Integrating Centrify Server Suite with SIEM Tools — Part 1

Are you an existing Centrify Server Suite (CSS) customer who wants to put Centrify events into your SIEM or BI tool? Do you want to learn about the Centrify events? If so, read on!

Centrify Server Suite (CSS) is an agent-based solution for unified identity management across Windows, Linux and UNIX systems. The CSS agent can track over 300 different types of events in real time on 450+ flavors of Windows, Linux and UNIX machines. A few sample categories of CSS events are:

  • User activity events on Centrify tools
  • Log in events on Windows, Linux & UNIX
  • Privilege escalation events on Windows
  • Privileged command execution events on Linux and UNIX machines

This post walks through some of these events and how you can leverage them.

The event format we use is similar to CEF. For those of you who are unfamiliar with CEF, it is an open log format that helps with interoperability. Below is a snippet of a “log on” event that we produce on Windows when a user remotely logs into the Windows server:

[Screenshot: Windows “log on” event]

The event below is captured on a UNIX machine when a user runs a privileged command to check the status of a service:

[Screenshot: UNIX privileged command event]

The video below shows how Centrify tracks the Windows log on event and privilege activity, and then demonstrates event logging on UNIX machines for logon and privilege activity.

If you want to learn more about our events, I would urge you to take a look at the detailed events documented here (search for event list on the page).

To summarize, Centrify Server Suite customers can capture all logon and privilege activity on any Windows, Linux and UNIX machines. The events are stored in CEF format in Syslog on Linux / UNIX machines and in event logs on Windows machines.
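As an added example (not Centrify code and not from the original post), here is a small parser that pulls a CEF record out of a syslog line before it is forwarded to a SIEM. It assumes the standard CEF layout of seven pipe-delimited header fields followed by key=value extensions; the sample line is constructed, and its vendor, product, IDs and extension keys are placeholders rather than real Centrify event fields.

```python
import re

# Standard CEF header fields, in order.
HEADER = ["version", "vendor", "product", "device_version",
          "signature_id", "name", "severity"]
_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")  # extension key; an escaped '\=' never matches
_UNESC = {"n": "\n", "r": "\r"}            # '\\' and '\=' map to the character itself

def _unescape(text):
    return re.sub(r"\\(.)", lambda m: _UNESC.get(m.group(1), m.group(1)), text)

def _split_header(body):
    """Return the 7 header fields and the remaining extension text."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        if body[i] == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1]); i += 2        # escaped pipe or backslash
        elif body[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(body[i]); i += 1
    if len(fields) == len(HEADER) - 1:             # no trailing '|', no extension
        fields.append("".join(cur))
    if len(fields) != len(HEADER):
        raise ValueError("truncated CEF header")
    return fields, body[i:]

def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a dict."""
    start = line.find("CEF:")                      # skip the syslog prefix
    if start < 0:
        raise ValueError("no CEF record in line")
    fields, ext = _split_header(line[start + 4:])
    event = dict(zip(HEADER, fields))
    keys = list(_KEY.finditer(ext))
    # Each value runs up to the next key, so values may contain spaces.
    event["extension"] = {
        m.group(1): _unescape(ext[m.end():(nxt.start() if nxt else len(ext))].strip())
        for m, nxt in zip(keys, keys[1:] + [None])}
    return event

# Constructed sample line; every field value here is a placeholder.
SAMPLE = (r"Mar 21 14:47:02 host01 example[1234]: CEF:0|ExampleVendor|Example Agent"
          r"|1.0|1001|Privileged command executed|5|"
          r"user=alice cmd=systemctl status sshd msg=ran as root\=yes")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

Lines that raise ValueError are best logged and counted rather than silently dropped, so a format change on the agent side shows up as a parsing failure instead of a gap in the SIEM.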

In my next post I’ll demonstrate how you can leverage these events in your Splunk deployment. Meanwhile, you can try CSS today with a free trial of Centrify Server Suite. If you are already a customer and want to learn more, simply contact your Centrify account team.