KB-12341: How to log administrator activities in Centrify Access Manager to your SIEM

Privilege Elevation Service

30 September,19 at 08:10 PM

Question:
Can Centrify Access Manager configuration changes be logged to the SIEM?

Answer:

To capture Centrify Access Manager configuration changes in your SIEM, you need two things on the operating system running Access Manager:

1. The SIEM reflector to read the Application event log and send it to your SIEM.

2. Configure the following registry setting:
 

 

- HKLM\Software\Centrify\AuditTrail\Centrify Suite.Centrify Configuration\AuditTrailTargets (Set the value to 3.)

- OR HKLM\Software\Centrify\AuditTrail\AuditTrailTargets (Set the value to 3.) Then delete the three child keys for HKLM\Software\Centrify\AuditTrail.

 

This value writes events to both the local Windows Application event log and the DirectAudit database. Events such as assigning a user to a role, creating a child zone or modifying a user's POSIX information will be logged to your SIEM.
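One way to check and apply the registry setting above from PowerShell, as an added example that is not Centrify's own tooling. The key paths and the value 3 come from this article; storing the value as a DWORD is an assumption the article does not confirm.

```powershell
# Added example, not Centrify code. Key paths and the value 3 are from the article;
# storing the value as a DWORD is an assumption.
param([switch]$Apply)    # without -Apply the script only reports

$root    = 'HKLM:\Software\Centrify\AuditTrail'
$product = Join-Path $root 'Centrify Suite.Centrify Configuration'
$name    = 'AuditTrailTargets'
$wanted  = 3             # event log + DirectAudit database, per the article

function Get-AuditTarget([string]$Path) {
    # Returns the AuditTrailTargets value under $Path, or $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -Name $name -ErrorAction SilentlyContinue).$name
}

# Collect the global key plus every child key so both options from the article are visible.
$paths = @($root)
if (Test-Path -LiteralPath $root) {
    $paths += Get-ChildItem -LiteralPath $root | ForEach-Object { $_.PSPath }
}

$report = foreach ($p in $paths) {
    $v = Get-AuditTarget $p
    [pscustomobject]@{
        Key    = $p -replace '^.*::', ''    # strip the provider prefix for display
        Value  = $v
        Status = if ($null -eq $v) { 'not set' } elseif ($v -eq $wanted) { 'OK' } else { 'differs' }
    }
}
$report | Format-Table -AutoSize

if ($Apply -and (Get-AuditTarget $product) -ne $wanted) {
    # First option from the article: set the value on the product-specific key.
    if (-not (Test-Path -LiteralPath $product)) { New-Item -Path $product -Force | Out-Null }
    New-ItemProperty -LiteralPath $product -Name $name -Value $wanted `
        -PropertyType DWord -Force | Out-Null
    Write-Output "Set $name=$wanted under $product"
}
```

Run it from an elevated session on the machine hosting Access Manager; writing under HKLM requires administrator rights.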

Example Event viewer log entries look like this:

[Screenshot: Centrify entries in Event Viewer]
 

 

For reference, here is the guide to all events written by the DirectAudit Agent to the Application event log, as well as to syslog on Linux: https://docs.centrify.com/en/css/suite2017.1/centrify-audit-events-guide.pdf
