry Auditing Added Registry Auditing Added to Agent Configuration Created when the Refresh Group Membership Every nnn Minutes setting is changed on the Coordinator Configuration page in Change Auditor. Created when the Refresh the List of Expanded Groups Every nnn Minutes setting is changed on the Coordinator Configuration page in Change Auditor. Created when a Registry Auditing template is added to Change Auditor. Created when a Registry Auditing template is added to an agent configuration definition. Registry Auditing Disabled Created when a Registry Auditing template is disabled. Registry Auditing Enabled Created when a Registry Auditing template is enabled. Registry Auditing Removed Created when a Registry Auditing template is removed from Change Auditor. Registry Auditing Removed from Agent Configuration Registry Object Added to Auditing Registry Object Changed in Auditing Created when a Registry Auditing template is removed from an agent configuration definition. Created when a registry object is added to a Registry Auditing template. Created when a registry object is changed in a Registry Auditing template. 18

19 Table 1. Change Auditor Internal Auditing events Registry Object Removed from Auditing Report Layout Added Created when a registry object is removed from a Registry Auditing template. Created when a report layout is added to the Report Layouts page on the Administration Tasks tab. Report Layout Changed Created when a report layout is modified. Report Layout Removed Created when a report layout is deleted from the Report Layouts page on the Administration Tasks tab. SDK Agent Added Created when an agent (machine where the audit event occurred) is added using the software development kit. SDK Event Class Added Created when a new user-defined event class (type of audit event) is added to Change Auditor using the software development kit. SDK Event Class Modified SDK Event Class Removed SDK Facility Added SDK Facility Modified SDK Facility Removed SDK Machine Added Service Added to Auditing Service Auditing Added Service Auditing Added to Agent Configuration Created when a user-defined event class is modified using the software development kit. Created when a user-defined event class is removed from Change Auditor using the software development kit. Created when a new user-defined facility (category of an event class) is added to Change Auditor using the software development kit. Created when a user-defined facility is modified (e.g., new events are added or removed) using the software development kit. Created when a user-defined facility is removed from Change Auditor using the software development kit. Created when a workgroup server (machine where the audit event occurred) is added using the software development kit. (Used in ADAM (AD LDS) configurations only.) Created when a service is added to a Service Auditing template. Created when a Service Auditing template is added to Change Auditor. Created when a Service Auditing template is added to an agent configuration definition. Service Auditing Changed Created when a Service Auditing template is modified. Service Auditing Disabled Created when a Service Auditing template is disabled. Service Auditing Enabled Created when a Service Auditing template is enabled. Service Auditing Removed Created when a Service Auditing template is removed from Change Auditor. Service Auditing Removed from Agent Configuration Service Removed from Auditing SharePoint Auditing Added SharePoint Auditing Disabled Created when a Service Auditing template is removed from an agent configuration definition. Created when a service is removed from a Service Auditing template. Created when a SharePoint Auditing template is added in Change Auditor. Created when a SharePoint Auditing template is disabled. 19

20 Table 1. Change Auditor Internal Auditing events SharePoint Auditing Enabled SharePoint Auditing Removed SharePoint Event Added SharePoint Event Removed SharePoint Facility Added SharePoint Facility Removed SharePoint Path Added to Auditing SharePoint Path Changed in Auditing SharePoint Path Removed From Auditing SMTP Alerting Disabled SMTP Alerting Format Changed SMTP Alerting Enabled SMTP Alerting From Address Changed SMTP Alerting Server Authentication Disabled SMTP Alerting Server Authentication Enabled SMTP Alerting Server Changed SMTP Alerting Server Password Changed SMTP Alerting Server Username Changed SMTP Lookup Exchange Account Changed Created when a previously disabled SharePoint Auditing template is enabled. Created when a SharePoint Auditing template is removed from Change Auditor. Created when a SharePoint event is added to a SharePoint Auditing template. Created when a SharePoint event is removed from a SharePoint Auditing template. Created when a SharePoint facility is added to a SharePoint Auditing template Created when a SharePoint facility is removed from a SharePoint Auditing template. Created when a SharePoint path is added to a SharePoint Auditing template. Created when a SharePoint path is modified in a SharePoint Auditing template. Created when a SharePoint path is removed from a SharePoint Auditing template. Created when the Enable SMTP for Alerts and Reporting check box is cleared in the SMTP Configuration pane of the Coordinator Configuration page. The format (Plain Text or HTML) used for SMTP notifications is changed in the SMTP Configuration pane of the Coordinator Configuration page. Created when the Enable SMTP for Alerts and Reporting check box is selected in the SMTP Configuration pane of the Coordinator Configuration page. Created when the From Address used for SMTP notifications is changed in the SMTP Configuration pane of the Coordinator Configuration page. Created when the My Server Requires Authentication check box is cleared in the SMTP Configuration pane of the Coordinator Configuration page. Created when the My Server Requires Authentication check box is selected in the SMTP Configuration pane of the Coordinator Configuration page. Created when the mail server used for SMTP alerting and reporting is changed in the SMTP Configuration pane of the Coordinator Configuration page. Created when the password associated with the mail server specified in the SMTP Configuration pane of the Coordinator Configuration page is modified. Created when the account name associated with the mail server specified in the SMTP Configuration pane of the Coordinator Configuration page is modified. Created when the account name associated with the Exchange host specified in the SMTP Configuration pane of the Coordinator Configuration page is modified. 20