Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-4993: Questions about Direct Audit regarding States seen in Audit Analyzer

Auditing and Monitoring Service ,  

12 April,16 at 11:47 AM

Applies to: Centrify DirectAudit for Windows 2.0.2 and newer


1. When would the logs get "Terminated"? Will the "Terminated" logs go back to "In Progress" when work starts over same session?

2. Why in some cases will "Completed" and "Disconnect" go back to "In Progress" after some time?


1. If the DirectAudit agent stopped in an active TTY session, then the user stopped the session, the audit session will be in the "Terminated" state in the Audit Analyzer.
If the DirectAudit agent is then restarted and a new active TTY session is then started, the new audit session will be in the state of "In Progress" with the previous audit session in "Terminated" state remaining. 

2. "Disconnect" sessions will go back to "In Progress" when then the DirectAudit agent stopped and then started during a continuous TTY session.
"Completed" sessions should not go back to "In Progress" since the session is explicitly ended by the TTY device, which should create a new session when a new session is started. 

Audit sessions states are described in the Centrify DirectAudit Administrator Guide of 2012 (
DirectAudit lists one of the following in the State column: 

In ProgressThe session is active and has not explicitly ended; that is, the UNIX shell has not exited or the Windows user has not logged off. 
CompletedThe session is no longer active. 
DisconnectedThe session disconnected from the DirectAudit agent but did not send an explicit exit signal to DirectAudit; for example, a shell exited or the Windows user logged off while the DirectAudit agent was not running. 
TerminatedA new shell or logon session has started on the same TTY device as a disconnected session.