How to Read Audit Event Data

The following information can help you understand how to read Centrify audit events.

Event ID/CentrifyEventID

Every Windows and UNIX/Linux audit event includes two numeric IDs that describe the event. The Event ID in the header fields identifies the unique ID of the event within a particular event category, whereas the CentrifyEventID in the common fields identifies the unique ID among all Centrify audit event types.

Windows Example

Centrify audit event header fields Category Privilege Elevation Service - Windows  
Product Version 1.0
Event ID 3
Event Name Remote login success 5
Centrify audit event common fields user administrator@member.acme.vms
userSid S-1-5-21-3789923312-3040275127-1160560412-500
DAInst AuditingInstallation
DASessID c72252aa-e616-44ff-a5f6-d3f53f09bb67
sessionId 6
Centrify EventID 6003

UNIX/Linux Example

AuditingInstallation | DASessID
Centrify audit event header fields Event Type AUDIT_TRAIL
Product Centrify Suite
Category Centrify sshd
Product Version 1.0
Event ID 100
Event Name SSHD granted
Severity 5
Centrify audit event common fields user dwirth(type:ad,dwirth@acme.vms)
pid 7456
utc 1459784055479
Centrify EventID 27100
DAInst
c72252aa-e616-44ff-a5f6-d3f53f09bb67
status GRANTED
service ssh-connection

Severity

Severity is defined by an integer from 0 - 10, with 10 being the most important level. Centrify events are typically a Severity 5.

Spacing

A field name is one word (no spaces) in the audit event file. When the file is processed into a readable format, spaces are added to field names. For example, if you need to search for Management Database Property, you should search on the following term: managementdatabaseproperty.

Case-Insensitive Field Names

Use case-insensitive field names in all search filters.