In the Centrify Audit Analyzer, what is the actual difference between a session that is marked as completed and one marked as disconnected?
To illustrate, notice the "State" column of an audited session. Sometimes it may show as "Disconnected" or "Terminated" here.Answer:
When an audited session ends without issues, (normal user logout) the CentrifyDA agent should be sending an "end session" packet to the Collector to indicate the session has ended and will cause the session status to show as completed. If a session shows as disconnected it means that for some reason the Collector did not get that ending packet.
The Collector may end up getting the end session packet at some point and it will change the session status to completed or in-progress. A session in a disconnected status is typically a temporary status, but if the Collector never gets the end session packet or views the agent as being as offline, then the session will eventually show a status of terminated.