To send configuration changes made in Centrify Access Manager to your SIEM, you need two things on the operating system running Access Manager:
1. Your SIEM reflector, set up to read the Application event log and send it to your SIEM.
2. One of the following registry settings:
- HKLM\Software\Centrify\AuditTrail\Centrify Suite.Centrify Configuration\AuditTrailTargets (Set the value to 3.)
- OR HKLM\Software\Centrify\AuditTrail\AuditTrailTargets (Set the value to 3.) Then delete the three child keys of HKLM\Software\Centrify\AuditTrail.
With this value, events are written both to the local Application event log and to the DirectAudit database. Events such as assigning a user to a role, creating a child zone or modifying a user's POSIX information will then be logged to your SIEM.
For reference, here is the guide to all events written to the Application event log, as well as to syslog on Linux, by the DirectAudit Agent: https://docs.centrify.com/en/css/suite2017.1/centrify-audit-events-guide.pdf
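The following PowerShell is an added example, not part of the original article or of Centrify's tooling. It reports the current AuditTrailTargets value at both registry locations named above and can set the component-specific one to 3. The function names are hypothetical, and the REG_DWORD value type is an assumption, since the article does not state the type.

```powershell
# Added example: audit and set AuditTrailTargets as described in the article.
$Name   = 'AuditTrailTargets'
$Wanted = 3   # per the article: Application event log + DirectAudit database
$Root   = 'HKLM:\Software\Centrify\AuditTrail'
$Paths  = @(
    "$Root\Centrify Suite.Centrify Configuration",  # first option in the article
    $Root                                            # second option in the article
)

function Get-AuditTrailTarget {
    # Report the current value at each location named in the article.
    foreach ($p in $Paths) {
        $exists = Test-Path -LiteralPath $p
        $v = $null
        if ($exists) {
            $v = (Get-ItemProperty -LiteralPath $p -Name $Name -ErrorAction SilentlyContinue).$Name
        }
        [pscustomobject]@{
            Path      = $p
            KeyExists = $exists
            Value     = $v
            Compliant = ($v -eq $Wanted)
        }
    }
}

function Set-AuditTrailTarget {
    # Hypothetical helper: writes the value, honouring -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $Paths[0])
    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create key')) { New-Item -Path $Path -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to $Wanted")) {
        # Assumption: REG_DWORD; the article does not state the value type.
        New-ItemProperty -LiteralPath $Path -Name $Name -Value $Wanted -PropertyType DWord -Force | Out-Null
    }
}

Get-AuditTrailTarget | Format-Table -AutoSize
# Set-AuditTrailTarget -WhatIf   # preview the change
# Set-AuditTrailTarget           # apply from an elevated prompt, then re-run Get-AuditTrailTarget

# List child keys of the AuditTrail key for review when using the second option.
if (Test-Path -LiteralPath $Root) { Get-ChildItem -LiteralPath $Root | Select-Object -ExpandProperty PSChildName }
```

Run it in a 64-bit PowerShell session on the Access Manager host so the same registry view is read that the article's paths refer to.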