Answers to questions about DirectAudit session states seen in Audit Analyzer
Applies to: Centrify DirectAudit for Windows 2.0.2 and newer
1. When do the logs become "Terminated"? Will "Terminated" logs go back to "In Progress" when work starts again in the same session?
2. Why do "Completed" and "Disconnect" sessions in some cases go back to "In Progress" after some time?
1. If the DirectAudit agent is stopped during an active TTY session and the user then ends the session, the audit session appears in the "Terminated" state in Audit Analyzer. If the DirectAudit agent is then restarted and a new active TTY session is started, the new audit session is "In Progress" and the previous audit session remains in the "Terminated" state.
2. "Disconnect" sessions go back to "In Progress" when the DirectAudit agent is stopped and then started during a continuous TTY session. "Completed" sessions should not go back to "In Progress", because the session is explicitly ended by the TTY device, which should create a new session when a new session is started.
Audit session states are described in the Centrify DirectAudit Administrator Guide of 2012 (http://www.centrify.com/downloads/products/documentation/suite2012/ga/centrify-da-admin-guide.pdf). DirectAudit lists one of the following in the State column:
In Progress: The session is active and has not explicitly ended; that is, the UNIX shell has not exited or the Windows user has not logged off.
Completed: The session is no longer active.
Disconnected: The session disconnected from the DirectAudit agent but did not send an explicit exit signal to DirectAudit; for example, a shell exited or the Windows user logged off while the DirectAudit agent was not running.
Terminated: A new shell or logon session has started on the same TTY device as a disconnected session.