Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4993: Questions about Direct Audit regarding States seen in Audit Analyzer

Auditing and Monitoring Service ,  

12 April,16 at 11:47 AM

Applies to: Centrify DirectAudit for Windows 2.0.2 and newer

Question:

1. When would the logs get "Terminated"? Will the "Terminated" logs go back to "In Progress" when work starts over same session?

2. Why in some cases will "Completed" and "Disconnect" go back to "In Progress" after some time?

Answer:

1. If the DirectAudit agent stopped in an active TTY session, then the user stopped the session, the audit session will be in the "Terminated" state in the Audit Analyzer.
If the DirectAudit agent is then restarted and a new active TTY session is then started, the new audit session will be in the state of "In Progress" with the previous audit session in "Terminated" state remaining. 

2. "Disconnect" sessions will go back to "In Progress" when then the DirectAudit agent stopped and then started during a continuous TTY session.
"Completed" sessions should not go back to "In Progress" since the session is explicitly ended by the TTY device, which should create a new session when a new session is started. 

Audit sessions states are described in the Centrify DirectAudit Administrator Guide of 2012 (http://www.centrify.com/downloads/products/documentation/suite2012/ga/centrify-da-admin-guide.pdf).
DirectAudit lists one of the following in the State column: 
 
In ProgressThe session is active and has not explicitly ended; that is, the UNIX shell has not exited or the Windows user has not logged off. 
CompletedThe session is no longer active. 
DisconnectedThe session disconnected from the DirectAudit agent but did not send an explicit exit signal to DirectAudit; for example, a shell exited or the Windows user logged off while the DirectAudit agent was not running. 
TerminatedA new shell or logon session has started on the same TTY device as a disconnected session.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-3394: Is it possible to purge audit sessions older than 'x' number of days articleKB-2727: How to migrate SQL databases associated with a Centrify_DirectManage Audit 3.x installation from one database server to another articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-7736:Is there a report within Centrify Audit Analyzer to show which users have had a successful or failed login attempt to the servers? articleKB-1921: Direct audit db size is growing even after disabling auditing at zone level