Configuring the Audit Event Log Location

You can configure audit event logs to go to DirectAudit or your system’s default logging system (Windows event log or UNIX syslog). You configure the log location either manually for each computer or by way of group policy.

You can also configure a global audit event logging behavior or specify different settings for different feature areas.

Configuring the Audit Event Logging Location by Group Policy

Audit trail group policies are located in category-specific subfolders (such as Audit Analyzer Settings, Audit Manager Settings, and so on).

Additionally, a Centrify Global Settings subfolder contains group policies that you can set at a global level.

Any category-specific audit trail targets that you set (for example, Audit Manager Settings > Send audit trail to log file) override global audit trail targets (for example, Centrify Global Settings > Send audit trail to log file). Each subfolder in Centrify Audit Trail Settings contains the same set of group policies.

To send audit trail events to both the database and the local logging facility, enable both of the following group policies.

Send Audit Trail to Audit Database

Enable this group policy to specify that audit events for this component (Audit Analyzer, Audit Manager, and so on) are sent to the active audit store database.

See the Explain tab in the group policy for details about which parameter each group policy sets in the agent configuration file.

Send Audit Trail to Log File

Enable this group policy to specify that audit events for this component (such as Audit Analyzer, Audit Manager, and so on) are sent to the local logging facility (syslog on UNIX systems, Windows event log on Windows systems).

See the Explain tab in the group policy for details about which parameter each group policy sets in the agent configuration file.

Set Global Audit Trail Targets

Specify the target for audit trail information.

If you set this group policy to Not configured or Disabled, the destination of audit trail information depends on which version of DirectAudit is installed. If DirectAudit 3.2 or later is installed, audit trail information is sent to the local logging facility and DirectAudit. If a DirectAudit version earlier than 3.2 is installed, audit trail information is only sent to the local logging facility.

If you set this group policy to Enabled, you can specify the target for audit trail information. Possible settings are:

  • 0 (Audit information is not sent.)
  • 1 (Audit information is sent to Centrify Audit & Monitoring Service. This capability is supported by DirectAudit version 3.2 and later.)
  • 2 (Audit information is sent to the local logging facility, either syslog on UNIX systems or Windows event log on Windows systems.)
  • 3 (Audit information is sent to both DirectAudit and the local logging facility.)

This group policy modifies the audittrail.targets setting in the agent configuration file.
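
The following added example (not part of the Centrify documentation or product) resolves the effective audit trail target from agent configuration text, applying the category-over-global override and the version-dependent default described above, and flags settings that leave events unsent. The `key: value` file syntax and the category parameter name `audittrail.example.targets` are assumptions made for illustration.

```python
import re

# Values 0-3 come from the page; they are read here as a two-bit mask.
DIRECTAUDIT, LOCAL_LOG = 1, 2
GLOBAL_KEY = "audittrail.targets"

def parse_conf(text):
    """Parse 'key: value' lines (assumed syntax); '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def effective_targets(text, da_version, category_key=None):
    """Return (targets, findings) for one feature area.

    da_version is the installed DirectAudit version as (major, minor).
    category_key is a hypothetical per-category parameter name; when it is
    present in the file it overrides the global setting.
    """
    settings = parse_conf(text)
    da_ok = da_version >= (3, 2)
    raw = settings.get(category_key) if category_key else None
    if raw is None:
        raw = settings.get(GLOBAL_KEY)
    if raw is None:
        # Not configured: the default depends on the DirectAudit version.
        value = DIRECTAUDIT | LOCAL_LOG if da_ok else LOCAL_LOG
    elif re.fullmatch(r"[0-3]", raw):
        value = int(raw)
    else:
        raise ValueError(f"invalid audit trail target: {raw!r}")
    findings = []
    if value == 0:
        findings.append("audit trail events are not sent anywhere")
    if value & DIRECTAUDIT and not da_ok:
        findings.append("DirectAudit target needs DirectAudit 3.2 or later")
    targets = {name for bit, name in ((DIRECTAUDIT, "DirectAudit"),
                                      (LOCAL_LOG, "local log")) if value & bit}
    return targets, findings

if __name__ == "__main__":
    # Constructed sample: global target is both, one category is local only.
    sample = "audittrail.targets: 3\naudittrail.example.targets: 2  # hypothetical\n"
    print(effective_targets(sample, (3, 2), "audittrail.example.targets"))
```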