Verification

After the installation of the Centrify Add-on for Splunk is complete, all of the new Centrify audit trail events should be parsed and indexed by Splunk.

Sample Searches

Use the following sample searches to validate your installation:

  • Search all Centrify logs generated on Windows Agents:
    search eventtype=centrify_windows_audit_trail_logs

  • Search all Audit Analyzer-related logs:
    search eventtype=Centrify_audit_analyzer

  • Search all successful (granted) DirectAuthorize-Windows logs:
    search eventtype=centrify_directauthorize_windows eventstatus=GRANTED

  • Search all failed (denied) DirectAuthorize-Windows logs:
    search eventtype=centrify_directauthorize_windows eventstatus=DENIED
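The four searches above each confirm one event type in isolation. As an added example (not part of the add-on's documentation), the following single search checks all three event types at once and breaks the results down by status, so an event type that returns no rows in the chosen window stands out immediately; the 24-hour window and the use of the eventtype and eventstatus field names from the searches above are assumptions, not something the page states:

```spl
(eventtype=centrify_windows_audit_trail_logs OR eventtype=Centrify_audit_analyzer OR eventtype=centrify_directauthorize_windows) earliest=-24h
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY eventtype, eventstatus
| convert ctime(first_seen) ctime(last_seen)
| sort eventtype, eventstatus
```

If an expected eventtype is missing from the table, the add-on's parsing is not producing that event type; if eventstatus is empty for the DirectAuthorize rows, field extraction for that source is the first place to look. The GRANTED and DENIED counts side by side also give an operator a quick baseline of authorization failures per day before building alerts on DENIED events.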

The search results for all Centrify logs generated on Windows Agents are shown in the following example: