Centrify Privilege Elevation Service – Windows
Centrify Privilege Elevation Service for Windows provides role-based access control for Windows desktops and applications and for remote Windows servers. Its audit events cover successful and failed local console and remote login attempts, administrative activity performed with desktop or application privileges, network access to remote servers, changes to zone information for Windows computers, and changes to role information for Windows users.
Centrify Privilege Elevation Service Windows Audit Event Log Sample
The following is a sample of an audit event log for Centrify Audit Event ID 6029. This log sample documents a user with local and network role privileges launching a .msc file.
```
Log Name:      Application
Source:        Centrify AuditTrail V2
Date:          9/19/2019 2:05:17 PM
Event ID:      6029
Task Category: None
Level:         Information
Keywords:      Classic
User:          bob@acme.vms
Computer:      member.acme.vms
Description:
Product: Centrify Suite
Category: DirectAuthorize - Windows
Event name: Run with privilege success
Message: User launched 'C:\Program Files\Centrify\Access Manager\CentrifyDC.msc' on desktop 'Default' using local role 'ROLE_SYSTEM_Archt/Global' and network roles 'ROLE_SYSTEM_Archt/Global'.
```

The same event as written by the dzagent audit trail in its single-line syslog format:

```
Sep 19 14:05:17 member.acme.vms dzagent[1348]: INFO AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|29|Run with privilege success|5|bob@acme.vms userSid=S-1-5-21-569763308-1211465464-1224152175-3219 sessionId=3 CentrifyEventID=6029 DAInst=AuditingInstallation DASessID=c72252aa-e616-44ff-a5f6-d3f53f09bb67 role=ROLE_SYSTEM_Archt/Global effectivesid=S-1-5-21-569763308-1211465464-1224152175-3219 effectivegroupsids=S-1-5-32-544 logonguid=ad7b6538-e2a4-4304-ab6e-86c5b0dabfaf desktopguid=1e09a3dd-276f-4629-bb27-e215dfe0a0c8 command=C:\Program Files\Centrify\Access Manager\CentrifyDC.msc passwordprompted=False desktopname=Default networkroles=ROLE_SYSTEM_Archt/Global entityname=acme.vms mfarequired=False
```
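The AUDIT_TRAIL line above is pipe-delimited up to the user, then a run of key=value pairs whose values (the command path, for one) may contain spaces. The following is an added example, not Centrify's code: a parser for that line shape plus a triage check that flags a successful privileged run (event 6029 or 6051) which granted BUILTIN\Administrators membership with neither a password re-prompt nor MFA. The sample line is constructed from the page's event 6029 sample; the meaning of the two numeric pipe fields and the separator used between multiple group SIDs are assumptions.

```python
import re

# Constructed sample line, modelled on the event 6029 syslog sample above.
SAMPLE = (
    "Sep 19 14:05:17 member.acme.vms dzagent[1348]: INFO AUDIT_TRAIL|Centrify Suite|"
    "DirectAuthorize - Windows|1.0|29|Run with privilege success|5|bob@acme.vms "
    "userSid=S-1-5-21-569763308-1211465464-1224152175-3219 sessionId=3 "
    "CentrifyEventID=6029 role=ROLE_SYSTEM_Archt/Global "
    "effectivesid=S-1-5-21-569763308-1211465464-1224152175-3219 "
    "effectivegroupsids=S-1-5-32-544 "
    "command=C:\\Program Files\\Centrify\\Access Manager\\CentrifyDC.msc "
    "passwordprompted=False desktopname=Default networkroles=ROLE_SYSTEM_Archt/Global "
    "entityname=acme.vms mfarequired=False"
)

# key=value pairs: a value may contain spaces (command paths), so it runs until
# the next "word=" token or the end of the line.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators


def parse_audit_trail(line: str):
    """Parse one AUDIT_TRAIL line into a dict; None if the marker is absent."""
    marker = "AUDIT_TRAIL|"
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = line[idx + len(marker):].split("|")
    if len(fields) < 7:
        return None
    # Positional layout as in the sample; names for the numeric fields are assumed.
    event = dict(zip(["product", "category", "format_version", "event_number",
                      "event_name", "severity"], fields[:6]))
    user, _, kv_text = "|".join(fields[6:]).partition(" ")
    event["user"] = user
    event.update(_KV_RE.findall(kv_text))
    return event


def silent_admin_elevation(event: dict) -> bool:
    """Flag a successful privileged run (6029/6051) that granted Administrators
    membership with neither a password re-prompt nor MFA."""
    if event.get("CentrifyEventID") not in {"6029", "6051"}:
        return False
    # Separator between multiple group SIDs is assumed to be ',' or ';'.
    groups = re.split(r"[,;]", event.get("effectivegroupsids", ""))
    return (ADMINISTRATORS_SID in groups
            and event.get("passwordprompted", "").lower() == "false"
            and event.get("mfarequired", "").lower() == "false")
```

Run over the sample, `silent_admin_elevation` returns True; with `mfarequired=True` in the line it returns False.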
Centrify Privilege Elevation Service - Windows Audit Events
| Event ID | Description | Parameters |
|---|---|---|
| 6001 (deprecated) | Console login success. Deprecated; use Centrify Event ID 6031 (introduced in release 2017.2) instead. | Role: role; DesktopGuid: desktop GUID |
| 6002 (deprecated) | Console login failure. Deprecated; use Centrify Event ID 6032 (introduced in release 2017.2) instead. | |
| 6003 (deprecated) | Remote login success. Deprecated; use Centrify Event ID 6033 (introduced in release 2017.2) instead. | Role: role; DesktopGuid: desktop GUID |
| 6004 (deprecated) | Remote login failure. Deprecated; use Centrify Event ID 6034 (introduced in release 2017.2) instead. | |
| 6005 (deprecated) | Run with privilege success. Deprecated; use Centrify Event ID 6029 (introduced in release 2017.2) instead. | Role: local role; EffectiveSid: effective user SID; EffectiveGroupSids: effective group SIDs; LogonGuid: logon GUID; DesktopGuid: desktop GUID; Command: command |
| 6006 (deprecated) | Run with privilege failure. Deprecated; use Centrify Event ID 6030 (introduced in release 2017.2) instead. | Role: local role; DesktopGuid: desktop GUID; Command: command |
| 6007 (deprecated) | Create desktop success. Deprecated; use Centrify Event ID 6035 (introduced in release 2017.2) instead. | Role: local role; EffectiveSid: effective user SID; EffectiveGroupSids: effective group SIDs; LogonGuid: logon GUID; DesktopGuid: desktop GUID |
| 6008 (deprecated) | Create desktop failure. Deprecated; use Centrify Event ID 6036 (introduced in release 2017.2) instead. | Role: local role |
| 6009 (deprecated) | Network access success. Deprecated; use Centrify Event ID 6039 (introduced in release 2017.2) instead. | Role: role; EffectiveSid: effective user SID; EffectiveGroupSids: effective group SIDs; LogonGuid: logon GUID |
| 6010 (deprecated) | Console logon failure. Deprecated; use Centrify Event ID 6032 (introduced in release 2017.3) instead. | Reason: reason |
| 6011 (deprecated) | Remote login failure. Deprecated; use Centrify Event ID 6034 (introduced in release 2017.2) instead. | Reason: reason |
| 6012 (deprecated) | Run with privilege success. Deprecated; use Centrify Event ID 6029 (introduced in release 2017.2) instead. | Role: local role; EffectiveSid: effective user SID; EffectiveGroupSids: effective group SIDs; LogonGuid: logon GUID; DesktopGuid: desktop GUID; Command: command; PasswordPrompted: whether the user was required to re-enter their password; DesktopName: desktop name; NetworkRoles: network roles |
| 6013 (deprecated) | Run with privilege failure. Deprecated; use Centrify Event ID 6030 (introduced in release 2017.2) instead. | Role: local role; DesktopGuid: desktop GUID; Command: command; Reason: reason; DesktopName: desktop name; NetworkRoles: network roles |
| 6014 (deprecated) | Create desktop success. Deprecated; use Centrify Event ID 6035 (introduced in release 2017.2) instead. | Role: local role; EffectiveSid: effective user SID; EffectiveGroupSids: effective group SIDs; LogonGuid: logon GUID; DesktopGuid: desktop GUID; PasswordPrompted: whether the user was required to re-enter their password; DesktopName: desktop name; NetworkRoles: network roles |
| 6018 (deprecated) | Run with privilege failure. Deprecated; use Centrify Event ID 6030 (introduced in release 2017.2) instead. | Role: local role; DesktopGuid: desktop GUID; Command: command; Reason: reason; DesktopName: desktop name; NetworkRoles: network roles; PasswordPrompted: whether the user was required to re-enter their password |
| 6023 | Leave from zone success | zone: zone name; ZoneDomainName: zone domain name; ComputerName: computer name; ComputerDomainName: computer domain name; LogonUser: logon user; LogonUserSid: logon user SID; AlternateUser: whether an alternate user is used to perform the operation |
| 6027 | Add role assignment success | zone: zone name; ZoneDomainName: zone domain name; RoleName: role name; Assignee: assignee; LogonUser: logon user; LogonUserSid: logon user SID; AlternateUser: whether an alternate user is used to perform the operation |
| 6028 | Add role assignment failure | zone: zone name; ZoneDomainName: zone domain name; RoleName: role name; Assignee: assignee; Reason: reason; LogonUser: logon user; LogonUserSid: logon user SID; AlternateUser: whether an alternate user is used to perform the operation |
| 6029 | Run with privilege success | Role: local role; EffectiveSid: effective user SID; EffectiveGroupSids: effective group SIDs; LogonGuid: logon GUID; DesktopGuid: desktop GUID; Command: command; PasswordPrompted: whether the user was required to re-enter their password; DesktopName: desktop name; NetworkRoles: network roles; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6030 | Run with privilege failure | Role: local role; DesktopGuid: desktop GUID; Command: command; Reason: reason; DesktopName: desktop name; NetworkRoles: network roles; PasswordPrompted: whether the user was required to re-enter their password; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6031 | Console login success | Role: role; DesktopGuid: desktop GUID; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6032 | Console logon failure | Reason: reason; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6033 | Remote login success | Role: role; DesktopGuid: desktop GUID; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6034 | Remote login failure | Reason: reason; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6035 | Create desktop success | Role: local role; EffectiveSid: effective user SID; EffectiveGroupSids: effective group SIDs; LogonGuid: logon GUID; DesktopGuid: desktop GUID; PasswordPrompted: whether the user was required to re-enter their password; DesktopName: desktop name; NetworkRoles: network roles; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6036 | Create desktop failure | Role: local role; Reason: reason; NetworkRoles: network roles; PasswordPrompted: whether the user was required to re-enter their password; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6037 | Switch desktop success | DesktopName: desktop name; DesktopGuid: desktop GUID; PasswordPrompted: whether the user was required to re-enter their password; Role: local role; NetworkRoles: network roles; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6038 | Switch desktop failure | DesktopName: desktop name; Reason: reason; PasswordPrompted: whether the user was required to re-enter their password; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6039 | Network access success | Role: role; EffectiveSid: effective user SID; EffectiveGroupSids: effective group SIDs; LogonGuid: logon GUID; EntityName: entity name; MFARequired: whether the user was required to do MFA |
| 6040 | Self-service password reset success (added in release 2017.3) | Username: username |
| 6041 | Self-service password reset failure (added in release 2017.3) | Username: username; Reason: failure reason |
| 6042 | Self-service account unlock success (added in release 2017.3) | Username: username |
| 6043 | Self-service account unlock failure (added in release 2017.3) | Username: username; Reason: failure reason |
| 6044 | Enable Centrify Identity Services Platform succeeded (added in release 2017.3) | PlatformInstance: platform instance |
| 6045 | Disable Centrify Identity Services Platform succeeded (added in release 2017.3) | PlatformInstance: platform instance |
| 6046 | Enable Centrify Identity Services Platform failed (added in release 2017.3) | PlatformInstance: platform instance; Reason: reason for failure |
| 6047 | Disable Centrify Identity Services Platform failed (added in release 2017.3) | PlatformInstance: platform instance; Reason: reason for failure |
| 6048 | PowerShell remote connection success (added in release 18.8) | User: user; Role: role |
| 6049 | PowerShell remote connection failure (added in release 18.8) | User: user; Reason: reason |
| 6050 | Trouble ticket entered (added in release 18.11) | ticket: ticket; reason: reason for privilege elevation; comment: additional comment |
| 6051 | Run with privilege as an alternate user success (added in release 18.11) | Role: local role; EffectiveSid: effective user SID; EffectiveGroupSids: effective group SIDs; LogonGuid: logon GUID; DesktopGuid: desktop GUID; Command: command; PasswordPrompted: whether the user was required to re-enter their password; DesktopName: desktop name; NetworkRoles: network roles; EntityName: entity name; MfaRequired: whether the user was required to do MFA; AlternateUsername: the alternate username; AlternateUserSid: the alternate user's SID |
| 6052 | Run with privilege as an alternate user failure (added in release 18.11) | Role: local role; DesktopGuid: desktop GUID; Command: command; Reason: reason; DesktopName: desktop name; NetworkRoles: network roles; PasswordPrompted: whether the user was required to re-enter their password; EntityName: entity name; MfaRequired: whether the user was required to do MFA; AlternateUsername: the alternate username; AlternateUserSid: the alternate user's SID |
| 6053 | Windows authentication is skipped (added in release 18.11) | service: service; reason: reason message for the skip |
| 6054 | Run with alternate account success (added in release 2020) | Command: command; AlternateUsername: alternate username; tenant: tenant URL; PasswordPrompted: whether the user was required to re-enter their password |
| 6055 | Run with alternate account failure (added in release 2020) | Command: command; AlternateUsername: alternate username; tenant: tenant URL; Reason: reason; PasswordPrompted: whether the user was required to re-enter their password |
| 6300 | Add roles and features success (added in release 2018) | PID: process ID; user: username@domain; status: succeeded; feature: feature name; computer: computer name |
| 6301 | Add roles and features failure (added in release 2018) | PID: process ID; user: username@domain; status: failed; feature: feature name; computer: computer name; reason: reason for failure |
| 6302 | Remove roles and features success (added in release 2018) | PID: process ID; user: username@domain; status: succeeded; feature: feature name; computer: computer name |
| 6303 | Remove roles and features failure (added in release 2018) | PID: process ID; user: username@domain; status: failed; feature: feature name; computer: computer name; reason: reason for failure |
| 6350 | Uninstall program success (added in release 2018) | PID: process ID; user: username@domain; status: succeeded; program: program name; computer: computer name |
| 6351 | Uninstall program failure (added in release 2018) | PID: process ID; user: username@domain; status: failed; program: program name; computer: computer name; reason: reason for failure |
| 6352 | Change program success (added in release 2018) | PID: process ID; user: username@domain; status: succeeded; program: program name; computer: computer name |
| 6353 | Change program failure (added in release 2018) | PID: process ID; user: username@domain; status: failed; program: program name; computer: computer name; reason: reason for failure |
| 6354 | Repair program success (added in release 2018) | PID: process ID; user: username@domain; status: succeeded; program: program name; computer: computer name |
| 6355 | Repair program failure (added in release 2018) | PID: process ID; user: username@domain; status: failed; program: program name; computer: computer name; reason: reason for failure |
| 6400 | Enable network adapter success (added in release 2018) | PID: process ID; user: username@domain; status: succeeded; adapter: adapter name; computer: computer name |
| 6401 | Enable network adapter failure (added in release 2018) | PID: process ID; user: username@domain; status: failed; adapter: adapter name; computer: computer name; reason: reason for failure |
| 6402 | Disable network adapter success (added in release 2018) | PID: process ID; user: username@domain; status: succeeded; adapter: adapter name; computer: computer name |
| 6403 | Disable network adapter failure (added in release 2018) | PID: process ID; user: username@domain; status: failed; adapter: adapter name; computer: computer name; reason: reason for failure |
| 6404 | Rename network adapter success (added in release 2018) | PID: process ID; user: username@domain; status: succeeded; adapter: adapter name; computer: computer name |
| 6405 | Rename network adapter failure (added in release 2018) | PID: process ID; user: username@domain; status: failed; adapter: adapter name; computer: computer name; reason: reason for failure |
| 6406 | Update IPv4 settings success (added in release 2018) | PID: process ID; user: username@domain; status: succeeded; adapter: adapter name; computer: computer name |
| 6407 | Update IPv4 settings failure (added in release 2018) | PID: process ID; user: username@domain; status: failed; adapter: adapter name; computer: computer name; reason: reason for failure |
| 6408 | Update IPv6 settings success (added in release 2018) | PID: process ID; user: username@domain; status: succeeded; adapter: adapter name; computer: computer name |
| 6409 | Update IPv6 settings failure (added in release 2018) | PID: process ID; user: username@domain; status: failed; adapter: adapter name; computer: computer name; reason: reason for failure |
| 6500 | Auto-enroll as corporate owned device success (added in release 2018) | computer: computer name; tenant: tenant URL |
| 6501 | Auto-enroll as corporate owned device failure (added in release 2018) | computer: computer name; tenant: tenant URL; reason: reason for failure |
| 6502 | Unenroll device success (added in release 2018) | user: user name; computer: computer name |
| 6503 | Unenroll device failure (added in release 2018) | user: user name; computer: computer name; reason: reason for failure |
| 6504 | Enroll as corporate owned device success (added in release 2018) | user: user name; computer: computer name; tenant: tenant URL |
| 6505 | Enroll as corporate owned device failure (added in release 2018) | user: user name; computer: computer name; tenant: tenant URL; reason: reason for failure |
| 6506 | Enroll device success (added in release 2018) | user: user name; computer: computer name; tenant: tenant URL |
| 6507 | Enroll device failure (added in release 2018) | user: user name; computer: computer name; tenant: tenant URL; reason: reason for failure |
| 6508 | Auto-unenroll success (added in release 18.8) | computer: computer name |
| 6509 | Auto-unenroll failure (added in release 18.8) | computer: computer name; reason: reason for failure |
| 6510 | PowerShell remote command execution (added in release 2020.1) | userSid: user SID; userName: user name; authMechanism: authentication mechanism; url: HTTP URL of the inbound request; command: PowerShell remote command; isScript: whether the command is a remote script |