Verification
After the installation of the Centrify Add-on for Splunk is complete, all new Centrify audit trail events should be parsed and indexed by Splunk. Run the searches below to confirm that events are arriving and that the add-on's eventtypes and field extractions are being applied.
Sample Searches
Use the following sample searches to validate your installation:
- Search all Centrify logs generated on Windows Agents:
  eventtype=centrify_windows_audit_trail_logs
- Search all Audit Analyzer-related logs:
  eventtype=Centrify_audit_analyzer
- Search all successful/granted DirectAuthorize-Windows logs:
  eventtype=centrify_directauthorize_windows eventstatus=GRANTED
- Search all failed/denied DirectAuthorize-Windows logs:
  eventtype=centrify_directauthorize_windows eventstatus=DENIED
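The four sample searches can be run as a repeatable post-install check instead of by hand. The script below is an added example, not part of the Centrify Add-on or its documentation: it submits each search to Splunk's REST search endpoint (`/services/search/jobs/export`, which returns one JSON object per line), appends `| stats count` so each search yields a single row, and reports which searches returned no events. The management URL, the token, the 24-hour lookback and the exact shape of the export response rows are assumptions made for the example.

```python
"""Run the Centrify Add-on validation searches against a Splunk instance and
flag any search that returns zero events.

Added example for the verification step; not code from the Centrify Add-on.
Assumes a Splunk authentication token (Authorization: Bearer) and that the
export endpoint returns newline-delimited JSON rows, each with a "result" key.
"""
import json
import os
import ssl
import urllib.parse
import urllib.request

# The four sample searches from the verification page, keyed by a short label.
VALIDATION_SEARCHES = {
    "windows_audit_trail": "eventtype=centrify_windows_audit_trail_logs",
    "audit_analyzer": "eventtype=Centrify_audit_analyzer",
    "directauthorize_granted": "eventtype=centrify_directauthorize_windows eventstatus=GRANTED",
    "directauthorize_denied": "eventtype=centrify_directauthorize_windows eventstatus=DENIED",
}


def count_search(spl):
    """Turn a validation search into SPL that returns one row: count=<n>."""
    return f"search {spl} | stats count"


def parse_count(body):
    """Extract the count from the export endpoint's newline-delimited JSON.

    Preview rows are skipped; the final (non-preview) row carries the answer.
    An empty body (no rows at all) is treated as zero events.
    """
    count = 0
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        row = json.loads(line)
        if row.get("preview"):
            continue
        result = row.get("result") or {}
        count = int(result.get("count", 0))
    return count


def zero_count_searches(counts):
    """Return the labels of searches that produced no events, in input order."""
    return [name for name, n in counts.items() if n == 0]


def run_search(base_url, token, spl, earliest="-24h", verify_tls=True):
    """POST one search to /services/search/jobs/export and return its count."""
    data = urllib.parse.urlencode({
        "search": count_search(spl),
        "output_mode": "json",
        "earliest_time": earliest,   # assumed lookback window for the check
        "latest_time": "now",
    }).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/services/search/jobs/export",
        data=data,
        headers={"Authorization": f"Bearer {token}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances with self-signed certs on 8089
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return parse_count(resp.read().decode())


def validate(base_url, token, earliest="-24h", verify_tls=True):
    """Run every validation search; return (counts, labels with zero events)."""
    counts = {
        name: run_search(base_url, token, spl, earliest, verify_tls)
        for name, spl in VALIDATION_SEARCHES.items()
    }
    return counts, zero_count_searches(counts)


if __name__ == "__main__":
    # SPLUNK_URL and SPLUNK_TOKEN are assumed environment variables, e.g.
    # https://splunk.example.com:8089 and a Splunk authentication token.
    counts, missing = validate(
        os.environ["SPLUNK_URL"],
        os.environ["SPLUNK_TOKEN"],
        verify_tls=os.environ.get("SPLUNK_VERIFY_TLS", "1") != "0",
    )
    for name, n in counts.items():
        print(f"{name:25s} {n}")
    if missing:
        print("no events for: " + ", ".join(missing))
```

A zero count for the Windows audit trail search means events are not reaching the index or the add-on's eventtype is not matching, and should be investigated. A zero count for the `DENIED` search is not by itself a failure: it is expected when no DirectAuthorize request was refused during the lookback window, so confirm the `GRANTED` search first.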
The search results for all Centrify logs generated on Windows Agents are shown in the following example: