Netwrix Auditor Administrator Guide

Download as pdf or txt
Download as pdf or txt
You are on page 1of 211

Netwrix Auditor

Administration Guide
Version: 9.95
4/27/2020
Legal Notice

The information in this publication is furnished for information use only, and does not constitute a
commitment from Netwrix Corporation of any features or functions, as this publication may describe
features or functionality not applicable to the product release or version you are using. Netwrix makes no
representations or warranties about the Software beyond what is provided in the License Agreement.
Netwrix Corporation assumes no responsibility or liability for the accuracy of the information presented,
which is subject to change without notice. If you believe there is an error in this publication, please report
it to us in writing.

Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix product
or service names and slogans are registered trademarks or trademarks of Netwrix Corporation. Microsoft,
Active Directory, Exchange, Exchange Online, Office 365, SharePoint, SQL Server, Windows, and Windows
Server are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries. All other trademarks and registered trademarks are property of their respective
owners.

Disclaimers

This document may contain information regarding the use and installation of non-Netwrix products.
Please note that this information is provided as a courtesy to assist you. While Netwrix tries to ensure
that this information accurately reflects the information provided by the supplier, please refer to the
materials provided with any non-Netwrix product and contact the supplier for confirmation. Netwrix
Corporation assumes no responsibility or liability for incorrect or incomplete information provided about
non-Netwrix products.

© 2020 Netwrix Corporation.

All rights reserved.

