Change Auditor for VMware vCenter

VMware vCenter auditing tool tracks, reports and alerts on critical changes

Quickly track and confirm any VMware vCenter changes or day-to-day system modifications.

Change Auditor for VMware vCenter helps you ensure the security, compliance and control of event activity on VMware® vCenter Server™. It manages, audits, reports and provides alerts on all changes to the platform in real time, making VMware monitoring easy. Administrators can analyze events and changes without complexity or fear of unknown security concerns, and be confident that compliance demands are met to the satisfaction of any auditor.

Change Auditor for VMware vCenter is freeware and included with other Change Auditor modules, including all trial versions.

Features

  • At-a-glance display - Tracks user and administrator activity with detailed information including who, what, when, where, which workstation and why for change events, plus original and current values for all changes.
  • Real-time alerts on the move - Sends critical change and pattern alerts to email and mobile devices to prompt immediate action, enabling you to respond faster to threats even while you're not on site.
  • Event timeline - Enables the viewing, highlighting and filtering of change events and the relation of other events over the course of time in chronological order across your Windows environment for better understanding and forensic analysis of those events and trends.
  • Related searches - Provides instant, one-click access to all information on the change you're viewing and all related events, such as what other changes came from specific users and workstations, eliminating additional guesswork and unknown security concerns.
  • Role-based access - Configures access so auditors can run searches and reports without making any configuration changes to the application, and without requiring the assistance and time of the administrator.
  • Centralized auditing - Provides the ability to manage, monitor and audit all file server changes from a single location, which streamlines management of multiple servers and locations to a single, easy-to-use console.
  • Server configuration change auditing - Tracks changes to vCenter configuration and security, which protects against system performance issues and unwanted security gaps.
  • Event filter - Narrows searches by event type, server, users and more, enabling administrators to quickly pinpoint the source of problems by eliminating the “noise” from safe, routine events.
  • Rapid reporting - Provides preconfigured and customizable reports that satisfy auditor requests so that administrators can get back to their regular jobs quickly.
  • Web-based access with dashboard reporting - Searches from anywhere using a web browser and creates targeted dashboard reports to provide upper management and auditors with access to the information they need without having to understand architecture or administration.

Specifications

Change Auditor 6.5 System requirements

Change Auditor is made up of the following components, all of which have specific system requirements:

  • Change Auditor coordinator(s)
  • Change Auditor client
  • Change Auditor agents
  • Change Auditor workstation agents
  • Microsoft SQL Server database
  • Change Auditor web client

Change Auditor coordinator (Server-side component)

The Change Auditor coordinator is responsible for fulfilling client and agent requests.

Coordinator hardware:

  • Minimum: Quad core 2.0 GHz or better; 8 GB RAM or better
  • Recommended: Quad core 3.0 GHz or better; 32 GB RAM or better
  • Member server running on the following minimum platforms:
    • Windows Server® 2003 SP2
    • Windows Server 2003 R2
    • Windows Server 2008
    • Windows Server 2008 R2
    • Windows Server 2012 (Essentials, Standard and Datacenter)
    • Windows Server 2012 R2 (Essentials, Standard and Datacenter)

Microsoft’s Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

NOTE: Microsoft’s Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

NOTE: Microsoft’s Windows Server 2012 Foundation edition is NOT supported.

 

Coordinator software and configuration:

  • Install the Change Auditor coordinator on a dedicated member server.
  • The Change Auditor database should be configured on a separate, dedicated SQL Server instance.
    IMPORTANT: Do NOT pre-allocate a fixed size for the Change Auditor database.
  • Supported SQL Server versions:
    • Microsoft SQL Server 2008 SP1, SP2 or SP3
    • Microsoft SQL Server 2008 R2, SP1 or SP2
    • Microsoft SQL Server 2012 or SP1
    NOTE: Change Auditor does not support SQL high availability technology other than clusters.
  • The coordinator must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
  • x86 or x64 versions of Microsoft’s .NET framework 4.0 (or higher)
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • x86 or x64 versions of Microsoft SQLXML 4.0

 

Coordinator footprint:

  • Estimated hard disk space used: 200 MB
  • Estimated physical memory (RAM) used for an agent-less coordinator: 100 MB
    NOTE: Coordinator RAM usage is highly dependent on the environment, number of agent connections, and event volume.
  • Estimated database size will vary depending on the number of agents deployed and audited events captured.

IMPORTANT: Minimum permissions

User account performing the coordinator installation:

The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server:

  • Windows permissions to create and modify registry values.
  • Windows administrative permissions to install software and stop/start services.

