11 April,19 at 11:50 AM
In this post, I'll cover some of the key audit events Centrify helps capture, and where to find the logs so they can easily be forwarded to SIEMs and other tools.
In my next post, I'll integrate the audit logs from the Centrify Identity Services Platform into Splunk to demonstrate the end-to-end audit trail of a user.
What are some key Centrify Audit events?
Centrify Login Events: These events are generated when Centrify is used to authenticate access to the Portal, an App or Infrastructure.
Oct 9 16:54:09 engcen6 centrify-syslog-writer[97]: INFO Centrify|Cloud.Core|Cloud.Core.MfaSummary| FactorCount="1" EventType="Cloud.Core.MfaSummary" EventMessage="Authentication using UP, result: Failed" FactorPasswordLocalized="Failed" RequestHostName="216.112.107.101" FromIPAddress="216.112.107.101" ClientIPAddress="216.112.107.101" AzDeploymentId="17c473add8114981bf6e6d94a556c69e" NormalizedUser="dwirth@centrify.vms" WhenOccurred="/Date(1507585835959)/" InternalTrackingID="ca9b1f9a37544b16a03d35ab3ae15ebf" MfaUnlock="False" MfaResultLocalized="Failed" MfaReason="Authentication using authentication profile 'Strong Factors - Authentication'." EntityName="Portal" EndpointOnPremise="False" RequestIsMobileDevice="False" Level="Warning" DirectoryServiceNameLocalized="Active Directory (centrify.vms)" ID="772af0a03a153f1a.W03.6944.fcd2628f875acc14" RequestUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" Tenant="AAA3182" UserGuid="c4a3c58b-e44f-4eb0-91db-d6ed0cc79f62" whenoccurreddate="2017-10-09T21:50:35.959000Z" MfaInitiatorLocalized="Authentication" FactorsLocalized="Password" DirectoryServiceUuid="1281dec1-2c1d-758e-a667-d4f7b2fd9972" RequestDeviceOS="Mac" EntityType="Portal" ForgotPassword="False" AzRoleId="WebRole_IN_3" ThreadType="RestCall" InternalSessionId="241fb34e-cef1-4807-a72b-255293eb593f" DenyByUser="False" WhenLogged="/Date(1507585835959)/" DirectoryServiceName="AdProxy" MfaUpgrade="False" ProfileName="Strong Factors - Authentication" Factors="UP" FailReason="Challenge not answered or answered incorrectly" MfaInitiator="Authentication" AzRoleName="WebRole" ProfileId="2e93f3a5-3c8d-478d-91cf-e9d8e1af46fa" FactorPassword="Failed" MfaResult="Failed" EndpointKnown="True" AuthMethod="None" Session="hg__L378_kCbYzI4EQHggoOwqbZCtqmm8h0zbpDSqmY1"
Apr 20 14:51:18 sol112x64v3 adclient[5640]: [ID 702911 auth.info] INFO AUDIT_TRAIL|Centrify Suite|MFA|1.0|100|MFA challenge succeeded|5|user=laniu1(type:ad,laniu1@SINGLE01.CDC) pid=6160 utc=1461135078139 centrifyEventID=54100 DAInst=AuditingInstallation DASessID=c72252aa-e616-44ff-a5f6-d3f53f09bb67 status=SUCCEED service=sshd tty=ssh client=::1 challenge=EMAIL
Oct 9 16:54:54 engcen6 adclient[1642]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|500|PAM open session granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=28686 utc=1507586094795 centrifyEventID=24500 DASessID=164686bd-7524-5040-99d1-287982aa3a58 DAInst=DefaultInstallation status=GRANTED service=sshd tty=ssh client=192.168.81.11
Centrify Privileged Elevation Events: These events are generated when a user elevates privilege on a Windows or *nix machine.
10/06/2017 04:50:11 PM LogName=Application SourceName=Centrify AuditTrail V2 EventCode=6031 EventType=4 Type=Information ComputerName=member.centrify.vms User=NOT_TRANSLATED Sid=S-1-5-21-3883016548-1611565816-1967702834-1107 SidType=0 TaskCategory=%1 OpCode=Info RecordNumber=53381 Keywords=Classic Message=Product: Centrify Suite Category: DirectAuthorize - Windows Event name: Console login success Message: User successfully logged on locally using role 'ROLE_SYSTEM_Archt/Global'.
Oct 06 16:50:11 member.centrify.vms dzagent[1632]: INFO AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|31|Console login success|5|user=dwirth@centrify.vms userSid=S-1-5-21-3883016548-1611565816-1967702834-1107 sessionId=5 centrifyEventID=6031 DAInst=DefaultInstallation DASessID=c0f76cae-a56f-481d-bd3c-da7e708b02e0 role=ROLE_SYSTEM_Archt/Global desktopguid=86c6bf43-baa1-46d9-a35c-54e6bdf033d8 entityname=centrify.vms\\MEMBER$ mfarequired=False
Oct 3 17:07:42 engcen6 adclient[9586]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|dzdo granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=28570 utc=1507068462898 centrifyEventID=30000 DASessID=5ee96dfb-9ffb-3d49-9ac9-4b78139698e2 DAInst=DefaultInstallation status=GRANTED service=dzdo command=/sbin/service runas=root role=ROLE_SYSTEM_Archt/Global env=(none)
Cloud.Core.Server.Account.PasswordExport: These events are generated every time a password is checked out through Centrify's Infrastructure Service.
Oct 10 11:19:39 engcen6 centrify-syslog-writer[141]: INFO Centrify|Cloud.Server|Cloud.Server.LocalAccount.PasswordExport| AuthMethod="UserPassword" ComputerName="CentOs-Server" AccountName="root" FromIPAddress="216.112.107.101" ThreadType="RestCall" RequestUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" InternalTrackingID="d7cde9b6c9be4df7af9705452750e633" UserGuid="c4a3c58b-e44f-4eb0-91db-d6ed0cc79f62" AuthorityID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" CheckedOut="True" AuthorityFQDN="192.168.81.26" Level="Info" AuthoritySource="192.168.81.26" Tenant="AAA3182" DirectoryServiceNameLocalized="Active Directory (centrify.vms)" RequestHostName="216.112.107.101" RequestDeviceOS="Mac" InternalSessionId="241fb34e-cef1-4807-a72b-255293eb593f" whenoccurreddate="2017-10-10T16:15:48.986000Z" AzRoleName="WebRole" AzDeploymentId="17c473add8114981bf6e6d94a556c69e" WhenOccurred="/Date(1507652148986)/" WhenLogged="/Date(1507652148986)/" WhenDueBack="/Date(1507655748736)/" ID="772af005d470729b.W03.7845.fcd2628f875acc14" AccountID="2ce889e8-b74b-4c1f-8283-1ca677a3d1f0" UserType="User" EventMessage="dwirth@centrify.vms checked out local account "root" password for "CentOs-Server"(192.168.81.26)" EventType="Cloud.Server.LocalAccount.PasswordExport" ComputerFQDN="192.168.81.26" AuthorityType="Local" DirectoryServiceUuid="1281dec1-2c1d-758e-a667-d4f7b2fd9972" NormalizedUser="dwirth@centrify.vms" AuthorityName="CentOs-Server" DirectoryServiceName="AdProxy" AzRoleId="WebRole_IN_3" RequestIsMobileDevice="False" ComputerID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" ClientIPAddress="216.112.107.101"
Cloud.Core.Server.Account.SessionStart: This event is generated when a remote session is started.
Oct 10 11:19:39 engcen6 centrify-syslog-writer[141]: INFO Centrify|Cloud.Server|Cloud.Server.LocalAccount.SessionStart| AuthMethod="None" ComputerName="CentOs-Server" SessionGuid="572c0ba3-5b64-4128-933c-c3cc5bd8576b" FromIPAddress="216.112.107.101" ThreadType="Hub" RequestUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" InternalTrackingID="0531b5759fd44a18b586fb615561eeac" UserGuid="c4a3c58b-e44f-4eb0-91db-d6ed0cc79f62" AuthorityID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" AccountName="root" Level="Info" JumpType="Ssh" AuditState="None" SessionType="PV" Tenant="AAA3182" DirectoryServiceNameLocalized="Active Directory (centrify.vms)" RequestHostName="216.112.107.101" RequestDeviceOS="Mac" whenoccurreddate="2017-10-10T16:16:28.593000Z" AzRoleName="WebRole" AzDeploymentId="17c473add8114981bf6e6d94a556c69e" WhenOccurred="/Date(1507652188593)/" WhenLogged="/Date(1507652188593)/" ID="772af005bcd4e790.W00.8742.fcd2628f875acc14" AccountID="2ce889e8-b74b-4c1f-8283-1ca677a3d1f0" UserType="User" EventMessage="dwirth@centrify.vms logged in to system "CentOs-Server"(192.168.81.26) using local account "root" via Ssh" EventType="Cloud.Server.LocalAccount.SessionStart" ComputerFQDN="192.168.81.26" AuthorityFQDN="192.168.81.26" AuthorityType="Local" DirectoryServiceUuid="1281dec1-2c1d-758e-a667-d4f7b2fd9972" NormalizedUser="dwirth@centrify.vms" AuthorityName="CentOs-Server" DirectoryServiceName="AdProxy" AzRoleId="WebRole_IN_0" RequestIsMobileDevice="False" ComputerID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" AuthoritySource="192.168.81.26" ClientIPAddress="216.112.107.101"
Cloud.Core.Server.Account.SessionTerminate: When an administrator detects something suspicious and terminates the session, this is the event that is generated.
Oct 10 11:19:39 engcen6 centrify-syslog-writer[141]: INFO Centrify|Cloud.Server|Cloud.Server.LocalAccount.SessionTerminate| AuthMethod="UserPassword" ComputerName="CentOs-Server" AccountName="root" FromIPAddress="216.112.107.101" ThreadType="RestCall" RequestUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" InternalTrackingID="33518d47b8b84294896c30a93827ec9f" UserGuid="c4a3c58b-e44f-4eb0-91db-d6ed0cc79f62" AuthorityID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" AuthorityFQDN="192.168.81.26" Level="Info" AuthoritySource="192.168.81.26" Tenant="AAA3182" DirectoryServiceNameLocalized="Active Directory (centrify.vms)" RequestHostName="216.112.107.101" RequestDeviceOS="Mac" InternalSessionId="241fb34e-cef1-4807-a72b-255293eb593f" whenoccurreddate="2017-10-10T16:17:08.793000Z" AzRoleName="WebRole" AzDeploymentId="17c473add8114981bf6e6d94a556c69e" WhenOccurred="/Date(1507652228793)/" WhenLogged="/Date(1507652228793)/" ID="772af005a4dee3d8.W00.874a.fcd2628f875acc14" AccountID="2ce889e8-b74b-4c1f-8283-1ca677a3d1f0" UserType="User" EventMessage="dwirth@centrify.vms terminated a session created by user "dwirth@centrify.vms" on system CentOs-Server(192.168.81.26) using local account "root"" EventType="Cloud.Server.LocalAccount.SessionTerminate" ComputerFQDN="192.168.81.26" SessionUser="dwirth@centrify.vms" AuthorityType="Local" DirectoryServiceUuid="1281dec1-2c1d-758e-a667-d4f7b2fd9972" NormalizedUser="dwirth@centrify.vms" AuthorityName="CentOs-Server" DirectoryServiceName="AdProxy" AzRoleId="WebRole_IN_0" RequestIsMobileDevice="False" ComputerID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" ClientIPAddress="216.112.107.101"
Cloud.Saas.Application.AppLaunch: When a user launches an App, these events are generated.
Jun 30 10:53:24 engcen6 centrify-syslogger[6563]: INFO Centrify|Cloud.Saas|Cloud.Saas.Application.AppLaunch| WhenLogged="/Date(1498755631290)/" WhenOccurred="/Date(1498755631290)/" AzDeploymentId="4c24f29f574e40569980f4ada1122e23" ThreadType="RestCall" UserGuid="c2c7bcc6-9560-44e0-8dff-5be221cd37ee" ClientIPAddress="216.112.107.101" AzRoleName="WebRole" RequestUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" InternalSessionId="9e841bca-d249-4d71-bd32-c8048a8b94cd" whenoccurreddate="2017-06-29T17:00:31.290000Z" TemplateName="Generic Bookmark" AuthMethod="UserPassword" EventMessage="User cloudadmin@s.veerapuneni.01 launched Bookmark from 216.112.107.101" Tenant="AAA3182" DirectoryServiceName="CDS" DirectoryServiceUuid="09B9A9B0-6CE8-465F-AB03-65766D33B05E" RequestHostName="216.112.107.101" RequestDeviceOS="Mac" FromIPAddress="216.112.107.101" InternalTrackingID="8bcb0d77815e4dcfa92d51356a49a97f" ApplicationName="Bookmark" AzRoleId="WebRole_IN_3" Level="Info" DirectoryServiceNameLocalized="Centrify Directory" NormalizedUser="cloudadmin@s.veerapuneni.01" ApplicationID="2d8a40a6-70ca-44e5-b661-cab7708f56d5" EventType="Cloud.Saas.Application.AppLaunch" ID="772b40efa6358d03.W03.0c71.841df0f4c1d5122f" ApplicationType="Web" RequestIsMobileDevice="False"
Centrify Advanced Monitoring Events: These events are generated when Advanced Monitoring is enabled.
Oct 6 11:56:17 engcen6 adclient[1642]: INFO AUDIT_TRAIL|Centrify Suite|DirectAudit Advanced Monitoring|1.0|301|Monitored file modification attempt failed|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=18500 utc=1507308977433 centrifyEventID=57301 DASessID=N/A DAInst=DefaultInstallation status=FAILED syscall=unlink exitcode=-2 timestamp=1507308977.433 auid=dwirth uid=root procid=18500 ppid=18499 gid=root euid=root cwd=/ accType=2 cmd=/sbin/chkconfig argc=1 args=/etc/rc5.d/
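As an added example (not from the original post or from Centrify), the following Python parses the two record shapes shown above, the agent AUDIT_TRAIL lines and the centrify-syslog-writer lines, into flat dictionaries and maps them onto the event classes just discussed, which is the normalisation a SIEM forwarder has to perform. The sample lines are constructed by shortening the records above, and the finding labels are my own naming.

```python
import re
# Constructed sample records, shortened from the two shapes shown above: agent AUDIT_TRAIL
# lines (pipe header + bare key=value tail) and centrify-syslog-writer lines (key="value" tail).
SAMPLE_LINES = [
    'Oct 9 16:54:09 engcen6 centrify-syslog-writer[97]: INFO Centrify|Cloud.Core|Cloud.Core.MfaSummary| EventType="Cloud.Core.MfaSummary" EventMessage="Authentication using UP, result: Failed" FromIPAddress="216.112.107.101" NormalizedUser="dwirth@centrify.vms" MfaResult="Failed" FailReason="Challenge not answered or answered incorrectly"',
    'Oct 9 16:54:54 engcen6 adclient[1642]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|500|PAM open session granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=28686 centrifyEventID=24500 status=GRANTED service=sshd tty=ssh client=192.168.81.11',
    'Oct 3 17:07:42 engcen6 adclient[9586]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|dzdo granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=28570 centrifyEventID=30000 status=GRANTED service=dzdo command=/sbin/service runas=root role=ROLE_SYSTEM_Archt/Global env=(none)',
    'Oct 10 11:19:39 engcen6 centrify-syslog-writer[141]: INFO Centrify|Cloud.Server|Cloud.Server.LocalAccount.PasswordExport| ComputerName="CentOs-Server" AccountName="root" EventMessage="dwirth@centrify.vms checked out local account "root" password for "CentOs-Server"(192.168.81.26)" EventType="Cloud.Server.LocalAccount.PasswordExport" NormalizedUser="dwirth@centrify.vms"',
    'Oct 6 11:56:17 engcen6 adclient[1642]: INFO AUDIT_TRAIL|Centrify Suite|DirectAudit Advanced Monitoring|1.0|301|Monitored file modification attempt failed|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=18500 centrifyEventID=57301 status=FAILED syscall=unlink exitcode=-2 cmd=/sbin/chkconfig args=/etc/rc5.d/',
]

AUDIT_TRAIL_RE = re.compile(r"AUDIT_TRAIL\|(?P<product>[^|]*)\|(?P<category>[^|]*)\|(?P<version>[^|]*)\|"
                            r"(?P<code>[^|]*)\|(?P<name>[^|]*)\|(?P<severity>[^|]*)\|(?P<tail>.*)$")
CLOUD_RE = re.compile(r"INFO Centrify\|(?P<component>[^|]*)\|(?P<event_type>[^|]*)\|\s*(?P<tail>.*)$")
BARE_KV_RE = re.compile(r"(\w+)=(\S+)")
# Quoted values can contain unescaped quotes (see the EventMessage fields above), so a value only
# ends at a quote that is followed by the next key or by end of line.
QUOTED_KV_RE = re.compile(r'(\w+)="(.*?)"(?=\s+\w+="|\s*$)')

def parse_centrify_event(line):
    """Flatten one syslog line into a dict; None if it is not a Centrify audit record."""
    m = AUDIT_TRAIL_RE.search(line)
    if m:
        return {"format": "audit_trail", "category": m["category"], "event_name": m["name"],
                **dict(BARE_KV_RE.findall(m["tail"]))}
    m = CLOUD_RE.search(line)
    if m:
        return {"format": "cloud", "event_type": m["event_type"], **dict(QUOTED_KV_RE.findall(m["tail"]))}
    return None

def actor(ev):
    # Cloud records carry NormalizedUser; AUDIT_TRAIL carries user=name(type:ad,upn)
    return ev.get("NormalizedUser") or re.sub(r"\(.*\)$", "", ev.get("user", "?"))

def triage(lines):
    """Map raw lines onto the event classes called out in the post, as (user, finding) pairs."""
    findings = []
    for ev in filter(None, map(parse_centrify_event, lines)):
        if ev.get("MfaResult") == "Failed":
            findings.append((actor(ev), "mfa_failed:" + ev.get("FailReason", "")))
        elif ev.get("category") == "PAM" and ev.get("status") == "GRANTED":
            findings.append((actor(ev), "login:" + ev.get("service", "")))
        elif ev.get("category") == "dzdo" and ev.get("status") == "GRANTED":
            findings.append((actor(ev), "privilege_elevation:" + ev.get("command", "")))
        elif ev.get("event_type", "").endswith("PasswordExport"):
            findings.append((actor(ev), "password_checkout:%s@%s" % (ev.get("AccountName"), ev.get("ComputerName"))))
        elif ev.get("status") == "FAILED":
            findings.append((actor(ev), "monitoring_failed:" + ev.get("syscall", "")))
    return findings
```

Calling `triage(SAMPLE_LINES)` yields one (user, finding) pair per sample line, with the embedded quotes in the PasswordExport EventMessage preserved intact.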
Where to find these audit logs?
The audit events are available locally in syslog or in the Windows Application log. For the Identity Services platform, we have an EA of a syslog writer that retrieves the event logs from the cloud and forwards them to an existing syslog server.