To understand the content of an audit record, you must first identify the event type of the audit record. This is because the data the record contains depends on the type of event that triggered the creation of the audit record.
Note: The order, number, and content of the columns that you see for an audit log record depend on the method you use to view the audit log. Some fields do not display in CA ControlMinder Endpoint Management, in the default seaudit output, or in the detailed seaudit output. If you use the seaudit utility, the options you specify also determine the number, order, and content of the columns.
To identify the event type of an audit record:
To display more information about the audit record, click the audit event type link in the first column.
Once you identify the event type, you can go on to interpret the rest of the message detail.
Example: Audit Records in CA ControlMinder Endpoint Management
The following image shows you how CA ControlMinder Endpoint Management presents audit events:
Example: Audit Records in Default seaudit Output
The following snippet of a seaudit output shows you how the seaudit utility presents audit events by default:
19 Dec 2008 16:46:47 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:46:52 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:46:53 P LOGIN TM123VM-AC\Administrator 55 2 TM123VM-AC C:\WINDOWS\system32\lsass.exe
19 Dec 2008 16:46:57 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:02 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:07 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:12 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:16 S UPDATE GROUP TM123VM-AC\Administrator 336 0 test TM123VM-AC egtest audit-
19 Dec 2008 18:28:18 P LOGIN TM123VM-AC\Administrator 55 10 TM123VM-AC selang
19 Dec 2008 18:28:18 S UPDATE TERMINAL TM123VM-AC\Administrator 305 0 TM123VM-AC-SC1.ca.com TM123VM-AC er terminal TM123VM-AC-SC1.ca.com
The detailed seaudit output for the first message above is as follows:
19 Dec 2008 16:46:47 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TW852VM-AC
Event type: Resource access
Status: Permitted
Class: WINSERVICE
Resource: VMTools
Access: Read
User name: TM123VM-AC\Administrator
User Logon Session ID: 00000000:05647d29
Terminal: TM123VM-AC
Program: C:\WINDOWS\system32\services.exe
Date: 19 Dec 2008
Time: 16:46
Details: Default record universal access check
Audit flags: AC database user
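The point of this page is that the column layout of a default seaudit record is only meaningful once you know the event type: a WINSERVICE record carries an access and a resource, a LOGIN record does not, and an UPDATE record ends with the selang command that made the change. The following Python parser is an added example, not part of the CA documentation or the seaudit utility; it reads the ten records shown above (embedded as constructed sample input) and dispatches on the event type before naming the remaining columns. The meaning of status code P (Permitted) comes from the detailed output above; the other status codes in the table, the assumption that only UPDATE event types span two words, the per-type column layouts, and the names num1 and num2 for the two unnamed numeric columns are all inferred from these records rather than taken from the page.

```python
import re
from collections import Counter

# Constructed sample input: the ten records from the default seaudit output on this page.
SAMPLE_LOG = r"""
19 Dec 2008 16:46:47 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:46:52 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:46:53 P LOGIN TM123VM-AC\Administrator 55 2 TM123VM-AC C:\WINDOWS\system32\lsass.exe
19 Dec 2008 16:46:57 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:02 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:07 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:12 P WINSERVICE TM123VM-AC\Administrator Read 1059 2 VMTools C:\WINDOWS\system32\services.exe TM123VM-AC
19 Dec 2008 16:47:16 S UPDATE GROUP TM123VM-AC\Administrator 336 0 test TM123VM-AC egtest audit-
19 Dec 2008 18:28:18 P LOGIN TM123VM-AC\Administrator 55 10 TM123VM-AC selang
19 Dec 2008 18:28:18 S UPDATE TERMINAL TM123VM-AC\Administrator 305 0 TM123VM-AC-SC1.ca.com TM123VM-AC er terminal TM123VM-AC-SC1.ca.com
"""

# Status letter -> meaning. "P" = Permitted is taken from the detailed output on this
# page; "D", "S" and "F" are assumed to follow the same scheme and are not from the page.
STATUS_CODES = {"P": "Permitted", "D": "Denied", "S": "Success", "F": "Failure"}

# Event types whose name occupies two columns in the default output (assumption: only UPDATE).
TWO_WORD_EVENT_TYPES = {"UPDATE"}

# Column layouts that follow the user column, inferred from the records above. The two
# numeric columns are not named in the detailed view, so they are kept as opaque strings.
FIXED_LAYOUTS = {
    "WINSERVICE": ("access", "num1", "num2", "resource", "program", "terminal"),
    "LOGIN": ("num1", "num2", "terminal", "program"),
}

# Every record starts with date, time and a one-letter status code.
HEADER_RE = re.compile(r"^(\d{1,2} \w{3} \d{4}) (\d{2}:\d{2}:\d{2}) (\S) (.+)$")


def parse_record(line):
    """Parse one default-output record into a dict whose keys depend on the event type."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a seaudit record: {line!r}")
    date, time, code, rest = m.groups()
    tokens = rest.split()
    event_type = tokens.pop(0)
    if event_type in TWO_WORD_EVENT_TYPES:
        event_type += " " + tokens.pop(0)
    rec = {
        "date": date,
        "time": time,
        "status": STATUS_CODES.get(code, code),  # unknown codes are passed through unchanged
        "event_type": event_type,
        "user": tokens.pop(0),
    }
    layout = FIXED_LAYOUTS.get(event_type)
    if layout and len(tokens) == len(layout):
        rec.update(zip(layout, tokens))
    elif event_type.startswith("UPDATE") and len(tokens) >= 4:
        rec.update(zip(("num1", "num2", "resource", "terminal"), tokens[:4]))
        rec["command"] = " ".join(tokens[4:])  # the selang command that made the change
    else:
        rec["unparsed"] = tokens  # unknown layout: keep the raw columns for inspection
    return rec


def parse_log(text):
    """Parse every non-empty line of a default seaudit output."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def count_by_type(records):
    """Count records per (event type, status): a quick overview of what a log contains."""
    return Counter((r["event_type"], r["status"]) for r in records)


def needs_review(records):
    """Records whose status is neither Permitted nor Success, i.e. the ones worth a closer look."""
    return [r for r in records if r["status"] not in ("Permitted", "Success")]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for (event_type, status), n in sorted(count_by_type(records).items()):
        print(f"{n:3d}  {status:<9} {event_type}")
    print(f"{len(needs_review(records))} record(s) need review")
```

Running the block prints a count per event type and status for the sample, and reports that none of the ten records is denied. Records of an event type the parser does not know keep their raw columns under the "unparsed" key, so a new event type never silently mislabels columns as a resource or program.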
Copyright © 2013 CA Technologies. All rights reserved.