Welcome to the Centrify Forums!
I must say that this is my favorite question of the week. We have made many investments in our product portfolio in that context.
To directly answer your question: you have documentation!!! We created a consolidated log capability called Centrify Audit Trail. All events are catalogued and updated in the guide:
- Audit Trail Manual : https://docs.centrify.com/en/css/2017.2/centrify-audit-events-guide.pdf
- Table: https://docs.centrify.com/en/css/suite2016/AuditTrailEvents.pdf
- Unified search: Google Search link to docs.centrify.com
For login events, refer to Page 103.
As far as syslog facility settings in OS X, I would check with Apple, Inc.
Since this post is likely to get a lot of fans, here's a longer answer that shows the resources available as of April 2018:
How can Centrify help enrich Security Operations (Log Aggregation, SIEM, Reports, Analytics or Machine learning-based Access Control)?
Centrify Event Basics
Events generated by Centrify are catalogued and sent to a facility called Audit Trail V2 (this applies to UNIX, Linux, Windows or OS X). With the Cloud (or on-premises) based platform, all events go to the Event table.
Page 9 of the Audit Trail guide explains how things are logged in Centrify agents (syslog, event log)
For example:
This is a sample of an event that involved MFA on Windows.
Centrify Event Categories
We provide different categories of events based on the capability. For example, as you know we ship an optimized version of OpenSSH to work in complex AD environments (especially in smart card scenarios). The settings for that facility fall under 'Centrify sshd settings'.
For each capability category, you can configure if you prefer to use Direct Audit or a local file. The default is a local file.
Centrify Event Options
In general, most organizations aren't looking at scripting to do the work; most aggregate the events and send them to SIEM tools to consume. We provide native integrations with Splunk, Q-Radar and HP ArcSight.
What's the type of data you get?
Here's a few samples of the data you can get via the integrations (in this case Splunk):
Any spike in failed logins could indicate attempts at lateral movement, or a service account with an outdated password.
Unleashing the Power of the Platform
When you combine our cloud service with our agents, you get an extra layer of monitoring. For example, in this case you get a single pane of glass of user activity across web apps, mobile, UNIX, Linux and Macs - here are some dashboards:
Self-Service view:
Administrative view
Analytics Platform
If you want to take things to the next level, with analytics you get so much more (I can't do it justice), so here's a few screen shots:
General Risk
Vault-Based Security Risk
System-based security risk
Conditional Access and Machine-learned Risk
When you have Analytics, a new dimension is added to Conditional Access called Risk. This allows you to define rules for risky login or privilege elevation activities.
Reports
We provide a capability that syncs RBAC data from Active Directory stored in Centrify zones and pushes it to a SQL Server database. This can be front-ended by any reporting tool, and we also provide a Sharepoint-based report center. The idea is to produce information required for attestation or governance.
This is a great report to generate if you need to answer these questions:
- What privileges does the "Apache Web Admin" group provide?
- What role(s) are associated with it?
- What is the scope of the role assignment?
- What is the definition of the role (commands) that it provides?
Consolidated resources:
- Centrify Audit Trail Guide: https://docs.centrify.com/en/css/2017.2/centrify-audit-events-guide.pdf
- Audit Trail Events: https://docs.centrify.com/en/css/suite2016/AuditTrailEvents.pdf
- Reports Guide: https://docs.centrify.com/en/css/suite2017.1/centrify-reporting-guide.pdf
- Community resources:
  - I wrote a series about this here: https://community.centrify.com/t5/TechBlog/Security-Corner-Reviewing-your-Access-and-Privilege-Management/ba-p/26981
  - https://community.centrify.com/t5/TechBlog/How-Centrify-Extends-Audit-Trail-Events/ba-p/27498
  - https://community.centrify.com/t5/TechBlog/SIEM-Integration-Understanding-Centrify-s-Audit-Events/ba-p/29766
  - Reports: https://community.centrify.com/t5/TechBlog/LABS-Setup-and-test-the-Centrify-Reports-feature-of-Server-Suite/ba-p/22388
Conclusion
You have options. We are here to help; should you need it, please feel free to engage our Customer Success team.
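The failed-login spike the post mentions, as an added example that is not part of the original answer or of Centrify's tooling: it parses constructed audit lines (the timestamp/host/pipe-delimited layout is an assumption for the demo, not the documented Audit Trail format), counts failures per user in a sliding window, and separates the two causes the post names (many hosts versus one host hammered repeatedly).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <host> AUDIT_TRAIL|<category>|<event>|k=v|..."
# This layout is an assumption for the demo, not Centrify's documented field order.
SAMPLE_EVENTS = """\
2018-04-02T10:00:01 web01 AUDIT_TRAIL|Centrify sshd|login|status=FAILED|user=svc-backup|src=10.0.0.5
2018-04-02T10:00:31 web01 AUDIT_TRAIL|Centrify sshd|login|status=FAILED|user=svc-backup|src=10.0.0.5
2018-04-02T10:01:01 web01 AUDIT_TRAIL|Centrify sshd|login|status=FAILED|user=svc-backup|src=10.0.0.5
2018-04-02T10:01:31 web01 AUDIT_TRAIL|Centrify sshd|login|status=FAILED|user=svc-backup|src=10.0.0.5
2018-04-02T10:02:00 web01 AUDIT_TRAIL|Centrify sshd|login|status=FAILED|user=jdoe|src=10.0.0.77
2018-04-02T10:02:40 db01 AUDIT_TRAIL|Centrify sshd|login|status=FAILED|user=jdoe|src=10.0.0.77
2018-04-02T10:03:20 app02 AUDIT_TRAIL|Centrify sshd|login|status=FAILED|user=jdoe|src=10.0.0.77
2018-04-02T10:04:00 app02 AUDIT_TRAIL|Centrify sshd|login|status=SUCCESS|user=alice|src=10.0.0.9
2018-04-02T10:30:00 app02 AUDIT_TRAIL|Centrify sshd|login|status=FAILED|user=alice|src=10.0.0.9
"""

def parse_event(line):
    """Split one constructed audit line into a dict of fields."""
    ts, host, rest = line.split(" ", 2)
    fields = rest.split("|")
    kv = dict(f.split("=", 1) for f in fields[3:])
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "category": fields[1], "event": fields[2], **kv}

def failed_login_spikes(text, window=timedelta(minutes=5), threshold=3):
    """Return {user: (peak failures in any window, hosts involved)} for users
    with at least `threshold` failed logins inside `window`."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    failed = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "login" and e.get("status") == "FAILED":
            failed[e["user"]].append(e)
    alerts = {}
    for user, evs in failed.items():
        start, peak, hosts = 0, 0, set()
        for end in range(len(evs)):            # sliding window over sorted failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                peak = max(peak, count)
                hosts.update(e["host"] for e in evs[start:end + 1])
        if peak:
            alerts[user] = (peak, hosts)
    return alerts

def triage(alerts):
    """Label each spike as the post suggests: several hosts points to lateral
    movement; one host failing repeatedly points to a stale service password."""
    return {u: ("possible lateral movement" if len(h) > 1 else "likely stale credential")
            for u, (_, h) in alerts.items()}
```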