event.file.monitor
Use the event.file.monitor parameter to enable advanced monitoring for configuration files. To use this parameter, you must have enabled the agent to perform advanced monitoring with the command dacontrol -m.
If advanced monitoring is enabled for files, the auditing service monitors any activity in the following folders:
- /etc/
- /var/centrify/
- /var/centrifydc/
- /var/centrifyda/
The default value for the event.file.monitor parameter is true.
In the audit.log file, you can find these events by looking for the cda_file_monitor_write messages. In the cdc.log file you can find them by looking for the Emit AUDIT_TRAIL.