Integrating Centrify Server Suite with SIEM Tools – Part 2, integration with Splunk

By Centrify Contributor II ‎07-08-2016 10:44 AM

In the previous post on Integrating Centrify Server Suite with SIEM tools, we covered that Centrify Server Suite (CSS) is an agent-based solution for unified identity management across Windows, Linux and UNIX systems. The CSS agent can track over 300 different types of events in real-time on 450+ flavors of Windows, Linux and UNIX machines.


In this post, we cover how to integrate the Centrify events into your existing Splunk deployment.  


Getting Started

First, how do I get Centrify events into Splunk? Centrify events are written locally to the standard logs: syslog on *Nix systems and the Windows event log on Windows. Install the Splunk Forwarder on machines running the Centrify Agent to centrally consolidate and index all Centrify events. To configure the location of the Centrify events easily, use the Centrify Splunk Add-on; follow the installation guide for instructions on how to install it.


Check that events are being forwarded by clicking Data Summary in the Splunk Web interface, as shown below.



View the Centrify events by searching for “Audit_Trail”; you should see all the Centrify events.



Normalizing events

Install the Centrify Splunk Add-on on the Splunk server to normalize Centrify events, following the instructions in the installation guide. Once the events are centrally collected and indexed within Splunk, you can find the relevant events via the Splunk search interface. To make Centrify events and Centrify fields easy to find, we have created 18 event types within Splunk and custom-parsed all the Centrify fields into Splunk.


Below is a list of all the categorized events; we’ve mapped all the event categories listed in the Centrify Server Suite events document here.

Centrify Event Category            Splunk Event Type

DirectAudit System Management
Audit Manager
Audit Analyzer
DirectAuthorize - Windows
DirectAudit - Windows
Centrify Configuration
DirectControl UNIX Agent
DirectAudit UNIX Agent
Centrify Commands
Trusted Path
Local Account Management
Centrify sshd


After installing the Centrify Add-on, you will see “Centrify Add-on for Splunk” enabled in your Apps, as shown below.


Leveraging Splunk’s Common Information Model  

Splunk’s CIM enables tagging of common events from different vendors or source types; by enabling it, Splunk unifies events from a data domain of interest across the enterprise. Splunk has defined around 23 data models today, and the number is rapidly growing. We’ve taken over a dozen events and mapped them to Splunk’s Authentication data model.


Shown below is how to find events that are mapped into the Authentication data model.



To summarize, CSS Standard Edition captures all logon and privilege activity on any machine that has a CSS agent running; the event is stored in CEF format in syslog on Linux/UNIX machines and in the event logs on Windows machines. You can now easily ingest Centrify events into Splunk and normalize the Centrify data using our Splunk Add-on.
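The field extraction under "Normalizing events" and the Authentication data model mapping above, as an added Python example that is not the Centrify Add-on's own code: it parses constructed Audit Trail syslog lines in the pipe-delimited AUDIT_TRAIL layout and projects them onto Splunk CIM Authentication field names. The hostnames, users, SIDs, the numeric severity field and the user=/client= extension keys are assumptions, not values from the post.

```python
import re

# Constructed sample Centrify Audit Trail syslog lines in the pipe-delimited
# AUDIT_TRAIL layout the post describes. Hosts, users, SIDs, the severity
# field and the "user="/"client=" extension keys are assumptions.
SAMPLE_LINES = [
    "Feb 07 11:27:17 host01.example.local dzagent[3004]: INFO AUDIT_TRAIL|"
    "Centrify Suite|DirectAuthorize - Windows|1.0|33|Remote login success|5|"
    "user=EXAMPLE\\alice userSid=S-1-5-21-1-2-3-1001 sessionId=2 "
    "centrifyEventID=6033 role=Windows Login/Global mfarequired=False",
    "Feb 07 11:30:02 host02.example.local adclient[2211]: INFO AUDIT_TRAIL|"
    "Centrify Suite|Centrify sshd|1.0|301|Login failure|5|"
    "user=bob client=10.0.0.25 centrifyEventID=27001 reason=bad password",
]

# The twelve event categories the post maps to Splunk event types.
KNOWN_CATEGORIES = {
    "DirectAudit System Management", "Audit Manager", "Audit Analyzer",
    "DirectAuthorize - Windows", "DirectAudit - Windows", "Centrify Configuration",
    "DirectControl UNIX Agent", "DirectAudit UNIX Agent", "Centrify Commands",
    "Trusted Path", "Local Account Management", "Centrify sshd",
}

HDR_RE = re.compile(r"^(\w{3} \d{2} [\d:]+) (\S+) \w+\[\d+\]: \w+ AUDIT_TRAIL\|(.*)$")
# Extension values may contain spaces ("role=Windows Login/Global"), so each
# value runs up to the next " key=" token rather than the next space.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_audit_trail(line):
    """Split one syslog line into its CEF-style header and key=value fields."""
    m = HDR_RE.match(line)
    if not m:
        return None  # not an Audit Trail line; leave it to other sourcetypes
    ts, host, body = m.groups()
    vendor, category, version, event_id, name, severity, ext = body.split("|", 6)
    ev = {"time": ts, "host": host, "vendor": vendor, "category": category,
          "event_id": event_id, "name": name, "severity": severity}
    ev.update(EXT_RE.findall(ext))  # extension keys such as role, userSid
    return ev

def to_cim_authentication(ev):
    """Project a parsed event onto Splunk CIM Authentication field names."""
    name = ev["name"].lower()
    action = "success" if "success" in name else "failure" if "fail" in name else "unknown"
    return {"action": action, "app": ev["vendor"], "user": ev.get("user", "unknown"),
            "src": ev.get("client", ev["host"]), "dest": ev["host"],
            "signature": ev["name"],
            "signature_id": ev.get("centrifyEventID", ev["event_id"]),
            "known_category": ev["category"] in KNOWN_CATEGORIES}
```

A line whose category is not in KNOWN_CATEGORIES is flagged rather than dropped, which is the case to watch when a new agent version introduces events the add-on's 18 event types do not yet cover.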


In my next post I’ll demonstrate how one could leverage these events in your IBM QRadar Deployment. Meanwhile, you can try Splunk integration today with a free trial of Centrify Server Suite Standard Edition. If you are already a Centrify customer and want to learn more, please contact your Centrify account team.



Centrify Splunk Installation guide

Centrify Splunk Add-on Binary

By thesilverfox
on ‎02-07-2018 07:57 AM



I am forwarding events from my Windows Servers that are running Admin Manager using snark agent.

My Centrify for Splunk add-on dashboard is empty. I am not getting any of the Windows events/changes to appear on the Splunk dashboard.


Any help is appreciated



By Centrify Guru I
on ‎02-07-2018 08:33 AM



Welcome to the Centrify forums.


I am assuming you want events from Access Manager to show up in your dashboard?  (e.g. added zones, deleted zones, etc.)  <= I could be wrong, plus that you have Direct Audit installed in the target monitored system.


Are your events showing up in the Windows systems in the first place?


For this to happen, you need to configure the Audit Trail GPO to do so.

@scurvy wrote about it a while back here:


This entails setting up these GPOs:



Please let us know your results.



By thesilverfox
on ‎02-07-2018 08:49 AM


I am getting my Audit Trail events into the SIEM/Splunk, but the dashboard is not showing these events.



11:27:17.000 AM

Feb 7 11:27:17 dv0centrify01.sram.local MSWinEventLog 1 Application 501 Wed Feb 07 11:27:17 2018 6033 Centrify AuditTrail V2 SRAM\chris.fumai.adm N/A Information dv0centrify01.sram.local None Product: Centrify Suite Category: DirectAuthorize - Windows Event name: Remote login success Message: User successfully logged on remotely using role 'Windows Login/Global'. Feb 07 11:27:17 dv0centrify01.sram.local dzagent[3004]: INFO AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|33|Remote login ......... userSid=S-1-5-21-1650416381-2468768347-1417404286-3847 sessionId=2 centrifyEventID=6033 DAInst=N/A DASessID=N/A role=Windows Login/Global desktopguid=3c050125-4769-446b-bd08-6dd05b0fb675 entityname=sram.local\\DV0CENTRIFY01 mfarequired=False 116



By thesilverfox
on ‎02-07-2018 08:57 AM

I have also just enabled this GPO Policy but that did not seem to change anything.


Just made an update in my Global Zone: added a new user. I can see the entry in my SIEM index search, but the Centrify dashboard is not showing anything.



By Centrify Contributor II
on ‎02-07-2018 09:59 AM

Looks like you have Audit Trail events showing up in Windows Event Logs but not in Splunk.


It could be a source_type issue. Can you maybe open a support ticket to help get to the bottom of this better, pls?



Product Manager
