Enabling auditing for remote sessions

All components of the Privileged Access Service log audit trail events for the activity on systems, domains, databases, applications, and accounts that you add to the service. If you also want to audit user session activity initiated from the Admin Portal on target systems, you can enable the auditing and monitoring services that are part of the Privileged Access Service enterprise offering.

To prepare for auditing, you must have at least one working audit installation running in your environment. If you don’t have an audit installation and want to create one, you can download the auditing and monitoring services for Privileged Access Service from the Customer Support Portal on the Centrify website, then follow the instructions in the Auditing Administrator’s Guide to set up a working environment.

The audit installation must include the following core components:

  • A management database to store installation information
  • The audit store and audit store database to define the scope and store session activity
  • At least two collectors to collect session activity and send it to the audit store database
  • The Audit Manager console to manage installation components, audit roles, and permissions
  • The Audit Analyzer console to view, query, and manage recorded activity

For information about creating the audit installation and configuring the core components of the installation, see the Auditing Administrator’s Guide or Installing Centrify Audit & Monitoring Service.

If you are familiar with auditing using the Centrify auditing infrastructure, you might have an agent installed on some or all of your target systems. However, the agent is not required to audit session activity on the remote target computers you have added to the Privileged Access Service. Instead, you can use the Centrify Connector to send session activity directly to the collector without installing an agent or the auditing service on the target system. The only additional requirement to enable auditing using the connector is that the computer you are using for the connector must be within the scope of an audit store—that is, the computer must be included in the site, subnet, or IP address identified as the audit store. The session activity for all target systems will be sent to the audit store that includes the computer where the connector is installed.
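The scope requirement above is easy to get wrong silently: a connector whose host is not covered by any audit store still brokers sessions, but none of that session activity is recorded. The following script is an added example, not Centrify code, that models an audit store scope (sites, subnets, or single IP addresses) in memory and checks which store, if any, would receive a given connector's sessions. The `AuditStoreScope` class, the store names, and all IP addresses and site names are constructed for illustration; real scopes are defined in the Audit Manager console.

```python
"""Check whether connector hosts fall inside an audit store's scope.

Added example, not Centrify's own code. The scope model and all sample
data below are constructed; real audit store scopes come from Audit Manager.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class AuditStoreScope:
    """Hypothetical in-memory model of one audit store's scope.

    An audit store scope can be expressed as Active Directory sites, subnets,
    or individual IP addresses. Sites are compared by name; subnets and
    addresses are compared with the ipaddress module.
    """
    name: str
    sites: Set[str] = field(default_factory=set)
    networks: list = field(default_factory=list)  # ip_network objects

    def covers(self, host_ip: str, host_site: Optional[str]) -> bool:
        # In scope if the host's AD site matches, or its address is inside a listed network.
        if host_site is not None and host_site in self.sites:
            return True
        addr = ipaddress.ip_address(host_ip)
        return any(addr in net for net in self.networks)


def parse_scope(name: str, sites: List[str], entries: List[str]) -> AuditStoreScope:
    """Build a scope from strings such as '10.10.0.0/16' or '192.0.2.15'.

    A bare address becomes a single-host network (/32 or /128), so subnets
    and individual IPs are handled uniformly.
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in entries]
    return AuditStoreScope(name=name, sites=set(sites), networks=networks)


def check_connector(host_ip: str, host_site: Optional[str],
                    scopes: List[AuditStoreScope]) -> Tuple[str, List[str]]:
    """Classify a connector host against all audit store scopes.

    Returns ("audited", [store]) for exactly one match, ("unaudited", [])
    when no store covers the host (sessions would not be recorded), and
    ("ambiguous", [stores...]) when more than one scope overlaps, which an
    administrator should resolve in Audit Manager before relying on it.
    """
    matches = sorted(s.name for s in scopes if s.covers(host_ip, host_site))
    if not matches:
        return "unaudited", []
    if len(matches) > 1:
        return "ambiguous", matches
    return "audited", matches


# Constructed sample scopes (assumed names, sites and subnets).
SAMPLE_SCOPES = [
    parse_scope("HQ", sites=["Headquarters"], entries=["10.10.0.0/16"]),
    parse_scope("Branch", sites=["Branch"], entries=[]),
    parse_scope("DMZ", sites=[], entries=["192.0.2.0/24"]),
]

# Constructed connector hosts: (hostname, IP address, AD site or None).
CONNECTORS = [
    ("connector-hq", "10.10.4.7", "Headquarters"),
    ("connector-dmz", "192.0.2.15", None),
    ("connector-lab", "172.16.0.5", None),
    ("connector-branch", "10.10.9.9", "Branch"),
]


def report(connectors=CONNECTORS, scopes=SAMPLE_SCOPES) -> dict:
    """Map each connector hostname to its (status, stores) classification."""
    return {host: check_connector(ip, site, scopes) for host, ip, site in connectors}


if __name__ == "__main__":
    for host, (status, stores) in report().items():
        print(f"{host:18} {status:10} {', '.join(stores) or '-'}")
```

Run it before pointing users at a new connector: any host reported as `unaudited` will broker sessions that never reach a collector, and an `ambiguous` result (here a host that matches one store by site and another by subnet) is worth confirming in Audit Manager so you know which audit store database to query later.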

For more information about defining the scope for an audit store, see the Auditing Administrator’s Guide or Creating the first audit store. If you're working with systems inside of a DMZ, be sure to read Auditing systems that are inside a DMZ.