Configuring advanced monitoring

You can configure advanced monitoring in several ways. To use any of these parameters, you must also enable advanced monitoring (by using the dareload -m command or the “Enable Advanced Monitoring” group policy). You can edit the following configuration parameters in the centrifyda.conf file:

  • event.file.monitor

    Use the event.file.monitor parameter to enable advanced monitoring for configuration files.

  • event.file.monitor.process.skiplist

    For any areas that you’ve specified to monitor (using event.file.monitor), use the event.file.monitor.process.skiplist parameter to ignore specific processes in those areas.

  • event.file.monitor.user.skiplist

    Use the event.file.monitor.user.skiplist parameter to specify a list of users to exclude from advanced monitoring for files. For these users, the auditing service does not record any write access to directories specified in event.file.monitor.

  • event.execution.monitor

    Use the event.execution.monitor parameter to monitor all programs that users run in an audited session.

  • event.monitor.commands

    Use the event.monitor.commands parameter to specify a list of commands to monitor. Be sure to list each command using the full path name of the command. The auditing service generates an audit trail event when a user runs any of these monitored commands, unless the user is listed in the event.monitor.commands.user.skiplist parameter.

  • event.monitor.commands.user.skiplist

    Use the event.execution.monitor.user.skiplist parameter to specify a list of users to exclude from advanced monitoring for program execution. For these users, the auditing service does not record any programs that they run, even when the parameter event.execution.monitor is set to true.

After you make the configuration changes in the centrifyda.conf file, run the dareload -m command to apply the changes.
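
Before reloading, it helps to review what the edited file leaves unaudited. The following check is an added example, not part of the product or its documentation: it flags event.monitor.commands entries that are not full path names and lists every skiplist entry that is exempt from monitoring. The "name: value" line syntax, the comma or whitespace list separators, the function names and the sample file are assumptions.

```python
import re

# Skiplist parameters named on this page; each entry is an auditing exemption.
SKIPLISTS = (
    "event.file.monitor.process.skiplist",
    "event.file.monitor.user.skiplist",
    "event.monitor.commands.user.skiplist",
    "event.execution.monitor.user.skiplist",
)

# Constructed sample fragment, not taken from a real host.
SAMPLE_CONF = """\
# advanced monitoring
event.execution.monitor: true
event.monitor.commands: /usr/bin/passwd, visudo, /usr/sbin/usermod
event.file.monitor.user.skiplist: root, backupsvc
event.monitor.commands.user.skiplist:
"""

def parse_conf(text):
    """Return {parameter: [entries]} for non-comment 'name: value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        # Assumption: list entries are separated by commas and/or whitespace.
        conf[name.strip()] = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    return conf

def lint(conf):
    """Return (parameter, entry, issue) findings for a parsed configuration."""
    findings = []
    # The page requires the full path name for each monitored command.
    for cmd in conf.get("event.monitor.commands", []):
        if not cmd.startswith("/"):
            findings.append(("event.monitor.commands", cmd, "not a full path name"))
    # Every skiplisted user or process is activity the audit trail will not show.
    for name in SKIPLISTS:
        for entry in conf.get(name, []):
            findings.append((name, entry, "excluded from advanced monitoring"))
    return findings

if __name__ == "__main__":
    for param, entry, issue in lint(parse_conf(SAMPLE_CONF)):
        print(f"{param}: {entry!r} {issue}")
```
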