This article goes over one of the methods that can be used to find the DirectAudit Databases and Collectors in your environment, if you do not know where they exist.
For example, the Centrify expert at your company has moved on to another job opportunity and you take over their position. That person did not leave any notes about the Centrify setup in your environment, other than the Centrify products that have been purchased and installed. One them being DirectAudit. DirectAudit requires multiple components for the server side setup, such a database instance with an AuditStore database and a Management database, and collectors to collect the audited data from the agents and push it to the AuditStore database. In this scenario, where very little information is provided, how can one find out where the DirectAudit databases and collectors are located?
The method we are going to go over today is using PowerShell, run as an Administrator with the Active Directory modules loaded, to run some queries against Active Directory.
Add Active Directory Module to PowerShell:
Adding the Active Directory module to PowerShell can be different depending on which Windows OS is being used. The steps below are how to add the Active Directory Modules into PowerShell on a Windows Server 2016. If the Windows Server 2016 is a Domain Controller, the AD module is already installed. On member servers, you can add the module as a feature in Server Manager.
1. Start Server Manager.
2. Click Manage > Add Roles and Features.
3. Click Next until you reach Features.
4. Enable Active Directory module for Windows PowerShell in Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
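The Server Manager steps above can also be done from the console. The following is an added example (not from the Centrify article) that checks whether the ActiveDirectory module is present, installs the RSAT component when it is missing, and then imports the module; it assumes an elevated PowerShell session on a domain-joined machine, and the client-side capability name is the one RSAT uses on Windows 10/11.

```powershell
# Added example, not code from the Centrify article.
# Ensure the ActiveDirectory PowerShell module is available before running AD queries.
function Initialize-ADModule {
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        if (Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue) {
            # Windows Server: the same feature the Server Manager steps above enable
            Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
        } else {
            # Windows 10/11 client: RSAT ships as an optional capability (assumed name)
            Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0' | Out-Null
        }
    }
    Import-Module ActiveDirectory -ErrorAction Stop
    # Confirm the module actually talks to the domain before going further
    (Get-ADDomain).DNSRoot
}

Initialize-ADModule
```

Running this once at the start of the session means the `Get-ADObject` queries in the rest of this article fail early with a clear error if the module cannot be loaded, rather than with an "unrecognized cmdlet" message halfway through.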
To find the DirectAudit databases:
Open up PowerShell as an Administrator by right clicking on the PowerShell icon and choosing "Run As Administrator".
The below command can be used to find the Audit Installation DBs (AuditStore and ManagementDB):
Get-ADObject -LDAPFilter "((cn=Vegas-Installation*))" -Properties ServiceBindingInformation | select ServiceBindingInformation | FL
In that output, there will be two "InstanceGuid" entries. The first one should be the AuditStore DB, and the second one should be the ManagementDB. Look for "Data Source=" in both "InstanceGuid" entries, and you will find the server those databases exist on.
Example:
PS C:\Windows\system32> Get-ADObject -LDAPFilter "((cn=Vegas-Installation*))" -Properties ServiceBindingInformation | select ServiceBindingInformation | FL
ServiceBindingInformation : {InstanceGuid:d04ac2c3-8774-4a4e-928f-a033e8948864,InstanceName:Demo-Site@centrifyimage.vms-AuditStore,BindingInfo:Data Source=DEPLOY2.centrifyimage.vms\\CENTRIFY;Initial Catalog=Demo-Site@centrifyimage.vms-AuditStore-2019-10-15,BindingType:1,SiteName:Demo-Site@centrifyimage.vms,AgentSiteAffinity:False,SystemTypeAffinity:0,
InstanceGuid:011acdc0-bda2-4dc5-83a2-b6a0e733d09f,InstanceName:DefaultManagementDatabase,BindingInfo:Data Source=DEPLOY2.centrifyimage.vms\\CENTRIFY;Initial Catalog=DefaultManagementDatabase,BindingType:0}
In the above example, we can see that the AuditStore is Demo-Site@centrifyimage.vms-AuditStore and is found on server DEPLOY2.centrifyimage.vms. We can also see that the Management Database is DefaultManagementDatabase and is also found on server DEPLOY2.centrifyimage.vms under the CENTRIFY database instance.
To find the DirectAudit collectors:
Here is a command that can be used to find collectors:
Get-ADObject -LDAPFilter "((cn=Vegas-Service*))" | select DistinguishedName
There will be 3 entries per Collector (one for Windows, one for Unix, and one for AuditTrail).
The CN after the CN=Vegas-Service-{Guid} is the server where the collector exists.
Example:
PS C:\Windows\system32> Get-ADObject -LDAPFilter "((cn=Vegas-Service*))" | select DistinguishedName
DistinguishedName
---------------
CN=Vegas-Service-609186ee-85ef-426d-9e98-507f1dcf5889,CN=DEPLOY2,OU=Workstations,DC=centrifyimage,DC=vms
CN=Vegas-Service-98c77093-8478-4557-9a63-fc6721efe31d,CN=DEPLOY2,OU=Workstations,DC=centrifyimage,DC=vms
CN=Vegas-Service-ab84c3eb-2a99-4767-8132-96d4c2f80fbd,CN=DEPLOY2,OU=Workstations,DC=centrifyimage,DC=vms
In the above example, we can see three lines in the output and they all show as pointing to one server. As mentioned previously, there are three entries per Collector (one for Windows, one for Unix, and one for AuditTrail).
We can infer that there is only one Collector and it is found on server DEPLOY2 under the Workstations OU in the centrifyimage.vms domain.
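The two queries above, plus the manual reading of the output, can be combined into one script that returns a summary of where the databases and collectors live. The following is an added example, not code from the Centrify article: it parses each ServiceBindingInformation value for the InstanceName, Data Source and Initial Catalog, and groups the Vegas-Service objects by the parent CN so each collector host appears once. It assumes the ActiveDirectory module is loaded, the Vegas-Installation*/Vegas-Service* naming shown above, and that BindingType 1 denotes the AuditStore and 0 the Management database (inferred only from the article's sample output, so treat the Role column as a hint and confirm it against the InstanceName).

```powershell
# Added example, not code from the Centrify article.
Import-Module ActiveDirectory -ErrorAction Stop

function ConvertFrom-AuditBindingInfo {
    # Parse one ServiceBindingInformation string into name, SQL host\instance and catalog.
    param([Parameter(Mandatory)][string]$Binding)
    $name    = [regex]::Match($Binding, 'InstanceName:([^,]+)').Groups[1].Value
    $source  = [regex]::Match($Binding, 'Data Source=([^;,]+)').Groups[1].Value
    $catalog = [regex]::Match($Binding, 'Initial Catalog=([^,;]+)').Groups[1].Value
    $type    = [regex]::Match($Binding, 'BindingType:(\d)').Groups[1].Value
    [pscustomobject]@{
        InstanceName = $name
        # Role mapping is an assumption taken from the article's sample output
        Role         = switch ($type) { '1' { 'AuditStore' } '0' { 'ManagementDB' } default { "Unknown($type)" } }
        SqlServer    = $source      # host\instance, e.g. DEPLOY2.centrifyimage.vms\CENTRIFY
        Database     = $catalog
    }
}

function Get-DirectAuditDatabases {
    # One installation object per DirectAudit installation; each binding value is one database.
    Get-ADObject -LDAPFilter '(cn=Vegas-Installation*)' -Properties ServiceBindingInformation |
        ForEach-Object {
            $installation = $_.Name
            foreach ($b in $_.ServiceBindingInformation) {
                ConvertFrom-AuditBindingInfo -Binding $b |
                    Add-Member -NotePropertyName Installation -NotePropertyValue $installation -PassThru
            }
        }
}

function Get-DirectAuditCollectors {
    # Each collector host carries three Vegas-Service objects (Windows, Unix, AuditTrail);
    # the parent CN in the DN is the collector's computer object.
    Get-ADObject -LDAPFilter '(cn=Vegas-Service*)' |
        ForEach-Object {
            $m = [regex]::Match($_.DistinguishedName, '^CN=Vegas-Service-[0-9a-fA-F-]+,CN=([^,]+),(.+)$')
            if ($m.Success) {
                [pscustomobject]@{ ComputerName = $m.Groups[1].Value; Container = $m.Groups[2].Value }
            }
        } |
        Group-Object ComputerName |
        ForEach-Object {
            [pscustomobject]@{
                CollectorHost  = $_.Name
                ServiceObjects = $_.Count            # expect 3 per collector
                Container      = $_.Group[0].Container
            }
        }
}

# Offline check of the parser using a constructed copy of the AuditStore binding quoted above
$sample = 'InstanceGuid:d04ac2c3-8774-4a4e-928f-a033e8948864,InstanceName:Demo-Site@centrifyimage.vms-AuditStore,' +
          'BindingInfo:Data Source=DEPLOY2.centrifyimage.vms\CENTRIFY;Initial Catalog=Demo-Site@centrifyimage.vms-AuditStore-2019-10-15,' +
          'BindingType:1,SiteName:Demo-Site@centrifyimage.vms'
ConvertFrom-AuditBindingInfo -Binding $sample | Format-List

# Live queries against the domain
Get-DirectAuditDatabases  | Format-Table Installation, Role, SqlServer, Database -AutoSize
Get-DirectAuditCollectors | Format-Table -AutoSize
```

A ServiceObjects count other than 3 for a host is worth a second look: it usually means a collector was removed without cleaning up its AD objects, or a registration is incomplete. Because the audit store holds session recordings, the SqlServer column also tells you which SQL instance to include in your backup and access-review scope.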
Conclusion:
Now that we have figured out that both the Audit Installation Databases exist on the deploy2 server, we can go to that server and use the Centrify DirectAudit management tools to manage and maintain our DirectAudit Installation, namely the Audit Manager and Centrify DirectAudit Collector Control Panel. For more information on DirectAudit and the associated tools, please refer to the following documentation:
https://docs.centrify.com/en/css/19.9/centrify-audit-adminguide.pdf