*The user account performing the installation must be a member of the Domain Admins group in the domain where the coordinator is being installed.

Service account running the coordinator service (LocalSystem by default):

  • Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running a Change Auditor coordinator.
  • Local Administrator permissions on the coordinator server.

If you are running the coordinator under a service account (instead of LocalSystem), define a Manual connection profile where you can specify the IP address of the server hosting the Change Auditor coordinator. You can specify and select connection profiles whenever you launch the Change Auditor client. See the Dell™ Change Auditor User Guide or online help for more information on defining and selecting a connection profile.

SQL Server database access account specified during installation:

An account must be created to be used by the coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:

  • Must be assigned the db_owner role on the Change Auditor database
  • Must be assigned the SQL Server role of dbcreator

Change Auditor client (Client-side component)

The Change Auditor client connects to a Change Auditor coordinator and queries the audit event database for the desired results.

Client hardware:

  • Minimum: Dual core 2.0 GHz or better; 4 GB RAM or better
  • Recommended: Quad core 3.0 GHz or better; 8 GB RAM or better
  • A machine running on the following minimum platforms:
    • Windows Server® 2003
    • Windows Server 2003 R2
    • Windows Server 2008
    • Windows Server 2008 R2
    • Windows Server 2012 (Essentials, Standard and Datacenter)
    • Windows Server 2012 R2 (Essentials, Standard and Datacenter)
    • Windows 7 (Pro, Enterprise and Ultimate)
    • Windows 8 and 8.1 (Pro and Enterprise)

Microsoft’s Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

NOTE: Microsoft’s Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

NOTE: Microsoft’s Windows Server 2012 Foundation edition is NOT supported.

  • Screen resolution of at least 1024 x 768 with at least 256 colors

 

Client software and configuration:

  • x86 or x64 versions of Microsoft’s .NET framework 4.0 (or higher)
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • x86 or x64 versions of Microsoft SQLXML 4.0

 

Client footprint:

  • Estimated hard disk space used: 140 MB
  • Estimated physical memory (RAM) used: 150 - 500 MB

NOTE: Client RAM usage is dependent on the number of tabs you have open.

NOTE: Queries that return a lot of data can cause the client to use as much memory as required to store the results in RAM.

Change Auditor agent (Server-side component)

A Change Auditor agent can be deployed to domain controllers (DCs) and member servers to monitor the configuration changes made on these servers. The agents will then report these audit events to a Change Auditor coordinator which will insert the event details into the Change Auditor database.

 

Agent hardware:

  • Minimum: Dual core 2.0 GHz or better; 4 GB RAM or better
  • Recommended: Quad core 3.0 GHz or better; 8 GB RAM or better
  • Server running on the following minimum platforms:
    • Windows Server® 2003 SP1
    • Windows Server 2003 R2
    • Windows Server 2008
      NOTE: Windows Server 2008 Core is no longer supported because it does not support the required .NET 4.0 framework for Change Auditor 6.5 agents.
    • Windows Server 2008 R2
    • Windows Server 2008 R2 Core SP1
    • Windows Server 2012 (Essentials, Standard and Datacenter)
    • Windows Server 2012 Core (Essentials, Standard and Datacenter)
    • Windows Server 2012 R2 (Essentials, Standard and Datacenter)
    • Windows Server 2012 R2 Core (Essentials, Standard and Datacenter)

Microsoft’s Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

NOTE: Microsoft’s Windows Small Business Server 2003, 2008 and 2011 are NOT supported.

NOTE: Microsoft’s Windows Server 2012 Foundation edition is NOT supported.

NOTE: Change Auditor agent requires File and Printer Sharing on Windows Server 2008. By default, File and Printer sharing is not enabled on Windows Server 2008 installations. In order to remotely deploy agents to Windows Server 2008, enable the File and Printer sharing (SMB-in) Inbound rule in the Windows Firewall (Port 445) on the target host machine.

The File and Printer Sharing for Microsoft Networks service on the network adapter must also be enabled for remote deployment.

NOTE: Auditing of some Exchange events requires the latest Exchange service pack to be installed. Please refer to the Dell™ Change Auditor for Exchange Event Reference Guide for the minimum service packs required for Exchange events.

 

Agent software and configuration:

  • x86 or x64 versions of Microsoft’s .NET framework 4.0 (or higher)
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
  • The Change Auditor agent service depends on the following Windows services to be running:
    • DNS client
    • Remote Procedure Call (RPC)
    • Windows event log

  NOTE: Ensure communication over RPC between coordinators and agents.

