Windows and UNIX/Linux Audit Events

Review the following examples to understand the Windows and UNIX/Linux audit event logs, and then review how to read audit event data to understand the similarities and differences.

Windows Audit Event Log Line Example

The following is an example of a Centrify audit event recorded in the Windows Application event log. The standard Windows event log fields (LogName, SourceName, EventCode, and so on) describe the event as Windows records it. Centrify augments these standard fields with additional data, the AUDIT_TRAIL line shown after the Windows fields, to help you track logon and privilege activity; the table that follows describes that line field by field.

04/05/2016 02:15:37 PM LogName=Application
SourceName=Centrify AuditTrail V2 EventCode=6003
EventType=4 Type=Information
ComputerName=member.acme.vms User=NOT_TRANSLATED
Sid=S-1-5-21-3789923312-3040275127-1160560412-500
SidType=0 TaskCategory=%1 OpCode=Info RecordNumber=51645
Keywords=Classic
Message=Product: Centrify Suite
Category: DirectAuthorize - Windows
Event name: Remote login success
Message: User successfully logged on remotely using role 'ROLE_Windows_Local_Accounts/Global'.
Apr 05 14:15:37 member.acme.vms dzagent[1496]: INFO AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|3|Remote login success|5|
  user=administrator@member.acme.vms userSid=S-1-5-21-3789923312-3040275127-1160560412-500
  sessionId=6 CentrifyEventID=6003 DAInst=AuditingInstallation
  DASessID=c72252aa-e616-44ff-a5f6-d3f53f09bb67 role=ROLE_Windows_Local_Accounts/Global
  desktopguid=a16f50d8-179b-4d47-93ed-14c10ca76d63

Windows Audit Event Log Line Information

The following table lists each field type and field name in the previous example, together with the value it takes there.

Field Type
  Field Name        Sample Field Value
-------------------------------------------------------------------------
Syslog header fields
  Timestamp         Apr 05, 2016 02:15:37 PM
  Host Name         member.acme.vms
  Process Name      dzagent
  Process ID        1496
  Log Level         INFO
Centrify audit event header fields
  Event Type        AUDIT_TRAIL
  Product           Centrify Suite
  Category          DirectAuthorize - Windows
  Product Version   1.0
  Event ID          3
  Event Name        Remote login success
  Severity          5
Centrify audit event common fields for Windows
  user              administrator@member.acme.vms
  userSid           S-1-5-21-3789923312-3040275127-1160560412-500
  DAInst            AuditingInstallation
  DASessID          c72252aa-e616-44ff-a5f6-d3f53f09bb67
  sessionId         6
  CentrifyEventID   6003
Centrify audit event-specific fields
  role              ROLE_Windows_Local_Accounts/Global
  desktopguid       a16f50d8-179b-4d47-93ed-14c10ca76d63

UNIX/Linux Audit Event Log Line Example

The following is an example of a UNIX/Linux audit event as written to syslog. The Centrify audit event information starts at AUDIT_TRAIL; the syslog header that precedes it (timestamp, host name, process name and ID, log level) is supplied by the host.

Apr 4 21:04:15 engcen6 adclient[1749]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|100|SSHD granted|5|
  user=dwirth(type:ad,dwirth@acme.vms) pid=7456 utc=1459784055479
  CentrifyEventID=27100 DAInst=AuditingInstallation
  DASessID=c72252aa-e616-44ff-a5f6-d3f53f09bb67 status=GRANTED service=ssh-connection
  tty=/dev/pts/0 authMechanism=keyboard-interactive client=192.168.81.11
  sshRights=shell command=(none)

UNIX/Linux Audit Event Log Information

The following table lists each field type and field name in the previous example, together with the value it takes there.

Field Type
  Field Name        Sample Field Value
-------------------------------------------------------------------------
Syslog header fields
  Timestamp         Apr 4 21:04:15
  Host Name         engcen6
  Process Name      adclient
  Process ID        1749
  Log Level         INFO
Centrify audit event header fields
  Event Type        AUDIT_TRAIL
  Product           Centrify Suite
  Category          Centrify sshd
  Product Version   1.0
  Event ID          100
  Event Name        SSHD granted
  Severity          5
Centrify audit event common fields
  user              dwirth(type:ad,dwirth@acme.vms)
  pid               7456
  utc               1459784055479
  CentrifyEventID   27100
  DAInst            AuditingInstallation
  DASessID          c72252aa-e616-44ff-a5f6-d3f53f09bb67
  service           ssh-connection
Centrify audit event-specific fields
  tty               /dev/pts/0
  authMechanism     keyboard-interactive
  client            192.168.81.11
  sshRights         shell
  command           (none)
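The Windows and UNIX/Linux examples above share one layout: a syslog header, then the pipe-delimited AUDIT_TRAIL header (event type, product, category, version, event ID, event name, severity), then space-separated key=value pairs whose set depends on the platform and the event. The parser below is an added example, not Centrify code and not part of the original page; the function names, the AuditEvent dataclass, the regular expressions and the normalized column names are this example's own choices, and the two sample lines are the page's examples re-joined onto single lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Syslog header followed by the pipe-delimited AUDIT_TRAIL header. The layout is taken
# from the two examples on this page; the pattern is this example's assumption, not a spec.
_HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<process>[^\[\s]+)\[(?P<pid>\d+)\]:\s+(?P<level>\S+)\s+"
    r"AUDIT_TRAIL\|(?P<product>[^|]*)\|(?P<category>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<event_id>\d+)\|(?P<event_name>[^|]*)\|(?P<severity>\d+)\|(?P<body>.*)$"
)
# key=value pairs. A value extends to the next " key=" token, so a value that itself
# contains spaces (for example a command line) is kept whole instead of being split.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# UNIX/Linux user form "name(type:ad,principal)"; Windows lines carry a plain UPN.
_USER_RE = re.compile(r"^(?P<name>[^(]+)\(type:(?P<type>[^,)]+),(?P<principal>[^)]*)\)$")


@dataclass
class AuditEvent:
    """One parsed AUDIT_TRAIL line (class and attribute names are this example's)."""
    timestamp: str
    host: str
    process: str
    pid: int
    level: str
    product: str
    category: str
    version: str
    event_id: int
    event_name: str
    severity: int
    fields: Dict[str, str] = field(default_factory=dict)  # platform/event-specific pairs


def parse_audit_trail(line: str) -> Optional[AuditEvent]:
    """Parse one syslog line; return None if it is not a Centrify AUDIT_TRAIL event."""
    m = _HEADER_RE.match(line.strip())
    if m is None:
        return None
    pairs = {k: v.strip() for k, v in _KV_RE.findall(m.group("body"))}
    return AuditEvent(
        timestamp=m.group("timestamp"), host=m.group("host"), process=m.group("process"),
        pid=int(m.group("pid")), level=m.group("level"), product=m.group("product"),
        category=m.group("category"), version=m.group("version"),
        event_id=int(m.group("event_id")), event_name=m.group("event_name"),
        severity=int(m.group("severity")), fields=pairs,
    )


def parse_user(value: str) -> Dict[str, Optional[str]]:
    """Split "dwirth(type:ad,dwirth@acme.vms)" into its parts; a plain UPN passes through."""
    m = _USER_RE.match(value)
    if m is None:
        return {"name": value, "type": None, "principal": value}
    return {"name": m.group("name"), "type": m.group("type"), "principal": m.group("principal")}


def normalize(event: AuditEvent) -> Dict[str, object]:
    """Flatten an event into one record; the column names here are this example's choice."""
    user = parse_user(event.fields.get("user", ""))
    return {
        "time": event.timestamp, "host": event.host, "product": event.product,
        "category": event.category, "event_id": event.event_id,
        "event_name": event.event_name, "severity": event.severity,
        "centrify_event_id": event.fields.get("CentrifyEventID"),
        "user": user["name"], "user_type": user["type"], "principal": user["principal"],
        "da_session": event.fields.get("DASessID"),
        # Windows logons carry role/desktopguid; SSH events carry status/client/tty.
        "role": event.fields.get("role"), "status": event.fields.get("status"),
        "src_ip": event.fields.get("client"), "tty": event.fields.get("tty"),
    }


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of syslog lines, skipping lines that are not AUDIT_TRAIL events."""
    records = []
    for line in lines:
        event = parse_audit_trail(line)
        if event is not None:
            records.append(normalize(event))
    return records


# The page's two examples re-joined onto single lines (the page wraps them for display).
SAMPLE_LINES = [
    "Apr 05 14:15:37 member.acme.vms dzagent[1496]: INFO AUDIT_TRAIL|Centrify Suite|"
    "DirectAuthorize - Windows|1.0|3|Remote login success|5|user=administrator@member.acme.vms "
    "userSid=S-1-5-21-3789923312-3040275127-1160560412-500 sessionId=6 CentrifyEventID=6003 "
    "DAInst=AuditingInstallation DASessID=c72252aa-e616-44ff-a5f6-d3f53f09bb67 "
    "role=ROLE_Windows_Local_Accounts/Global desktopguid=a16f50d8-179b-4d47-93ed-14c10ca76d63",
    "Apr 4 21:04:15 engcen6 adclient[1749]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|100|"
    "SSHD granted|5|user=dwirth(type:ad,dwirth@acme.vms) pid=7456 utc=1459784055479 "
    "CentrifyEventID=27100 DAInst=AuditingInstallation DASessID=c72252aa-e616-44ff-a5f6-d3f53f09bb67 "
    "status=GRANTED service=ssh-connection tty=/dev/pts/0 authMechanism=keyboard-interactive "
    "client=192.168.81.11 sshRights=shell command=(none)",
]

if __name__ == "__main__":
    for record in parse_lines(SAMPLE_LINES):
        print(record)
```

The common header is parsed into fixed attributes because every AUDIT_TRAIL line carries it, while the key=value pairs stay in a dictionary so the same parser accepts the Windows set (userSid, sessionId, role, desktopguid) and the UNIX/Linux set (status, tty, client, sshRights, command) without per-event schemas. A line with no AUDIT_TRAIL marker returns None, so ordinary syslog traffic from the same host can be fed through unchanged.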