Question:
A customer could not see their Access Manager audit trail events in the local Windows event logs. When a change was made within Access Manager (for example a zone created or deleted, a user added or deleted, or user permissions modified), those actions were not being logged in the local Windows event logs and, as a result, could not be forwarded to their ArcSight SIEM.
Why is this, and how should it be configured so that this information is forwarded to the ArcSight SIEM?
Answer:
There are two ways to configure this.

Option one: use the Group Policy extension
Within Group Policy Management, Computer Configuration > Administrative Templates > Centrify Audit Trail Settings > Set global audit trail targets should be "Enabled", with an Audit Trail Targets value of either "2" or "3". Possible settings are:
0 - Audit information is not sent.
1 - Audit information is sent to DirectAudit. This capability is supported by DirectAudit version 3.2 and later.
2 - Audit information is sent to the local logging facility (syslog on UNIX systems, Windows event log on Windows systems).
3 - Audit information is sent to both DirectAudit and the local logging facility.
Option two: set the registry on the Centrify Access Manager server
With the Windows registry editor on the machine where the Access Manager console is running, HKEY_LOCAL_MACHINE > SOFTWARE > Centrify > AuditTrail > AuditTrailTargets should have the "Data" field set to either "2" or "3".

If there are additional sub-keys under the "AuditTrail" key (as shown in the screenshot below), make sure that the audit trail target has been set correctly for the specific category, because a sub-key value overrides the value set under the main "AuditTrail" key. For Access Manager specific events, the audit trail target needs to be set under the "Centrify Suite.Centrify Configuration" sub-key. You can also avoid this by deleting all the sub-keys and specifying the global audit trail target for all categories under the main "AuditTrail" key.
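The following PowerShell is an added example, not Centrify's own tooling, for checking the registry configuration from Option two across the global key and every category sub-key, so an overriding sub-key such as "Centrify Suite.Centrify Configuration" is not missed. It assumes AuditTrailTargets is a REG_DWORD value, that a sub-key without the value inherits the global setting, and that the script is run elevated.

```powershell
# Added example (not from the KB article): report and optionally correct the
# Centrify AuditTrail targets so Access Manager events reach the Windows event log.
# Assumptions: AuditTrailTargets is a REG_DWORD; a sub-key with no value inherits
# the global value; the session is elevated.
$AuditTrailKey = 'HKLM:\SOFTWARE\Centrify\AuditTrail'
$TargetNames   = @{ 0 = 'not sent'; 1 = 'DirectAudit only'
                    2 = 'local event log only'; 3 = 'DirectAudit and local event log' }

function Get-CentrifyAuditTrailTargets {
    # Returns one row per category: the global key plus each overriding sub-key.
    if (-not (Test-Path $AuditTrailKey)) { throw "Registry key not found: $AuditTrailKey" }
    $global = (Get-ItemProperty -Path $AuditTrailKey -Name AuditTrailTargets `
               -ErrorAction SilentlyContinue).AuditTrailTargets
    $rows = @([PSCustomObject]@{ Category = '(global)'; Target = $global; Overrides = $false })
    foreach ($sub in Get-ChildItem -Path $AuditTrailKey) {
        $value = (Get-ItemProperty -Path $sub.PSPath -Name AuditTrailTargets `
                  -ErrorAction SilentlyContinue).AuditTrailTargets
        # A sub-key value replaces the global value for that category only.
        $rows += [PSCustomObject]@{
            Category  = $sub.PSChildName
            Target    = if ($null -ne $value) { $value } else { $global }
            Overrides = ($null -ne $value)
        }
    }
    # Flag any category whose effective target never reaches the local event log (0 or 1).
    $rows | ForEach-Object {
        $_ | Add-Member -NotePropertyName Meaning -NotePropertyValue $TargetNames[[int]$_.Target] -PassThru |
             Add-Member -NotePropertyName LocalLog -NotePropertyValue ($_.Target -in 2, 3) -PassThru
    }
}

function Set-CentrifyAuditTrailTargets {
    # Sets the global target and, when requested, every sub-key so no override remains.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(2, 3)][int]$Target = 3, [switch]$IncludeSubKeys)
    $keys = @($AuditTrailKey)
    if ($IncludeSubKeys) { $keys += (Get-ChildItem -Path $AuditTrailKey).PSPath }
    foreach ($key in $keys) {
        if ($PSCmdlet.ShouldProcess($key, "Set AuditTrailTargets = $Target")) {
            Set-ItemProperty -Path $key -Name AuditTrailTargets -Value $Target -Type DWord
        }
    }
}

# Review first; the Overrides column shows which sub-keys take precedence.
Get-CentrifyAuditTrailTargets | Format-Table Category, Target, Meaning, LocalLog, Overrides
# Then, for example: Set-CentrifyAuditTrailTargets -Target 3 -IncludeSubKeys -WhatIf
```

Run the report again after the change (and after a test action such as creating a zone) to confirm every category shows LocalLog = True before expecting events in ArcSight.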