 

Agent footprint:

  • Estimated hard disk space used: 120 MB + local database size + agent logs
    NOTE: Change Auditor agent log retention and content are configurable. That is, you can define how many files to retain and the level of logging.
  • Estimated physical memory (RAM) used: 60 - 100 MB
    NOTE: Agent RAM usage is dependent on the auditing modules you have licensed.

 

Agent installation is NOT compatible with the following applications:

  • Pre-5.6 versions of Change Auditor
  • SecurityManager
  • Dell™ InTrust™ plug-ins: ITAD, ITADAM, ITFA and ITEX
  • ScriptLogic Active Administrator
  • DirectoryLockdown
  • EMC EmailXtender®

IMPORTANT: Minimum permissions

Permissions required for deploying agents:

The Agent Deployment wizard runs under the security context of the currently logged on user account. Therefore, you must have administrative authority to install software on every target machine. This means you must be a Domain Admin in every domain that contains servers that you are targeting for installation.

If you are targeting domain controllers only, membership in the Enterprise Admins group will grant you authority to all domain controllers in the forest.
In addition, all users responsible for deploying Change Auditor agents must also be members of the ChangeAuditor Administrators group in the specified Change Auditor installation. If you are not a member of this security group for this installation, you will get an access denied error.

IMPORTANT: Minimum permissions

Change Auditor agents must run as LocalSystem.

 

Exchange Servers auditing requirements

Change Auditor license requirement:

  • Change Auditor for Exchange

Minimum service pack requirements:

  • Windows Server 2003 and 2003 R2:
    • Microsoft Exchange Server 2007 x64 SP1
  • Windows Server 2008 and 2008 R2:
    • Microsoft Exchange Server 2007 x64 SP1
    • Microsoft Exchange Server 2010 RTM
  • Windows Server 2008 R2 SP1:
    • Microsoft Exchange Server 2007 x64 SP1
    • Microsoft Exchange Server 2010 RTM
    • Microsoft Exchange Server 2013 CU1
  • Windows Server 2012:
    • Microsoft Exchange Server 2010 SP3
    • Microsoft Exchange Server 2013 RTM
  • Windows Server 2012 R2:
    • Microsoft Exchange Server 2013 SP1

    NOTE: Mailbox auditing and protection is NOT supported for Outlook® client connections running Exchange Server 2013 SP1 (or higher).

 

SQL Server auditing requirements

Change Auditor license requirement:

  • Change Auditor for SQL Server
Supported SQL server versions:
  • Microsoft SQL Server 2005
  • Microsoft SQL Server 2008 SP1, SP2 or SP3
  • Microsoft SQL Server 2008 R2, SP1 or SP2
  • Microsoft SQL Server 2012 or SP1

Authentication Services auditing requirements

Change Auditor license requirement:
  • Change Auditor for Authentication Services
Authentication Services versions:
  • Dell One Identity Authentication Services 4.0 (or higher)

Defender auditing requirements

Change Auditor license requirement:
  • Change Auditor for Defender
Defender versions:
  • Dell One Identity Defender 5.7 (or higher)

EMC auditing requirements

Change Auditor license requirement:
  • Change Auditor for EMC
EMC requirements:
  • EMC Celerra® Event Enabler (CEE) Framework 4.6.7 or 6.x
  • EMC VNX® Event Enabler (VEE) Framework 4.8.5 (through 5.1)
    NOTE: VNXe® is NOT supported. VNXe does not support CEPA at this time and therefore Change Auditor for EMC will NOT run successfully in VNXe environments.
  • EMC Isilon®:
    • CEE 6.3.1 (or higher)
    • Change Auditor for EMC 6.5 (or higher)
    • Requires manual configuration to audit Isilon file servers

See the Dell™ Change Auditor for EMC® User Guide for information on installing, configuring and using Change Auditor for EMC.

NetApp auditing requirements

Change Auditor license requirement:
  • Change Auditor for NetApp
NetApp requirements:
  • NetApp Filer with Data ONTAP® 7.2 (or higher)

NOTE: Clustering FPolicy was added in NetApp 8.2 but has not yet been implemented in Change Auditor.

See the Dell™ Change Auditor for NetApp® User Guide for more information on installing, configuring and using Change Auditor for NetApp.

SharePoint auditing requirements

Change Auditor license requirement:

  • Change Auditor for SharePoint

SharePoint auditing requirements:

  • SharePoint Server 2010 or 2013
  • SharePoint Foundation 2010 or 2013

See the Dell™ Change Auditor for SharePoint® User Guide for detailed information on installing, configuring and using Change Auditor for SharePoint.

