Auditing user activity on a managed computer

When you install the Centrify agent for Windows on a computer, you have the option to enable access management, auditing, or both. If you enable auditing features, the agent can capture detailed information about user activity and all of the events that occurred in each user session on the managed computer. The user activity captured includes an audit trail of the actions a user has taken and a video record of everything displayed on the screen. For users who have privileged access to computers and applications, the audit and monitoring service helps ensure accountability and improve regulatory compliance. By recording user sessions, you can see exactly who had access to which computers and what they did, including any changes they made to key files or configurations.

The audit and monitoring service collects user activity as it occurs. The recorded activity is transferred to a Microsoft SQL Server database so that it is available for querying and playback. You can search the stored user sessions to look for policy violations, user errors, or malicious activity.

To ensure scalability and enterprise readiness, the auditing infrastructure consists of multiple components that together are called an audit and monitoring service installation:

  • Audited computers are the computers on which you want to monitor activity. To be audited, the computer must have the Centrify agent for Windows installed with auditing enabled and be joined to an Active Directory domain.
  • One or more collectors receive the captured activity from the agents on audited computers and forward it to an audit store database.
  • An audit store defines a scope, such as an Active Directory site or a subnet, and one or more databases that hold the captured activity and audit trail records received from the collectors so that they can be queried.
  • A management database keeps track of all the agents, collectors, and audit stores that make up a single DirectAudit installation.
  • Consoles enable administrators to configure and manage all of the audit-related components and auditors to query and review user sessions.

When you enable auditing on a computer with the Centrify agent for Windows, the agent captures user activity on that computer and forwards it to a collector computer. If no collectors are available, the agent caches the session data locally and transfers it to a collector later. The collector sends the data to an audit store database. When administrators or auditors want to review the captured data, they use the Audit Analyzer to search for and play back the session. The Audit Analyzer connects to the management database, which retrieves the data from the appropriate audit store. The administrator can control the audit data available to any specific user or group through auditor roles that limit audit access rights and privileges.
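The following is an added model of the workflow described above, not Centrify code: agents cache records while no collector is reachable, a collector writes each record to the audit store whose subnet scope covers the audited host, and the Analyzer queries through the management database. Store names, subnets, and session events are constructed for the scenario.

```python
import ipaddress

class AuditStore:
    """Scope (a subnet here) plus the database holding captured sessions."""
    def __init__(self, name, scope):
        self.name, self.scope, self.db = name, ipaddress.ip_network(scope), []

class ManagementDB:
    """Knows every audit store in the installation; the Analyzer queries through it."""
    def __init__(self, stores):
        self.stores = stores
    def store_for(self, host_ip):
        addr = ipaddress.ip_address(host_ip)
        return next(s for s in self.stores if addr in s.scope)
    def sessions_for(self, user):
        return [r for s in self.stores for r in s.db if r["user"] == user]

class Collector:
    """Receives agent records and writes them to the correctly scoped audit store."""
    def __init__(self, mgmt, available=True):
        self.mgmt, self.available = mgmt, available
    def receive(self, rec):
        self.mgmt.store_for(rec["host_ip"]).db.append(rec)

class Agent:
    """Captures sessions; caches locally while no collector is reachable."""
    def __init__(self, host_ip, collectors):
        self.host_ip, self.collectors, self.cache = host_ip, collectors, []
    def capture(self, user, events):
        self.cache.append({"host_ip": self.host_ip, "user": user, "events": events})
        return self.flush()
    def flush(self):
        up = [c for c in self.collectors if c.available]
        if not up:
            return 0                      # nothing sent; records stay cached
        sent = len(self.cache)
        for rec in self.cache:
            up[0].receive(rec)
        self.cache.clear()
        return sent

def simulate():
    """Constructed scenario: collector outage, recovery, then an auditor query."""
    mgmt = ManagementDB([AuditStore("site-a", "10.1.0.0/16"), AuditStore("site-b", "10.2.0.0/16")])
    col = Collector(mgmt, available=False)
    agent = Agent("10.2.5.20", [col])
    sent_down = agent.capture("alice", ["opened regedit", "changed service config"])
    cached = len(agent.cache)             # record held locally during the outage
    col.available = True
    sent_up = agent.capture("alice", ["edited hosts file"])   # flushes both records
    return sent_down, cached, sent_up, mgmt.store_for("10.2.5.20").name, len(mgmt.sessions_for("alice"))
```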

The following figure illustrates the basic architecture and workflow in a small scale installation.