
SIEM Integration - Understanding Centrify's Audit Events

By Centrify Contributor I 2 weeks ago - last edited 2 weeks ago

In this post, I'll cover some of the key audit events Centrify helps capture and where to find the logs so they can easily be forwarded to SIEMs and other tools.

 

In my next post, I'll integrate the audit logs from the Centrify Identity Services Platform into Splunk to demonstrate the end-to-end audit trail of a user.

 

What are some key Centrify Audit events?

 

Centrify Login Events: These events are generated when Centrify authenticates access to the Portal, an App or Infrastructure. The first sample below is a cloud event emitted by the syslog writer (Cloud.Core.MfaSummary, here a failed password factor; note FailReason, ClientIPAddress and NormalizedUser). The next two are adclient AUDIT_TRAIL events from Unix hosts: an MFA challenge answered successfully (centrifyEventID=54100) and a PAM session opened over SSH (centrifyEventID=24500), each carrying the user, the PAM service, the tty and the client address.

 

Oct 9 16:54:09 engcen6 centrify-syslog-writer[97]: INFO Centrify|Cloud.Core|Cloud.Core.MfaSummary| FactorCount="1" EventType="Cloud.Core.MfaSummary" EventMessage="Authentication using UP, result: Failed" FactorPasswordLocalized="Failed" RequestHostName="216.112.107.101" FromIPAddress="216.112.107.101" ClientIPAddress="216.112.107.101" AzDeploymentId="17c473add8114981bf6e6d94a556c69e" NormalizedUser="dwirth@centrify.vms" WhenOccurred="/Date(1507585835959)/" InternalTrackingID="ca9b1f9a37544b16a03d35ab3ae15ebf" MfaUnlock="False" MfaResultLocalized="Failed" MfaReason="Authentication using authentication profile 'Strong Factors - Authentication'." EntityName="Portal" EndpointOnPremise="False" RequestIsMobileDevice="False" Level="Warning" DirectoryServiceNameLocalized="Active Directory (centrify.vms)" ID="772af0a03a153f1a.W03.6944.fcd2628f875acc14" RequestUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" Tenant="AAA3182" UserGuid="c4a3c58b-e44f-4eb0-91db-d6ed0cc79f62" whenoccurreddate="2017-10-09T21:50:35.959000Z" MfaInitiatorLocalized="Authentication" FactorsLocalized="Password" DirectoryServiceUuid="1281dec1-2c1d-758e-a667-d4f7b2fd9972" RequestDeviceOS="Mac" EntityType="Portal" ForgotPassword="False" AzRoleId="WebRole_IN_3" ThreadType="RestCall" InternalSessionId="241fb34e-cef1-4807-a72b-255293eb593f" DenyByUser="False" WhenLogged="/Date(1507585835959)/" DirectoryServiceName="AdProxy" MfaUpgrade="False" ProfileName="Strong Factors - Authentication" Factors="UP" FailReason="Challenge not answered or answered incorrectly" MfaInitiator="Authentication" AzRoleName="WebRole" ProfileId="2e93f3a5-3c8d-478d-91cf-e9d8e1af46fa" FactorPassword="Failed" MfaResult="Failed" EndpointKnown="True" AuthMethod="None" Session="hg__L378_kCbYzI4EQHggoOwqbZCtqmm8h0zbpDSqmY1"

 

Apr 20 14:51:18 sol112x64v3 adclient[5640]: [ID 702911 auth.info] INFO AUDIT_TRAIL|Centrify Suite|MFA|1.0|100|MFA challenge succeeded|5|user=laniu1(type:ad,laniu1@SINGLE01.CDC) pid=6160 utc=1461135078139 centrifyEventID=54100 DAInst=AuditingInstallation DASessID=c72252aa-e616-44ff-a5f6-d3f53f09bb67 status=SUCCEED service=sshd tty=ssh client=::1 challenge=EMAIL

 

Oct 9 16:54:54 engcen6 adclient[1642]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|500|PAM open session granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=28686 utc=1507586094795 centrifyEventID=24500 DASessID=164686bd-7524-5040-99d1-287982aa3a58 DAInst=DefaultInstallation status=GRANTED service=sshd tty=ssh client=192.168.81.11 

 

Centrify Privilege Elevation Events: These events are generated when a user elevates privilege on a Windows or *nix machine. On Windows, dzagent writes the DirectAuthorize event to the Application event log (EventCode 6031 in the sample below, shown first as the event log record and then as the equivalent dzagent syslog line); note that the role the user logged on with is recorded. On *nix, dzdo writes an AUDIT_TRAIL event (centrifyEventID=30000) that records the command, the runas user and the role that granted it, which is exactly what a SIEM rule for root-level activity needs.

10/06/2017 04:50:11 PM LogName=Application SourceName=Centrify AuditTrail V2 EventCode=6031 EventType=4 Type=Information ComputerName=member.centrify.vms User=NOT_TRANSLATED Sid=S-1-5-21-3883016548-1611565816-1967702834-1107 SidType=0 TaskCategory=%1 OpCode=Info RecordNumber=53381 Keywords=Classic Message=Product: Centrify Suite Category: DirectAuthorize - Windows Event name: Console login success Message: User successfully logged on locally using role 'ROLE_SYSTEM_Archt/Global'.

Oct 06 16:50:11 member.centrify.vms dzagent[1632]: INFO AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|31|Console login success|5|user=dwirth@centrify.vms userSid=S-1-5-21-3883016548-1611565816-1967702834-1107 sessionId=5 centrifyEventID=6031 DAInst=DefaultInstallation DASessID=c0f76cae-a56f-481d-bd3c-da7e708b02e0 role=ROLE_SYSTEM_Archt/Global desktopguid=86c6bf43-baa1-46d9-a35c-54e6bdf033d8 entityname=centrify.vms\\MEMBER$ mfarequired=False

 

Oct 3 17:07:42 engcen6 adclient[9586]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|dzdo granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=28570 utc=1507068462898 centrifyEventID=30000 DASessID=5ee96dfb-9ffb-3d49-9ac9-4b78139698e2 DAInst=DefaultInstallation status=GRANTED service=dzdo command=/sbin/service runas=root role=ROLE_SYSTEM_Archt/Global env=(none)

 

Cloud.Core.Server.Account.PasswordExport: These events are generated every time a password is checked out through Centrify's Infrastructure Service. For a local account, as in the sample below, the EventType is Cloud.Server.LocalAccount.PasswordExport. The record carries the account (AccountName, AccountID), the target system (ComputerName, ComputerFQDN), the requesting user (NormalizedUser, UserGuid) and the source address (ClientIPAddress); WhenDueBack is the time the checkout expires, and CheckedOut="True" confirms the secret actually left the vault.

Oct 10 11:19:39 engcen6 centrify-syslog-writer[141]: INFO Centrify|Cloud.Server|Cloud.Server.LocalAccount.PasswordExport| AuthMethod="UserPassword" ComputerName="CentOs-Server" AccountName="root" FromIPAddress="216.112.107.101" ThreadType="RestCall" RequestUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" InternalTrackingID="d7cde9b6c9be4df7af9705452750e633" UserGuid="c4a3c58b-e44f-4eb0-91db-d6ed0cc79f62" AuthorityID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" CheckedOut="True" AuthorityFQDN="192.168.81.26" Level="Info" AuthoritySource="192.168.81.26" Tenant="AAA3182" DirectoryServiceNameLocalized="Active Directory (centrify.vms)" RequestHostName="216.112.107.101" RequestDeviceOS="Mac" InternalSessionId="241fb34e-cef1-4807-a72b-255293eb593f" whenoccurreddate="2017-10-10T16:15:48.986000Z" AzRoleName="WebRole" AzDeploymentId="17c473add8114981bf6e6d94a556c69e" WhenOccurred="/Date(1507652148986)/" WhenLogged="/Date(1507652148986)/" WhenDueBack="/Date(1507655748736)/" ID="772af005d470729b.W03.7845.fcd2628f875acc14" AccountID="2ce889e8-b74b-4c1f-8283-1ca677a3d1f0" UserType="User" EventMessage="dwirth@centrify.vms checked out local account "root" password for "CentOs-Server"(192.168.81.26)" EventType="Cloud.Server.LocalAccount.PasswordExport" ComputerFQDN="192.168.81.26" AuthorityType="Local" DirectoryServiceUuid="1281dec1-2c1d-758e-a667-d4f7b2fd9972" NormalizedUser="dwirth@centrify.vms" AuthorityName="CentOs-Server" DirectoryServiceName="AdProxy" AzRoleId="WebRole_IN_3" RequestIsMobileDevice="False" ComputerID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" ClientIPAddress="216.112.107.101"

 

Cloud.Core.Server.Account.SessionStart: This event is generated when a remote session is started through the platform. The sample below is an SSH session (JumpType="Ssh") to CentOs-Server using the local root account; SessionGuid identifies the session, and the same AccountID appears as in the checkout event, which lets you tie a session back to the password checkout that preceded it.

Oct 10 11:19:39 engcen6 centrify-syslog-writer[141]: INFO Centrify|Cloud.Server|Cloud.Server.LocalAccount.SessionStart| AuthMethod="None" ComputerName="CentOs-Server" SessionGuid="572c0ba3-5b64-4128-933c-c3cc5bd8576b" FromIPAddress="216.112.107.101" ThreadType="Hub" RequestUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" InternalTrackingID="0531b5759fd44a18b586fb615561eeac" UserGuid="c4a3c58b-e44f-4eb0-91db-d6ed0cc79f62" AuthorityID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" AccountName="root" Level="Info" JumpType="Ssh" AuditState="None" SessionType="PV" Tenant="AAA3182" DirectoryServiceNameLocalized="Active Directory (centrify.vms)" RequestHostName="216.112.107.101" RequestDeviceOS="Mac" whenoccurreddate="2017-10-10T16:16:28.593000Z" AzRoleName="WebRole" AzDeploymentId="17c473add8114981bf6e6d94a556c69e" WhenOccurred="/Date(1507652188593)/" WhenLogged="/Date(1507652188593)/" ID="772af005bcd4e790.W00.8742.fcd2628f875acc14" AccountID="2ce889e8-b74b-4c1f-8283-1ca677a3d1f0" UserType="User" EventMessage="dwirth@centrify.vms logged in to system "CentOs-Server"(192.168.81.26) using local account "root" via Ssh" EventType="Cloud.Server.LocalAccount.SessionStart" ComputerFQDN="192.168.81.26" AuthorityFQDN="192.168.81.26" AuthorityType="Local" DirectoryServiceUuid="1281dec1-2c1d-758e-a667-d4f7b2fd9972" NormalizedUser="dwirth@centrify.vms" AuthorityName="CentOs-Server" DirectoryServiceName="AdProxy" AzRoleId="WebRole_IN_0" RequestIsMobileDevice="False" ComputerID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" AuthoritySource="192.168.81.26" ClientIPAddress="216.112.107.101"

 

Cloud.Core.Server.Account.SessionTerminate: When an administrator notices something suspicious and terminates the session, this is the event that is generated. NormalizedUser is the administrator who terminated the session and SessionUser is the user whose session was terminated (the same user in the sample below).

Oct 10 11:19:39 engcen6 centrify-syslog-writer[141]: INFO Centrify|Cloud.Server|Cloud.Server.LocalAccount.SessionTerminate| AuthMethod="UserPassword" ComputerName="CentOs-Server" AccountName="root" FromIPAddress="216.112.107.101" ThreadType="RestCall" RequestUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" InternalTrackingID="33518d47b8b84294896c30a93827ec9f" UserGuid="c4a3c58b-e44f-4eb0-91db-d6ed0cc79f62" AuthorityID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" AuthorityFQDN="192.168.81.26" Level="Info" AuthoritySource="192.168.81.26" Tenant="AAA3182" DirectoryServiceNameLocalized="Active Directory (centrify.vms)" RequestHostName="216.112.107.101" RequestDeviceOS="Mac" InternalSessionId="241fb34e-cef1-4807-a72b-255293eb593f" whenoccurreddate="2017-10-10T16:17:08.793000Z" AzRoleName="WebRole" AzDeploymentId="17c473add8114981bf6e6d94a556c69e" WhenOccurred="/Date(1507652228793)/" WhenLogged="/Date(1507652228793)/" ID="772af005a4dee3d8.W00.874a.fcd2628f875acc14" AccountID="2ce889e8-b74b-4c1f-8283-1ca677a3d1f0" UserType="User" EventMessage="dwirth@centrify.vms terminated a session created by user "dwirth@centrify.vms" on system CentOs-Server(192.168.81.26) using local account "root"" EventType="Cloud.Server.LocalAccount.SessionTerminate" ComputerFQDN="192.168.81.26" SessionUser="dwirth@centrify.vms" AuthorityType="Local" DirectoryServiceUuid="1281dec1-2c1d-758e-a667-d4f7b2fd9972" NormalizedUser="dwirth@centrify.vms" AuthorityName="CentOs-Server" DirectoryServiceName="AdProxy" AzRoleId="WebRole_IN_0" RequestIsMobileDevice="False" ComputerID="27878df3-3f3f-4b6e-97e9-ed4e7c50dc35" ClientIPAddress="216.112.107.101"

 

Cloud.Saas.Application.AppLaunch: These events are generated when a user launches an App. The sample below records the ApplicationName and TemplateName, the user's source address and the directory the user came from (DirectoryServiceName="CDS", i.e. the Centrify Directory, as opposed to AdProxy for Active Directory in the earlier samples).

Jun 30 10:53:24 engcen6 centrify-syslogger[6563]: INFO Centrify|Cloud.Saas|Cloud.Saas.Application.AppLaunch| WhenLogged="/Date(1498755631290)/" WhenOccurred="/Date(1498755631290)/" AzDeploymentId="4c24f29f574e40569980f4ada1122e23" ThreadType="RestCall" UserGuid="c2c7bcc6-9560-44e0-8dff-5be221cd37ee" ClientIPAddress="216.112.107.101" AzRoleName="WebRole" RequestUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" InternalSessionId="9e841bca-d249-4d71-bd32-c8048a8b94cd" whenoccurreddate="2017-06-29T17:00:31.290000Z" TemplateName="Generic Bookmark" AuthMethod="UserPassword" EventMessage="User cloudadmin@s.veerapuneni.01 launched Bookmark from 216.112.107.101" Tenant="AAA3182" DirectoryServiceName="CDS" DirectoryServiceUuid="09B9A9B0-6CE8-465F-AB03-65766D33B05E" RequestHostName="216.112.107.101" RequestDeviceOS="Mac" FromIPAddress="216.112.107.101" InternalTrackingID="8bcb0d77815e4dcfa92d51356a49a97f" ApplicationName="Bookmark" AzRoleId="WebRole_IN_3" Level="Info" DirectoryServiceNameLocalized="Centrify Directory" NormalizedUser="cloudadmin@s.veerapuneni.01" ApplicationID="2d8a40a6-70ca-44e5-b661-cab7708f56d5" EventType="Cloud.Saas.Application.AppLaunch" ID="772b40efa6358d03.W03.0c71.841df0f4c1d5122f" ApplicationType="Web" RequestIsMobileDevice="False" 

 

Centrify Advanced Monitoring Events: These events are generated when Advanced Monitoring is enabled. The sample below records a failed attempt to modify a monitored file: the syscall (unlink), the exit code (-2, i.e. ENOENT), the command and its arguments, and the audit uid (auid=dwirth), which preserves the original login identity even though the process ran as root (uid=root, euid=root).

Oct 6 11:56:17 engcen6 adclient[1642]: INFO AUDIT_TRAIL|Centrify Suite|DirectAudit Advanced Monitoring|1.0|301|Monitored file modification attempt failed|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=18500 utc=1507308977433 centrifyEventID=57301 DASessID=N/A DAInst=DefaultInstallation status=FAILED syscall=unlink exitcode=-2 timestamp=1507308977.433 auid=dwirth uid=root procid=18500 ppid=18499 gid=root euid=root cwd=/ accType=2 cmd=/sbin/chkconfig argc=1 args=/etc/rc5.d/
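Forwarding these records to a SIEM is only useful if the SIEM can split them into fields and join them on the user. As an added example (my own code, not the post's and not a Centrify tool), here is a small Python parser for the two record layouts shown above, the cloud syslog-writer format (`Centrify|family|EventType| Key="value" ...`, where values such as EventMessage contain unescaped quotes) and the agent format (`AUDIT_TRAIL|product|category|version|eventnum|eventname|severity|k=v ...`), followed by three checks a SIEM rule would run: failed MFA, dzdo grants running as root, and the checkout/session/terminate chain for a vaulted account. The sample lines are constructed, abridged copies of the records in this post; the function names and the shape of the returned records are my own choices.

```python
"""Parse the two Centrify audit record layouts shown above and run a few SIEM-style checks."""
import re
from collections import defaultdict

# Cloud syslog-writer events:  ... INFO Centrify|<family>|<EventType>| Key="value" Key="value" ...
CLOUD_HDR = re.compile(r'INFO Centrify\|([^|]+)\|([^|]+)\|\s*(.*)$')
# A key is a word followed by =" and preceded by whitespace (or the start of the body).
# Values such as EventMessage contain unescaped quotes, so matching "[^"]*" would truncate them.
CLOUD_KEY = re.compile(r'(?:^|\s)(\w+)="')
# adclient/dzagent events:  AUDIT_TRAIL|product|category|version|eventnum|eventname|severity|k=v k=v ...
TRAIL_HDR = re.compile(r'AUDIT_TRAIL\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$')
TRAIL_KV = re.compile(r'(\w+)=(\S+)')
# user=dwirth(type:ad,dwirth@CENTRIFY.VMS)  ->  dwirth@CENTRIFY.VMS
PRINCIPAL = re.compile(r'\(type:\w+,([^)]+)\)')


def parse_cloud_kv(body):
    """Split 'Key="value" Key="value"': a value runs until the next Key=" token (or end of line)."""
    keys = list(CLOUD_KEY.finditer(body))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        value = body[m.end():end].rstrip()
        fields[m.group(1)] = value[:-1] if value.endswith('"') else value
    return fields


def parse_event(line):
    """Return {source, event_type, user, fields} for a Centrify record, or None for anything else."""
    m = CLOUD_HDR.search(line)
    if m:
        fields = parse_cloud_kv(m.group(3))
        return {"source": "cloud", "event_type": m.group(2),
                "user": fields.get("NormalizedUser", "").lower(), "fields": fields}
    m = TRAIL_HDR.search(line)
    if m:
        _product, category, _version, _num, name, _severity, kv = m.groups()
        fields = dict(TRAIL_KV.findall(kv))
        p = PRINCIPAL.search(fields.get("user", ""))          # Unix agents wrap the principal
        user = (p.group(1) if p else fields.get("user", "")).lower()  # Windows dzagent gives it bare
        return {"source": "agent", "event_type": f"{category}/{name}", "user": user, "fields": fields}
    return None


def parse_all(lines):
    return [e for e in (parse_event(l) for l in lines) if e]


def mfa_failures(events):
    """Cloud.Core.MfaSummary with MfaResult=Failed: (user, client IP, reason)."""
    return [(e["user"], e["fields"].get("ClientIPAddress"), e["fields"].get("FailReason"))
            for e in events if e["source"] == "cloud" and e["event_type"] == "Cloud.Core.MfaSummary"
            and e["fields"].get("MfaResult") == "Failed"]


def root_elevations(events):
    """dzdo grants that run as root: (user, command, role that authorised it)."""
    return [(e["user"], e["fields"].get("command"), e["fields"].get("role"))
            for e in events if e["source"] == "agent" and e["fields"].get("service") == "dzdo"
            and e["fields"].get("status") == "GRANTED" and e["fields"].get("runas") == "root"]


def checkout_sessions(events):
    """Stitch PasswordExport -> SessionStart -> SessionTerminate per (user, AccountID), in log order."""
    timeline = defaultdict(list)
    for e in events:
        if e["source"] == "cloud" and ".LocalAccount." in e["event_type"]:
            timeline[(e["user"], e["fields"].get("AccountID"))].append(e["event_type"].rsplit(".", 1)[1])
    return dict(timeline)


def activity_by_user(events):
    """The identity join: every event type seen for each normalised principal, across cloud and agents."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["event_type"])
    return dict(by_user)


# Constructed sample input: abridged copies of the records shown in this post (fields trimmed, values kept).
SAMPLE_LINES = [
    'Oct 9 16:54:09 engcen6 centrify-syslog-writer[97]: INFO Centrify|Cloud.Core|Cloud.Core.MfaSummary| '
    'FactorCount="1" EventType="Cloud.Core.MfaSummary" EventMessage="Authentication using UP, result: Failed" '
    'ClientIPAddress="216.112.107.101" NormalizedUser="dwirth@centrify.vms" '
    'FailReason="Challenge not answered or answered incorrectly" MfaResult="Failed"',
    'Oct 9 16:54:54 engcen6 adclient[1642]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|500|PAM open session granted|5|'
    'user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=28686 centrifyEventID=24500 status=GRANTED service=sshd tty=ssh client=192.168.81.11',
    'Oct 3 17:07:42 engcen6 adclient[9586]: INFO AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|dzdo granted|5|'
    'user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=28570 centrifyEventID=30000 status=GRANTED service=dzdo '
    'command=/sbin/service runas=root role=ROLE_SYSTEM_Archt/Global env=(none)',
    r'Oct 06 16:50:11 member.centrify.vms dzagent[1632]: INFO AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|31|Console login success|5|'
    r'user=dwirth@centrify.vms sessionId=5 centrifyEventID=6031 role=ROLE_SYSTEM_Archt/Global entityname=centrify.vms\\MEMBER$ mfarequired=False',
    'Oct 10 11:19:39 engcen6 centrify-syslog-writer[141]: INFO Centrify|Cloud.Server|Cloud.Server.LocalAccount.PasswordExport| '
    'AccountName="root" CheckedOut="True" AccountID="2ce889e8-b74b-4c1f-8283-1ca677a3d1f0" '
    'EventMessage="dwirth@centrify.vms checked out local account "root" password for "CentOs-Server"(192.168.81.26)" '
    'EventType="Cloud.Server.LocalAccount.PasswordExport" NormalizedUser="dwirth@centrify.vms"',
    'Oct 10 11:19:39 engcen6 centrify-syslog-writer[141]: INFO Centrify|Cloud.Server|Cloud.Server.LocalAccount.SessionStart| '
    'AccountName="root" JumpType="Ssh" AccountID="2ce889e8-b74b-4c1f-8283-1ca677a3d1f0" '
    'EventType="Cloud.Server.LocalAccount.SessionStart" NormalizedUser="dwirth@centrify.vms"',
    'Oct 10 11:19:39 engcen6 centrify-syslog-writer[141]: INFO Centrify|Cloud.Server|Cloud.Server.LocalAccount.SessionTerminate| '
    'AccountName="root" AccountID="2ce889e8-b74b-4c1f-8283-1ca677a3d1f0" '
    'EventMessage="dwirth@centrify.vms terminated a session created by user "dwirth@centrify.vms" on system CentOs-Server(192.168.81.26) using local account "root"" '
    'EventType="Cloud.Server.LocalAccount.SessionTerminate" SessionUser="dwirth@centrify.vms" NormalizedUser="dwirth@centrify.vms"',
]

if __name__ == "__main__":
    events = parse_all(SAMPLE_LINES)
    print("MFA failures:", mfa_failures(events))
    print("root via dzdo:", root_elevations(events))
    print("checkout chains:", checkout_sessions(events))
    print("per-user activity:", activity_by_user(events))
```

The two things worth copying into a real SIEM rule are the quote handling (a `Key="[^"]*"` extraction silently truncates EventMessage on the checkout and terminate events) and the lower-cased principal: the agents log `dwirth@CENTRIFY.VMS` while the cloud logs `dwirth@centrify.vms`, and a case-sensitive join would split one user's trail into two.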

 

Where to find these audit logs?

The audit events are written locally: to syslog on *nix hosts and to the Windows Application event log on Windows hosts, so your existing syslog or Windows event forwarding picks them up. For the Identity Services platform, there is an early-access (EA) syslog writer (the centrify-syslog-writer process seen in the cloud samples above) that pulls the event logs from the cloud and forwards them to an existing syslog server.


 

Summary

  • Centrify audit logs capture events in either syslog or the Windows event log. Refer to the audit events documentation for Identity Services and for Infrastructure Services; these documents comprehensively cover all Centrify audit events across the Centrify Identity Services Platform.
  • Centrify audit events are stored locally in the standard locations on Windows and *nix, which makes it easy to forward them to your SIEM or other tool of choice.
  • Centrify audit events identify the user consistently across Portal, Apps and Infrastructure: the cloud events carry NormalizedUser and UserGuid, and the agent AUDIT_TRAIL events carry the same directory principal (for example dwirth@centrify.vms in the samples above), so a SIEM can join the whole trail on that identity.