VMware® auditing requirements

Change Auditor license requirement:

  • Change Auditor (any license)

VMware auditing requirements:

  • ESX/ESXi 5.0 or 5.1
  • vCenter™ 5.0 or 5.1

Exchange Online/Office 365™ auditing requirements

Change Auditor license requirement:

  • Change Auditor for Exchange 6.5 (or higher)

Office 365 platforms supported and required permissions

  • Office 365 Small Business
    • Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Administrator role for Office 365 Small Business. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).
  • Office 365 Small Business Premium
    • Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Administrator role for Office 365 Small Business Premium. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).
  • Office 365 Midsize Business
    • Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Global Administrator role for Office 365 Midsize Business. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).
  • Office 365 Enterprise
    • Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Global Administrator role for Office 365 Enterprise. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).

See the Dell™ Change Auditor for Exchange User Guide for more information on Exchange Online auditing.

SonicWALL auditing requirements

Change Auditor license requirement:

  • Change Auditor for SonicWALL

SonicWALL requirements:

  • SonicWALL firewall device running SonicOS firmware version 6.1.1.7 (or higher)
  • Firewall requirements:
    • At least one SonicWALL firewall that supports AppFlow with the ‘IPFIX with extensions’ external flow reporting format.
    • The SonicWALL firewall must support the SonicOS DPI-SSL feature for cloud or SSL-based web site activity auditing.
    • The firewall must be configured to send AppFlow data to the Change Auditor agent.

See the Dell™ Change Auditor for SonicWALL User Guide for more information on configuring and using Change Auditor for SonicWALL.

Logon Activity auditing requirements

Change Auditor license requirement:

  • Change Auditor for Logon Activity User for auditing server agents
    NOTE: See Change Auditor agent (Server-side component) for server agent system requirements.
  • Change Auditor for Logon Activity Workstation for auditing workstation agents
    NOTE: See Change Auditor workstation agent (Optional) for workstation agent system requirements.

Change Auditor workstation agent (Optional)

Change Auditor workstation agents can be deployed to capture authentication activity and logon session events from monitored workstations when the Dell™ Change Auditor for Logon Activity Workstation license is applied.

NOTE: The recommended installation for domain workstations is from the Deployment tab of the Change Auditor Windows client. However, for non-domain workstations you must manually install the Change Auditor workstation agent. See Workstation Agent Deployment for recommendations and instructions on manually deploying workstation agents.

Workstation agent hardware:

  • Minimum: 1 GHz CPU; 1 GB RAM (x86)/2 GB RAM (x64)
  • Recommended: Dual core 2.0 GHz or better; 4 GB RAM or better
  • A machine running on the following minimum platforms:
    • Windows 7 (Pro, Enterprise and Ultimate)
    • Windows 8 and 8.1 (Pro and Enterprise)
  • Microsoft’s Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

Workstation agent software and configuration:

  • x86 or x64 versions of Microsoft’s .NET framework 4.0 (or higher)
  • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
  • The Change Auditor workstation agent service depends on the following Windows services to be running:
    • DNS client
    • Remote Procedure Call (RPC)
    • Windows event log

      NOTE: Ensure communications over RPC between coordinators and agents.

    IMPORTANT: For workstation log management (such as Get Logs or View Agent Log), the following must be enabled on the workstation:
      • Windows Management Instrumentation (WMI) must be enabled in the firewall rule set (usually domain) on the workstation
      • Network Discovery and File Sharing must be enabled
      • Remote Registry Service must be set to ‘Start Automatically’. By default, this service is stopped and set to ‘Manual’ for Windows 7 and Windows 8/8.1.
  • In order to capture Authentication Activity events, you must first enable (that is, set to Success, Failure) the ‘Audit Logon events’ audit policy for all servers and workstations.
    • Domain - Group Policy:
      • Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events
    • Workgroup - Local Group Policy:
      • Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events

See the Dell™ Change Auditor for Logon Activity User Guide for more information on using Change Auditor for Logon Activity.

Change Auditor web client (Optional)

The Change Auditor web client is an optional component that is installed on the Internet Information Services (IIS) web server to provide users access to Change Auditor data through a standard or mobile web browser.

  • Application server running on the following minimum platforms:
    • Windows Server 2008 (with IIS 7 or above)
    • Windows Server 2012 (with IIS 8 or above)
  • Minimum standard browser versions supported:
    • Chrome™ 17 (or higher)
    • Firefox® 10 (or higher)
    • Internet Explorer® 9 (or higher) NOT running in Compatibility View mode
    • Safari® 5.x for Mac OS (Windows Safari is not supported)

See the Dell™ Change Auditor Web Client User Guide for more information on installing, configuring and using the web client.
