
[HOWTO] Find DirectAudit databases and collectors if you do not know where they exist in your environment

Auditing and Monitoring Service

27 March,20 at 08:06 PM

This article goes over one of the methods that can be used to find the DirectAudit Databases and Collectors in your environment, if you do not know where they exist.

For example, the Centrify expert at your company has moved on to another job opportunity and you take over their position.  That person did not leave any notes about the Centrify setup in your environment, other than the Centrify products that have been purchased and installed, one of them being DirectAudit.  DirectAudit requires multiple components for the server side setup, such as a database instance with an AuditStore database and a Management database, and collectors to collect the audited data from the agents and push it to the AuditStore database.  In this scenario, where very little information is provided, how can one find out where the DirectAudit databases and collectors are located?

The method we are going to go over today is using PowerShell, run as an Administrator with the Active Directory modules loaded, to run some queries against Active Directory.

Add Active Directory Module to PowerShell:

Adding the Active Directory module to PowerShell can be different depending on which Windows OS is being used.  The steps below show how to add the Active Directory module to PowerShell on Windows Server 2016. If the Windows Server 2016 machine is a Domain Controller, the AD module is already installed. On member servers, you can add the module as a feature in Server Manager.
    1. Start Server Manager.
    2. Click Manage > Add Roles and Features.
    3. Click Next until you reach Features.
    4. Enable Active Directory module for Windows PowerShell in Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
Install the AD module on Windows Server 2016

To find the DirectAudit databases:

Open up PowerShell as an Administrator by right clicking on the PowerShell icon and choosing "Run As Administrator". 

The below command can be used to find the Audit Installation DBs (Auditstore and ManagementDB):
Get-ADObject -LDAPFilter "((cn=Vegas-Installation*))" -Properties ServiceBindingInformation | select ServiceBindingInformation | FL

In that output, there will be two "InstanceGuid" entries.
The first one should be the AuditStore DB.
The second one should be the ManagementDB.

Look for "Data Source=" in both "InstanceGuid" entries, and you will find the server those databases exist on.

PS C:\Windows\system32> Get-ADObject -LDAPFilter "((cn=Vegas-Installation*))" -Properties ServiceBindingInformation | select ServiceBindingInformation | FL

ServiceBindingInformation : {InstanceGuid:d04ac2c3-8774-4a4e-928f-a033e8948864,InstanceName:Demo-Site@centrifyimage.vms-AuditStore,BindingInfo:Data
                            Source=DEPLOY2.centrifyimage.vms\\CENTRIFY;Initial Catalog=Demo-Site@centrifyimage.vms-AuditStore-2019-10-15,BindingType:1,SiteNa
                            Source=DEPLOY2.centrifyimage.vms\\CENTRIFY;Initial Catalog=DefaultManagementDatabase,BindingType:0}

In the above example, we can see that the AuditStore is Demo-Site@centrifyimage.vms-AuditStore and is found on server DEPLOY2.centrifyimage.vms. We can also see that the Management Database is DefaultManagementDatabase and is also found on server DEPLOY2.centrifyimage.vms under the CENTRIFY database instance.

To find the DirectAudit collectors:

Here is a command that can be used to find collectors:
Get-ADObject -LDAPFilter "((cn=Vegas-Service*))" | select DistinguishedName

There will be 3 entries per Collector (one for Windows, one for Unix, and one for AuditTrail).

The CN after the CN=Vegas-Service-{Guid} is the server where the collector exists.

PS C:\Windows\system32> Get-ADObject -LDAPFilter "((cn=Vegas-Service*))" | select DistinguishedName



CN=Vegas-Service-609186ee-85ef-426d-9e98-507f1dcf5889,CN=DEPLOY2,OU=Workstations,DC=centrifyimage,DC=vms



In the above example, we can see three lines in the output and they all show as pointing to one server.  As mentioned previously, there are three entries per Collector (one for Windows, one for Unix, and one for AuditTrail).  
We can infer that there is only one Collector and it is found on server DEPLOY2 under the Workstations OU in the centrifyimage.vms domain.
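
Reading the two outputs by eye gets error-prone once there are several databases or collectors, so the following added example (not Centrify code) turns both into a small inventory table. The function names ConvertFrom-AuditBinding and Get-CollectorHost are hypothetical, the field layout is assumed from the sample output in this article, and the all-digit GUIDs are constructed placeholders.

```powershell
# Added example (not Centrify code). Sample values are constructed from the output
# shown in this article; the all-digit GUIDs are placeholders.
$bindingValues = @(
    'InstanceGuid:d04ac2c3-8774-4a4e-928f-a033e8948864,InstanceName:Demo-Site@centrifyimage.vms-AuditStore,BindingInfo:Data Source=DEPLOY2.centrifyimage.vms\\CENTRIFY;Initial Catalog=Demo-Site@centrifyimage.vms-AuditStore-2019-10-15,BindingType:1'
    'InstanceGuid:00000000-0000-0000-0000-000000000000,BindingInfo:Data Source=DEPLOY2.centrifyimage.vms\\CENTRIFY;Initial Catalog=DefaultManagementDatabase,BindingType:0'
)
$parent = 'CN=DEPLOY2,OU=Workstations,DC=centrifyimage,DC=vms'
$serviceDns = @(
    "CN=Vegas-Service-609186ee-85ef-426d-9e98-507f1dcf5889,$parent"
    "CN=Vegas-Service-11111111-1111-1111-1111-111111111111,$parent"
    "CN=Vegas-Service-22222222-2222-2222-2222-222222222222,$parent"
)
# Against a live domain, replace the samples with the article's two queries:
# $bindingValues = Get-ADObject -LDAPFilter "((cn=Vegas-Installation*))" -Properties ServiceBindingInformation | ForEach-Object { $_.ServiceBindingInformation }
# $serviceDns    = Get-ADObject -LDAPFilter "((cn=Vegas-Service*))" | ForEach-Object { $_.DistinguishedName }

function ConvertFrom-AuditBinding {
    param([string[]]$Value)
    # Assumed layout: "Data Source=<server>\<instance>;Initial Catalog=<db>,BindingType:<n>"
    $pattern = 'Data Source=(?<src>[^;,]+);Initial Catalog=(?<cat>[^;,]+)(?:.*?BindingType:(?<type>\d+))?'
    foreach ($m in [regex]::Matches(($Value -join "`n"), $pattern, 'IgnoreCase')) {
        $server, $instance = $m.Groups['src'].Value -split '\\+', 2
        [pscustomobject]@{
            Server      = $server
            SqlInstance = $instance               # empty for a default SQL instance
            Database    = $m.Groups['cat'].Value
            BindingType = $m.Groups['type'].Value
        }
    }
}

function Get-CollectorHost {
    param([string[]]$DistinguishedName)
    $DistinguishedName | ForEach-Object {
        if ($_ -match '^CN=Vegas-Service-[^,]+,CN=(?<srv>[^,]+),(?<loc>.+)$') {
            [pscustomobject]@{ Collector = $Matches.srv; Location = $Matches.loc }
        }
    } | Group-Object Collector, Location | ForEach-Object {
        [pscustomobject]@{
            Collector      = $_.Group[0].Collector
            Location       = $_.Group[0].Location
            ServiceEntries = $_.Count             # the article expects 3 per collector
            Complete       = ($_.Count -eq 3)
        }
    }
}

ConvertFrom-AuditBinding $bindingValues | Format-Table -AutoSize
Get-CollectorHost $serviceDns | Format-Table -AutoSize
```

A collector row with Complete set to False means fewer or more than the three expected Vegas-Service entries were found under that computer object, which is worth checking before relying on that collector.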


Now that we have figured out that both the Audit Installation Databases exist on the deploy2 server, we can go to that server and use the Centrify DirectAudit management tools to manage and maintain our DirectAudit Installation, namely the Audit Manager and Centrify DirectAudit Collector Control Panel.  For more information on DirectAudit and the associated tools, please refer to the following documentation: