
ARS 7.1 AD changes only as impersonate User

Hello,

When we do changes within the ARS Console, this seems to be done always with the Quest Service User.

When I check the AD Logs I only see this Name.

Is there a possibility to change this, so we see the Credentials of the User who changed it instead of the Service User?

Kind Regards, Peter

  • Hi Peter,

    To my knowledge, this is only possible with a 3rd party solution which is "Active Roles aware", such as for example Quest Change Auditor. With that utility, you can deploy ARS integration scripts which record the actual user ("initiator") of a change rather than the ARS service account. I'm not aware of any native ways to see this in regular event logs.

    Bye,
    Michiel
  • Hi Peter

    The name of the actual original initiator of the transaction (along with the target object, before and after attribute values etc.) appears in the event log entries generated by the ActiveRoles administrative service on each of your ActiveRoles servers in ActiveRoles' own event log.

    I recommend to my customers that they archive these logs for later forensic review.

    'Hope this helps.

    John
  • Hello and Thank you for the Feedback.

    Is it also possible to push these Logs to Graylog for example?
    Does anybody have experience with this?

    Thanks & Kind Regards,

    Peter
  • It's a regular Windows event log - all the standard fields plus a number of replacement strings in the Description fields. As long as your Graylog solution can ingest regular Windows event logs (EVT files), you should be fine. The only "trick" is parsing out the replacement strings (a Windows event log construct) in the description of each event. This is where you will find the event details I mentioned above. If Graylog works with Windows logs, it may even offer you a tool that lets you analyze a sample Windows event to help you isolate these strings so you can pull them into reports etc.
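
The parsing step described in the last reply, as an added example that is not part of the original thread or of Quest's own tooling: it takes one event in the standard Windows event XML schema, extracts the replacement strings in order, and builds a GELF 1.1 message for Graylog. The sample event, its provider name, the event ID and the meaning given to each string position are constructed placeholders; the index-to-name map is an assumption to be filled in after inspecting a real event from your own server.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample. Provider name, event ID and the order and meaning of the
# <Data> strings are placeholders, not values taken from an Active Roles server.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ExampleAdminService"/>
    <EventID>1000</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.500000000Z"/>
    <Computer>ars01.example.test</Computer>
  </System>
  <EventData>
    <Data>peter@example.test</Data>
    <Data>CN=Jane Doe,OU=Staff,DC=example,DC=test</Data>
    <Data>telephoneNumber</Data>
    <Data/>
    <Data>+1 555 0100</Data>
  </EventData>
</Event>"""

def replacement_strings(event_xml):
    """Return (System element, list of <Data> values in document order)."""
    root = ET.fromstring(event_xml)
    # An empty <Data/> is a real (empty) string; keep it so indexes do not shift.
    strings = [d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)]
    return root.find("e:System", NS), strings

def epoch_seconds(system_time):
    """Convert SystemTime (UTC, up to 9 fractional digits) to Unix seconds."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    whole = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return whole.timestamp() + float("0." + (frac or "0"))

def to_gelf(event_xml, field_map):
    """Build a GELF 1.1 dict; field_map maps a string index to a field name."""
    system, strings = replacement_strings(event_xml)
    event_id = system.findtext("e:EventID", namespaces=NS)
    msg = {"version": "1.1",
           "host": system.findtext("e:Computer", namespaces=NS),
           "short_message": f"{system.find('e:Provider', NS).get('Name')} event {event_id}",
           "timestamp": epoch_seconds(system.find("e:TimeCreated", NS).get("SystemTime")),
           "_event_id": int(event_id)}
    for i, value in enumerate(strings):
        # Unmapped strings keep a positional name so nothing is silently dropped.
        msg["_" + field_map.get(i, f"string_{i}")] = value
    return msg
```

Calling `to_gelf(SAMPLE_EVENT, {0: "initiator", 1: "target_dn"})` yields `_initiator` and `_target_dn` fields plus `_string_2` to `_string_4` for the positions not yet named, which makes it easy to see which index still needs a label.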