
Integrating Centrify Server Suite with SIEM Tools – Part 2, integration with Splunk

30 December, 19 at 01:46 PM

In the previous post on Integrating Centrify Server Suite with SIEM tools, we covered that Centrify Server Suite (CSS) is an agent-based solution for unified identity management across Windows, Linux and UNIX systems. The CSS agent can track over 300 different types of events in real time on 450+ flavors of Windows, Linux and UNIX machines.


In this post, we cover how to integrate Centrify events into your existing Splunk deployment.

Please refer to the following reference for installation instructions:

Centrify Splunk Installation guide

Centrify Splunk Add-on Binary

Getting Started

First, how do you get Centrify events into Splunk? Centrify events are written locally to standard logs: syslog on *nix systems and the Windows event log. Install the Splunk Forwarder on each machine running the Centrify agent to centrally consolidate and index all Centrify events. The Centrify Splunk Add-on makes it easy to configure the location of the Centrify event sources; follow the installation guide for instructions on how to install the add-on.


Check that events are being forwarded by clicking Data Summary in the Splunk Web interface, as shown below.

[Screenshot: Data Summary in the Splunk Web interface]


View the Centrify events by searching for “Audit_Trail”; you should see all of the Centrify events.

[Screenshot: search results for “Audit_Trail”]


Normalizing events

Install the Centrify Splunk Add-on on the Splunk server to normalize Centrify events, following the instructions in the installation guide. Once the events are centrally collected and indexed within Splunk, you can find the relevant events via the Splunk search interface. To make Centrify events and Centrify fields easy to find, we have created 18 event types within Splunk and custom-parsed all the Centrify fields into Splunk.


Below is a list of all the categorized events; we have mapped all the event categories listed in the Centrify Server Suite events document here.

Centrify Event Category          Splunk Event Type

DirectAudit System Management
Audit Manager
Audit Analyzer
DirectAuthorize - Windows
DirectAudit - Windows
Centrify Configuration
DirectControl UNIX Agent
DirectAudit UNIX Agent
Centrify Commands
Trusted Path
Local Account Management
Centrify sshd


After installing the Centrify Add-on, you should see “Centrify Add-on for Splunk” enabled under Apps, as shown below.

[Screenshot: “Centrify Add-on for Splunk” listed under Apps]

Leveraging Splunk’s Common Information Model

Splunk’s Common Information Model (CIM) tags common events from different vendors and source types; by enabling it, Splunk unifies events from a data domain of interest across the enterprise. Splunk has defined around 23 data models today, and the number is growing rapidly. We have taken over a dozen Centrify events and mapped them to Splunk’s Authentication data model.


Shown below is how to find the events that are mapped into the Authentication data model.



To summarize, CSS Standard Edition captures all logon and privilege activity on any machine that has a CSS agent running. On Linux/UNIX machines the event is stored in CEF format in syslog; on Windows machines it is stored in the event log. You can now ingest Centrify events into Splunk and easily normalize the Centrify data using our Splunk Add-on.
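As an added example (not code from this post or from Centrify's add-on), the following Python walks through the two normalization steps described above: pulling a CEF record out of a syslog line of the kind the CSS agent writes on Linux/UNIX, and mapping its fields onto Splunk's CIM Authentication data model. The sample line, the vendor/product names and the CEF-to-CIM field mapping are constructed assumptions; the page does not publish the add-on's own field extractions.

```python
import re

# Constructed sample syslog line in the CEF layout the post says the CSS agent
# writes on Linux/UNIX. Vendor, product and extension values are placeholders,
# not real Centrify identifiers.
SAMPLE_SYSLOG = (
    "Jul  7 12:34:18 host01 adclient[1234]: CEF:0|ExampleVendor|ExampleAgent|1.0|100|"
    "PAM authentication succeeded|5|dhost=host01.example.com duser=alice "
    "shost=10.0.0.5 act=success msg=PAM auth via ssh\\=key"
)
# Same record with no act= field, to exercise the failure path.
SAMPLE_NO_ACTION = SAMPLE_SYSLOG.replace(" act=success", "")

# Assumed mapping from standard CEF extension keys to CIM Authentication fields.
CIM_FIELD_MAP = {"dhost": "dest", "duser": "user", "shost": "src", "act": "action"}
HEADER_KEYS = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]

def parse_cef(line):
    """Return (header dict, extension dict) for a syslog line carrying a CEF record."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line")
    # The header is seven '|'-separated fields (a '\|' is a literal pipe); the
    # remainder after the seventh unescaped pipe is the extension.
    parts = re.split(r"(?<!\\)\|", line[idx:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_KEYS, parts[:7])}
    header["version"] = header["version"].split(":", 1)[1]
    # Extension values may contain spaces and escaped '=' or '\', so a value runs
    # until the next whitespace-preceded "key=" or the end of the line.
    ext = {}
    for m in re.finditer(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|$)", parts[7].strip()):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    return header, ext

def to_cim_authentication(line):
    """Map one CEF record onto CIM Authentication fields; None if it is not usable."""
    header, ext = parse_cef(line)
    event = {cim: ext[raw] for raw, cim in CIM_FIELD_MAP.items() if raw in ext}
    event["app"] = header["product"]
    event["signature"] = header["name"]
    # CIM expects action to be "success" or "failure"; drop anything else so the
    # data model is not filled with records that cannot be searched by outcome.
    if event.get("action") not in ("success", "failure"):
        return None
    return event
```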


In my next post I’ll demonstrate how you can leverage these events in your IBM QRadar deployment. Meanwhile, you can try the Splunk integration today with a free trial of Centrify Server Suite Standard Edition. If you are already a Centrify customer and want to learn more, please contact your Centrify account team.