Centrify Server Suite

 

The JSA DSM for Centrify Server Suite collects events from Centrify Server Suite standard logs.

The following table describes the specifications for the Centrify Server Suite DSM:

Table 1: Centrify Server Suite DSM Specifications

| Specification | Value |
|---|---|
| Manufacturer | Centrify |
| DSM name | Centrify Server Suite |
| RPM file name | DSM-CentrifyServerSuite-JSA_version-build_number.noarch.rpm |
| Supported versions | Centrify Server Suite 2017 |
| Protocol | Syslog and WinCollect |
| Event format | name-value pair (NVP) |
| Recorded event types | Audit Events |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | Centrify website (https://www.centrify.com/support/documentation/server-suite/) |

To integrate Centrify Server Suite with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA Event Collector:

    • DSMCommon RPM

    • Centrify Server Suite DSM RPM

    Note

    If you use the WinCollect protocol configuration option, install the latest WinCollect agent bundle (.sfs file) on your JSA Event Collector.

  2. Configure your UNIX, Linux, or Windows device where the Centrify Server Suite standard logs are available to send syslog or Windows events to JSA.

  3. If JSA does not automatically detect the log source, add a Centrify Server Suite log source on the JSA console.

    The following table describes the parameters that require specific values to collect events from Centrify Server Suite:

    Table 2: Centrify Server Suite Log Source Parameters

    | Parameter | Value |
    |---|---|
    | Log Source type | Centrify Server Suite |
    | Protocol Configuration | Syslog |
    | Log Source Identifier | The IP address or host name of the UNIX, Linux, or Windows device that sends Centrify Server Suite events to JSA. |

  4. To verify that JSA is configured correctly, review the following table to see an example of a normalized event message.

    The following table shows a sample event message from Centrify Server Suite:

    Table 3: Centrify Server Suite Sample Message

    Event name: Remote login success
    Low level category: Remote Access Login Succeeded
    Sample log message: <13>May 09 20:58:48 127.1.1.1 AgentDevice=WindowsLog AgentLogFile=Application PluginVersion=7.2.6.39 Source=Centrify AuditTrail V2 Computer=CentrifyWindowsAgent.Centrify.lab OriginatingComputer=127.1.1.1 User=Administrator Domain=CENTRIFY EventID=6003 EventIDCode=6003 EventType=4 EventCategory=4 RecordNumber=1565 TimeGenerated=1494374321 TimeWritten=1494374321 Level=Informational Keywords= ClassicTask=None Opcode=Info Message=Product: Centrify Suite Category: Direct Authorize - Windows Event name: Remote login success Message: User successfully logged on remotely using role 'Windows Login/CentrifyTest'. May 09 16:58:41 centrifywindowsagent.centrify.lab dzagent[2008]: INFO AUDIT_TRAIL|Centrify Suite|DirectAuthorize - Windows|1.0|3|Remote login success|5|user=username userSid=domain\username sessionId=6 centrifyEventID=6003 DAInst=N/A DASessID=N/A role=Windows Login/CentrifyTest desktopguid=7678b35e-00d0-4ddf-88f5-6626b8b1ec4b

    Event name: The user logged in to the system successfully
    Low level category: User Login Success
    Sample log message: <38>May 4 23:45:19 hostname adclient[1472]: INFO AUDIT_TRAIL|Centrify Suite|Centrify Commands|1.0|200|The user login to the system successfully|5|user=root pid=2986 utc=1493952319951 centrifyEventID=18200 DASessID=c6b7551c-31ea-8743-b870-cdef47393d07 DAInst=Default Installation status=SUCCESS service=sshd tty=/dev/pts/2
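
When an event does not appear in JSA as expected, it helps to confirm on the sending host that the AUDIT_TRAIL record itself is intact before looking at the log source configuration. The following Python sketch is an added example, not part of the DSM or of Centrify's tooling. It parses the pipe-delimited header and the name-value pairs shown in the sample messages above. The header field names and the two extra sample lines are assumptions made for the example.

```python
import re

# Assumed names for the six pipe-delimited header fields; the page shows their
# positions in the sample but does not name them.
HEADER = ("product", "category", "version", "event_code", "event_name", "severity")
# A value runs until the next " key=" token, so "Default Installation" stays whole.
NVP_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

def parse_audit_trail(line):
    """Return the AUDIT_TRAIL record in a syslog line as a dict, or None."""
    start = line.find("AUDIT_TRAIL|")
    if start == -1:
        return None  # no audit-trail record in this line
    parts = line[start:].split("|", len(HEADER) + 1)
    if len(parts) != len(HEADER) + 2:
        return None  # header cut short, e.g. by syslog truncation
    event = dict(zip(HEADER, (p.strip() for p in parts[1:-1])))
    event["fields"] = dict(NVP_RE.findall(parts[-1]))
    return event

def triage(lines):
    """Separate parsed audit events from lines whose audit record is malformed."""
    events, malformed = [], []
    for line in lines:
        event = parse_audit_trail(line)
        if event is not None:
            events.append(event)
        elif "AUDIT_TRAIL" in line:
            malformed.append(line)
    return events, malformed

# First line: the adclient sample from Table 3 as one unbroken line.
# The other two lines are constructed for this example.
SAMPLE_LINES = [
    "<38>May 4 23:45:19 hostname adclient[1472]: INFO AUDIT_TRAIL|Centrify Suite|"
    "Centrify Commands|1.0|200|The user login to the system successfully|5|"
    "user=root pid=2986 utc=1493952319951 centrifyEventID=18200 "
    "DASessID=c6b7551c-31ea-8743-b870-cdef47393d07 DAInst=Default Installation "
    "status=SUCCESS service=sshd tty=/dev/pts/2",
    "<38>May 4 23:45:20 hostname adclient[1472]: INFO daemon heartbeat",
    "<38>May 4 23:45:21 hostname adclient[1472]: INFO AUDIT_TRAIL|Centrify Suite|Centrify",
]

if __name__ == "__main__":
    events, malformed = triage(SAMPLE_LINES)
    for e in events:
        f = e["fields"]
        print(e["event_name"], f.get("user"), f.get("service"), f.get("status"))
    print("malformed audit records:", len(malformed))
```

Lines reported as malformed carry the AUDIT_TRAIL marker but an incomplete header, which usually points at truncation on the forwarding path rather than at the DSM.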