Can Centrify Access Manager configuration changes be logged to the SIEM?
To capture configuration changes made in Centrify Access Manager in your SIEM, you will need two things on the operating system running Access Manager:
1. The SIEM reflector, to read the Windows Application event log and send it to your SIEM.
2. Configure the following registry setting:
- HKLM\Software\Centrify\AuditTrail\Centrify Suite.Centrify Configuration\AuditTrailTargets (Set the value to 3.)
- OR HKLM\Software\Centrify\AuditTrail\AuditTrailTargets (Set the value to 3.) Then delete the three child keys for HKLM\Software\Centrify\AuditTrail.
Setting the value to 3 writes events to both the local Windows Application event log and the DirectAudit database. Events such as assigning a user to a role, creating a child zone or modifying a user's POSIX information will then be logged to your SIEM.
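The registry step above as a script that reports the current setting before changing it. This is an added example, not Centrify's own tooling. It assumes the value is a DWORD, that "Centrify Suite.Centrify Configuration" is a single key name as written above, and that the keys to delete in the global case are the only child keys of AuditTrail; the `-Scope` parameter is hypothetical. Run it with `-WhatIf` first to see what would change.

```powershell
#Requires -RunAsAdministrator
# Added example. Paths and the value 3 come from the article; DWORD type is an assumption.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Component = first option in the article, Global = the "OR" option.
    [ValidateSet('Component', 'Global')]
    [string]$Scope = 'Component'
)

$root      = 'HKLM:\Software\Centrify\AuditTrail'
$component = Join-Path $root 'Centrify Suite.Centrify Configuration'
$name      = 'AuditTrailTargets'
$wanted    = 3   # per the article: Application event log and DirectAudit database

function Get-AuditTrailTarget([string]$Path) {
    # Returns the current value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }
}

# Report the state of both locations before changing anything.
foreach ($p in $component, $root) {
    [pscustomobject]@{ Key = $p; Value = Get-AuditTrailTarget $p }
}

$target = if ($Scope -eq 'Global') { $root } else { $component }

if ((Get-AuditTrailTarget $target) -ne $wanted) {
    if ($PSCmdlet.ShouldProcess("$target\$name", "Set to $wanted")) {
        if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }
        New-ItemProperty -Path $target -Name $name -Value $wanted -PropertyType DWord -Force | Out-Null
    }
}

if ($Scope -eq 'Global') {
    # The article says to delete the child keys of AuditTrail for the global option.
    # Assumption: every child key found here is one of those keys.
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Remove child key')) {
            Remove-Item -Path $_.PSPath -Recurse
        }
    }
}

# Final state of the value that was targeted.
'{0} = {1}' -f "$target\$name", (Get-AuditTrailTarget $target)
```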
Example Event viewer log entries look like this:
For reference, here is the guide to all events written by the DirectAudit Agent to the Application event log, as well as to syslog on Linux: https://docs.centrify.com/en/css/suite2017.1/centrify-audit-events-guide.pdf