How to Read Audit Event Data
The following information can help you understand how to read Centrify audit events.
Event ID/CentrifyEventID
Every Windows and UNIX/Linux audit event includes two numeric IDs that describe the event. The Event ID in the header fields identifies the unique ID of the event within a particular event category, whereas the CentrifyEventID in the common fields identifies the unique ID among all Centrify audit event types.
Windows Example
| Centrify audit event header fields | Category | Privilege Elevation Service - Windows | |
|---|---|---|---|
| Product Version | 1.0 | ||
| Event ID | 3 | ||
| Event Name | Remote login success | 5 | |
| Centrify audit event common fields | user | administrator@member.acme.vms | |
| userSid | S-1-5-21-3789923312-3040275127-1160560412-500 | ||
| DAInst | AuditingInstallation | ||
| DASessID | c72252aa-e616-44ff-a5f6-d3f53f09bb67 | ||
| sessionId | 6 | ||
| Centrify EventID | 6003 |
UNIX/Linux Example
| Centrify audit event header fields | Event Type | AUDIT_TRAIL |
|---|---|---|
| Product | Centrify Suite | |
| Category | Centrify sshd | |
| Product Version | 1.0 | |
| Event ID | 100 | |
| Event Name | SSHD granted | |
| Severity | 5 | |
| Centrify audit event common fields | user | dwirth(type:ad,dwirth@acme.vms) |
| pid | 7456 | |
| utc | 1459784055479 | |
| Centrify EventID | 27100 | |
| DAInst | ||
| c72252aa-e616-44ff-a5f6-d3f53f09bb67 | ||
| status | GRANTED | |
| service | ssh-connection |
Severity
Severity is defined by an integer from 0 - 10, with 10 being the most important level. Centrify events are typically a Severity 5.
Spacing
A field name is one word (no spaces) in the audit event file. When the file is processed into a readable format, spaces are added to field names. For example, if you need to search for Management Database Property, you should search on the following term: managementdatabaseproperty.
Case-Insensitive Field Names
Use case-insensitive field names in all search filters.