How to read Centrify audit event data

The following information can help you understand how to read Centrify audit events.

Event ID / centrifyEventID

Every Windows and UNIX/Linux audit event includes two numeric IDs that describe the event. The Event ID, in the header fields, is the unique ID of the event only within a particular event category; the centrifyEventID, in the common fields, is the unique ID among all Centrify audit event types.

Windows example

Centrify audit event header fields

Category: privilege elevation service - Windows
Product Version: 1.0
Event ID: 3
Event Name: Remote login success
Severity: 5

Centrify audit event common fields

user: administrator@member.centrify.vms
userSid: S-1-5-21-3789923312-3040275127-1160560412-500
DAInst: AuditingInstallation
DASessID: c72252aa-e616-44ff-a5f6-d3f53f09bb67
sessionId: 6
centrifyEventID: 6003

UNIX/Linux example

Centrify audit event header fields

Event Type: AUDIT_TRAIL
Product: Centrify Suite
Category: Centrify sshd
Product Version: 1.0
Event ID: 100
Event Name: SSHD granted
Severity: 5

Centrify audit event common fields

user: dwirth(type:ad,dwirth@CENTRIFY.VMS)
pid: 7456
utc: 1459784055479
centrifyEventID: 27100
DAInst: AuditingInstallation
DASessID: c72252aa-e616-44ff-a5f6-d3f53f09bb67
status: GRANTED
service: ssh-connection

Severity

Severity is an integer from 0 to 10, with 10 being the most important level. Centrify events typically have Severity 5.

Spacing

A field name is one word (no spaces) in the audit event file. When the file is processed into a readable format, spaces are added to field names. For example, to search for Management Database Property, search on the term managementdatabaseproperty.

Case-insensitive field names

Use case-insensitive field names in all search filters.
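The following added example (not Centrify's code; the records are constructed from the two events shown above, since this page does not specify the on-disk event format) applies these rules when filtering events: field names are matched without spaces and case-insensitively, centrifyEventID is looked up on its own, and Event ID is only looked up together with its category. Treating the 13-digit utc value as Unix epoch milliseconds is an assumption.

```python
from datetime import datetime, timezone

# Two audit events built from the values shown on this page (constructed
# sample records; header fields and common fields share one flat dict).
EVENTS = [
    {"Category": "privilege elevation service - Windows", "Product Version": "1.0",
     "Event ID": 3, "Event Name": "Remote login success", "Severity": 5,
     "user": "administrator@member.centrify.vms",
     "userSid": "S-1-5-21-3789923312-3040275127-1160560412-500",
     "DAInst": "AuditingInstallation",
     "DASessID": "c72252aa-e616-44ff-a5f6-d3f53f09bb67",
     "sessionId": 6, "centrifyEventID": 6003},
    {"Event Type": "AUDIT_TRAIL", "Product": "Centrify Suite", "Category": "Centrify sshd",
     "Product Version": "1.0", "Event ID": 100, "Event Name": "SSHD granted", "Severity": 5,
     "user": "dwirth(type:ad,dwirth@CENTRIFY.VMS)", "pid": 7456, "utc": 1459784055479,
     "centrifyEventID": 27100, "DAInst": "AuditingInstallation",
     "DASessID": "c72252aa-e616-44ff-a5f6-d3f53f09bb67",
     "status": "GRANTED", "service": "ssh-connection"},
]


def search_term(field_name: str) -> str:
    """Turn a display name into the stored form: spaces removed, and
    lower-cased because field-name matching is case-insensitive."""
    return "".join(field_name.split()).lower()


def get_field(event: dict, field_name: str):
    """Case-insensitive, space-insensitive lookup of one field in an event."""
    wanted = search_term(field_name)
    for key, value in event.items():
        if search_term(key) == wanted:
            return value
    return None


def find_by_centrify_id(events, centrify_event_id: int) -> list:
    """centrifyEventID is unique across all event types, so no category is needed."""
    return [e for e in events if get_field(e, "centrifyEventID") == centrify_event_id]


def find_by_event_id(events, category: str, event_id: int) -> list:
    """Event ID is unique only within a category, so the category must be given."""
    return [e for e in events
            if get_field(e, "Event ID") == event_id
            and str(get_field(e, "category")).lower() == category.lower()]


def event_time(event: dict):
    """Assumption: the 13-digit utc field is Unix epoch milliseconds."""
    utc = get_field(event, "utc")
    return None if utc is None else datetime.fromtimestamp(utc / 1000, tz=timezone.utc)
```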