
Re: DirectAudit - Logon logoff tracking


Welcome to the Centrify Express community

 

Although your question is related to one of your commercial products (DirectAudit) we are happy to provide guidance.

In addition, when posting, if we have an idea of the OSs involved and the versions of the Centrify software, this goes a long way toward providing you a great answer.

 

Auditing of login and logoff events with DirectControl

Even without DirectAudit, you can still get information about these events.  Centrify logs to the syslog facility and provides

The Centrify DirectControl client will log things appropriately.  For example, I logged in to my CentOS demo system with my user lisa.

The messages log shows on successful login:

Jul 27 12:53:37 engcen6 adclient[1561]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=lisa(type:ad,lisa.simpson@CENTRIFY.VMS) pid=18103 utc=1469642017856 centrifyEventID=24100 status=GRANTED service=sshd tty=ssh client=192.168.81.11

Note that the INFO AUDIT_TRAIL events will allow you to identify Centrify events. In this case the ID is 24100.

In the secure log, you'll see this:

 pam_unix(sshd:session): session opened for user lisa by (uid=0)

Note also that similar events are logged when the user fails to log in:

Jul 27 12:53:09 engcen6 adclient[1561]: WARN  <fd:25 PAMVerifyPassword > audit User 'lisa' not authenticated: bad password
Jul 27 12:53:09 engcen6 adclient[1561]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=lisa(type:ad,lisa.simpson@CENTRIFY.VMS) pid=18102 utc=1469641989441 centrifyEventID=24101 status=DENIED service=sshd tty=ssh client=192.168.81.11 reason=Authentication failure

In this case, the user was unable to log in due to a failed password.

 

When logging off, it's the same sequence:

Jul 27 13:04:32 engcen6 adclient[1561]: INFO  AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|102|SSHD connection close successfully|5|user=lisa(type:ad,lisa.simpson@CENTRIFY.VMS) pid=18100 utc=1469642672856 centrifyEventID=27102 status=SUCCESS service=ssh-connection tty=(no tty) authMechanism=keyboard-interactive client=192.168.81.11 reason=CONNECTION_CLOSE(connection is closed.)

Jul 27 13:04:32 engcen6 sshd[18100]: pam_unix(sshd:session): session closed for user lisa

On privilege elevation, we provide the same level of granularity.

 

For example, Diana (dwirth) elevated to root for me to capture these logs:

Jul 27 12:49:27 engcen6 adclient[1561]: INFO  AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|dzdo granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=18044 utc=1469641767409 centrifyEventID=30000 status=GRANTED service=dzdo command=/bin/su runas=root role=UNIX Sysadmin/Global env=(none)
Jul 27 12:49:34 engcen6 dzdo: dwirth : TTY=pts/1 ; PWD=/home/dwirth ; USER=root ; COMMAND=/bin/su -

 

Auditing of login and logoff events with DirectAudit

Now, DirectAudit focuses on session capture and replay; however, if you have the DirectAudit Console, you'll see events like this:

[Screenshot: da-events.png]

Note that you can see both session initiation and close as well as privilege elevation events. If I had done something with my Windows systems, you'd be able to see those too.

 

Session Transcription

With DA, you can also see the transcription of what happens on a session

[Screenshot: trans.png]

 

Session Replay

[Screenshot: Untitled.jpg]

The truncated screenshot above shows the Centrify player, in which you can play, fast-forward, and rewind your UNIX or Windows sessions.

 

As you can see, we can not only meet but exceed your requirements. Some resources:

 

May I now ask?

- Are you in the middle of an evaluation or have you purchased the software?

Either way, you should have a tech lead providing you guidance all the way, or if you purchased the solution, you should have training allocated to close the cognitive gap.

- Do you need access to the documentation? We would be happy to point you in the right direction.

 

Let us know and we will guide you in the right direction.
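The AUDIT_TRAIL records quoted in the reply above are regular syslog text, so they can be consumed by any log pipeline without DirectAudit. The following is an added example (not code from Centrify or from the poster) that parses those lines into structured events and runs three defender-side checks over them: repeated PAM denials (centrifyEventID 24101) per user and client, every dzdo elevation (30000) with the role it ran under, and a logon/logoff timeline built from 24100 and 27102. The field layout (pipe-separated header, then space-separated key=value pairs whose values may themselves contain spaces) is taken from the lines on the page; the two extra denied lines at 12:52 are constructed to push the failure count over the threshold, and the threshold itself is an arbitrary assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the lines quoted in the post plus two CONSTRUCTED denied
# events (12:52:10 and 12:52:30) so the failed-login check has something to fire on.
SAMPLE_LOG = """\
Jul 27 12:52:10 engcen6 adclient[1561]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=lisa(type:ad,lisa.simpson@CENTRIFY.VMS) pid=18099 utc=1469641930000 centrifyEventID=24101 status=DENIED service=sshd tty=ssh client=192.168.81.11 reason=Authentication failure
Jul 27 12:52:30 engcen6 adclient[1561]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=lisa(type:ad,lisa.simpson@CENTRIFY.VMS) pid=18101 utc=1469641950000 centrifyEventID=24101 status=DENIED service=sshd tty=ssh client=192.168.81.11 reason=Authentication failure
Jul 27 12:53:09 engcen6 adclient[1561]: WARN  <fd:25 PAMVerifyPassword > audit User 'lisa' not authenticated: bad password
Jul 27 12:53:09 engcen6 adclient[1561]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=lisa(type:ad,lisa.simpson@CENTRIFY.VMS) pid=18102 utc=1469641989441 centrifyEventID=24101 status=DENIED service=sshd tty=ssh client=192.168.81.11 reason=Authentication failure
Jul 27 12:53:37 engcen6 adclient[1561]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=lisa(type:ad,lisa.simpson@CENTRIFY.VMS) pid=18103 utc=1469642017856 centrifyEventID=24100 status=GRANTED service=sshd tty=ssh client=192.168.81.11
Jul 27 12:49:27 engcen6 adclient[1561]: INFO  AUDIT_TRAIL|Centrify Suite|dzdo|1.0|0|dzdo granted|5|user=dwirth(type:ad,dwirth@CENTRIFY.VMS) pid=18044 utc=1469641767409 centrifyEventID=30000 status=GRANTED service=dzdo command=/bin/su runas=root role=UNIX Sysadmin/Global env=(none)
Jul 27 12:49:34 engcen6 dzdo: dwirth : TTY=pts/1 ; PWD=/home/dwirth ; USER=root ; COMMAND=/bin/su -
Jul 27 13:04:32 engcen6 adclient[1561]: INFO  AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|102|SSHD connection close successfully|5|user=lisa(type:ad,lisa.simpson@CENTRIFY.VMS) pid=18100 utc=1469642672856 centrifyEventID=27102 status=SUCCESS service=ssh-connection tty=(no tty) authMechanism=keyboard-interactive client=192.168.81.11 reason=CONNECTION_CLOSE(connection is closed.)
Jul 27 13:04:32 engcen6 sshd[18100]: pam_unix(sshd:session): session closed for user lisa
"""

# syslog prefix, then the pipe-separated AUDIT_TRAIL header, then key=value pairs.
AUDIT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) adclient\[\d+\]: '
    r'INFO\s+AUDIT_TRAIL\|(?P<vendor>[^|]*)\|(?P<module>[^|]*)\|(?P<ver>[^|]*)\|'
    r'(?P<sub>[^|]*)\|(?P<name>[^|]*)\|(?P<sev>[^|]*)\|(?P<kv>.*)$'
)
# A key is a word immediately followed by '=' at the start or after whitespace.
KEY_RE = re.compile(r'(?:^|\s)(\w+)=')


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    module: str
    event_id: int
    name: str
    fields: dict


def parse_kv(text):
    """Split 'k=v k2=v2 ...' where a value may contain spaces (role=UNIX Sysadmin/Global).

    Each value runs from its '=' up to the next 'key=' token, so splitting on
    whitespace alone (which would break 'tty=(no tty)') is avoided.
    """
    matches = list(KEY_RE.finditer(text))
    out = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        out[m.group(1)] = text[m.end():end].strip()
    return out


def parse_audit_line(line):
    """Return an AuditEvent for an AUDIT_TRAIL line, or None for anything else."""
    m = AUDIT_RE.match(line)
    if not m:
        return None  # WARN lines, pam_unix lines, dzdo's own log line, etc.
    fields = parse_kv(m.group('kv'))
    return AuditEvent(m.group('ts'), m.group('host'), m.group('module'),
                      int(fields.get('centrifyEventID', -1)), m.group('name'), fields)


def parse_log(text):
    return [ev for ev in map(parse_audit_line, text.splitlines()) if ev]


def user_name(ev):
    # 'lisa(type:ad,lisa.simpson@CENTRIFY.VMS)' -> 'lisa'
    return ev.fields.get('user', '').split('(', 1)[0]


def failed_logins_by_source(events, threshold=3):
    """Count PAM denials (24101) per (user, client); return pairs at or over threshold."""
    counts = Counter()
    for ev in events:
        if ev.event_id == 24101:
            counts[(user_name(ev), ev.fields.get('client', '?'))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def privilege_elevations(events):
    """(user, runas, command, role) for every 'dzdo granted' event (30000)."""
    return [(user_name(ev), ev.fields.get('runas'), ev.fields.get('command'), ev.fields.get('role'))
            for ev in events if ev.event_id == 30000]


def session_timeline(events):
    """Logon (24100) and SSHD close (27102) entries ordered by the utc field (ms since epoch)."""
    kinds = {24100: 'logon', 27102: 'logoff'}
    return sorted((int(ev.fields['utc']), user_name(ev), kinds[ev.event_id])
                  for ev in events if ev.event_id in kinds)


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    print('repeated failures:', failed_logins_by_source(evs))
    print('elevations:', privilege_elevations(evs))
    for utc, user, kind in session_timeline(evs):
        print(utc, user, kind)
```

The utc field is used for ordering rather than the syslog timestamp because it carries millisecond resolution and is not subject to the log host's local time zone; the dzdo line written by dzdo itself (the one without AUDIT_TRAIL) is deliberately ignored, since the adclient record already holds the command, runas and role.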