2/211
Table of Contents
1. Introduction 8

1.1. Netwrix Auditor Features and Benefits 8

1.2. How It Works 11

1.2.1. Workflow Stages 12

2. Launch Netwrix Auditor 13

3. Role-Based Access and Delegation 14

3.1. Compare Roles 15

3.2. Assign Roles 19

3.2.1. Understand Scopes and Assign Roles Correctly 19

3.2.2. Review Default Role Assignments 20

3.3. Provide Access to a Limited Set of Data 22

4. Monitoring Plans 24

4.1. Create a New Plan 25

4.1.1. Settings for Data Collection 25

4.1.2. Default SQL Server Instance 28

4.1.3. Database Settings 29

4.1.4. SMTP Server Settings 31

4.1.5. Email Notification Recipients 31

4.1.6. Monitoring Plan Summary 32

4.2. Manage Data Sources 32

4.2.1. Active Directory 34

4.2.2. Azure AD 37

4.2.3. Active Directory Federation Server (AD FS) 37

4.2.4. Exchange 38

4.2.5. Exchange Online 40

4.2.6. Group Policy 41

4.2.7. File Servers 42

4.2.8. Logon Activity 46

3/211
4.2.9. Network Devices 47

4.2.10. Oracle Database 47

4.2.11. SharePoint 48

4.2.12. SharePoint Online 49

4.2.13. SQL Server 50

4.2.14. User Activity 52

4.2.15. VMware 54

4.2.16. Windows Server 55

4.2.17. Netwrix API 58

4.3. Add Items for Monitoring 58

4.3.1. AD Container 60

4.3.2. Computer 62

4.3.2.1. Configure Scope 63

4.3.3. Domain 64

4.3.4. Federation Server 64

4.3.5. EMC Isilon 65

4.3.5.1. Configure the Scope 66

4.3.6. EMC VNX/VNXe/Unity 67

4.3.6.1. Configure the Scope 68

4.3.7. IP Range 70

4.3.8. NetApp 71

4.3.8.1. Configure Scope 73

4.3.9. Nutanix SMB Shares 75

4.3.9.1. Configure Scope 76

4.3.10. Office 365 Tenant 77

4.3.11. Oracle Database Instance 78

4.3.12. SharePoint Farm 78

4.3.13. SQL Server Instance 81

4.3.14. VMware ESX/ESXi/vCenter 82

4.3.15. Windows File Share 83

4.3.15.1. Configure Scope 84

4/211
4.3.15.2. Peculiarities and Considerations 85

4.3.15.3. Working with Mount Points 85

4.3.16. Integration 86

4.4. Fine-Tune Your Plan and Edit Settings 86

4.5. Launch Data Collection Manually and Update Status 88

5. Activity Summary Email 89

6. Intelligence 91

7. Settings 93

7.1. General 93

7.2. Audit Database 94

7.3. Long-Term Archive 96

7.4. Investigations 100

7.5. Notifications 102

7.6. Integrations 104

7.7. Licenses 104

7.7.1. Notes for Managed Service Providers 105

7.8. About Netwrix Auditor 107

8. Monitor Netwrix Auditor Operations and Health 108

8.1. Netwrix Auditor System Health Log 108

8.1.1. Netwrix Auditor Health Summary Email 109

8.1.2. Review Health Status Dashboard 110

8.1.2.1. Activity Records Statistics 112

8.1.2.2. Monitoring Overview 112

8.1.2.3. Health Log 115

8.1.2.4. Database Statistics 115

8.1.2.5. Long-Term Archive Capacity 117

8.1.2.6. Netwrix Auditor Working Folder 118

8.1.3. Netwrix Auditor Self-Audit 118

8.1.4. Inspect Events in Health Log 119

9. Address Specific Tasks with Netwrix Auditor Tools 122

9.1. Audit Configuration Assistant 123

5/211
9.1.1. Prerequisites 123

9.1.2. Usage 123

9.1.3. Launch Audit Configuration Assistant 124

9.1.3.1. Prerequisites 124

9.1.3.2. Procedure 124

9.1.4. Start Assessment 126

9.1.5. View Results 127

9.1.6. Complete the process 129

9.2. Manage Users with Netwrix Auditor Inactive User Tracker 129

9.3. Alert on Passwords with Netwrix Auditor Password Expiration Notifier 133

9.4. Monitor Events with Netwrix Auditor Event Log Manager 138

9.4.1. Create Monitoring Plans for Event Logs 139

9.4.2. Configure Audit Archiving Filters for Event Log 142

9.4.3. Create Monitoring Plan for Netwrix Auditor System Health Log 145

9.4.4. Create Alerts for Event Log 145

9.4.5. Create Alerts on Netwrix Auditor Server Health Status 148

9.4.6. Create Alerts for Non-Owner Mailbox Access Events 150

9.4.7. Review Past Event Log Entries 156

9.4.8. Import Audit Data with the Database Importer 156

9.5. Roll Back Changes with Netwrix Auditor Object Restore for Active Directory 156

9.5.1. Modify Schema Container Settings 156

9.5.2. Roll Back Unwanted Changes 158

10. Additional Configuration 160

10.1. Exclude Objects from Monitoring Scope 160

10.1.1. Exclude Data from Active Directory Monitoring Scope 161

10.1.2. Exclude Data from Azure AD Monitoring Scope 164

10.1.3. Exclude Data from Exchange Monitoring Scope 166

10.1.4. Exclude Data from Exchange Online Monitoring Scope 171

10.1.5. Exclude Data from File Servers Monitoring Scope 172

10.1.6. Exclude Oracle Database Users from Monitoring Scope 174

10.1.7. Exclude Data from SharePoint Monitoring Scope 175

6/211
10.1.8. Exclude Data from SharePoint Online Monitoring Scope 177

10.1.9. Exclude Data from SQL Server Monitoring Scope 179

10.1.10. Exclude Data from VMware Monitoring Scope 183

10.1.11. Exclude Data from Windows Server Monitoring Scope 185

10.1.12. Exclude Data from Event Log Monitoring Scope 186

10.1.13. Exclude Data from Group Policy Monitoring Scope 187

10.1.14. Exclude Data from Inactive Users Monitoring Scope 188

10.1.15. Exclude Data from Logon Activity Monitoring Scope 188

10.1.16. Exclude Data from Password Expiration Monitoring Scope 190

10.2. Fine-tune Netwrix Auditor with Registry Keys 191

10.2.1. Registry Keys for Monitoring Active Directory 191

10.2.2. Registry Keys for Monitoring Exchange 193

10.2.3. Registry Keys for Monitoring File Servers 195

10.2.4. Registry Keys for Monitoring Windows Server 196

10.2.5. Registry Keys for Monitoring Event Log 196

10.2.6. Registry Keys for Monitoring Group Policy 197

10.2.7. Registry Keys for Monitoring Password Expiration 200

10.2.8. Registry Keys for Monitoring Inactive Users 200

10.2.9. Registry Keys for Monitoring Logon Activity 201

10.3. Automate Sign-in to Netwrix Auditor Client 201

10.4. Customize Branding 202

10.4.1. Customize Branding in AuditIntelligence Outputs 202

10.4.2. Customize Branding in Reports 203

11. Appendix 206

11.1. Network Traffic Compression 206

Index 208

7/211
Netwrix Auditor Administration Guide

1. Introduction

1. Introduction
Looking for online version? Check out Netwrix Auditor help center.

This guide is intended for Netwrix Auditor global administrators and configurators, provides step–by–step
instructions on how to start monitoring your environments, create monitoring plans, configure Audit
Database settings and email notifications. It also provides information on fine- tuning the product,
additional configuration, etc.

This guide is intended for developers and Managed Service Providers. It provides instructions on how to
use Netwrix Auditor Configuration API for managing Netwrix Auditor configuration objects.

NOTE: It assumed that document readers have prior experience with RESTful architecture and solid
understanding of HTTP protocol. Technology and tools overview is outside the scope of the current
guide.

The product functionality described in this guide applies to Netwrix Auditor Standard Edition. Note that
Free Community Edition provides limited functionality. See Product Editions for more information.

1.1. Netwrix Auditor Features and Benefits


Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables control
over changes, configurations and access in hybrid IT environments to protect data regardless of its
location. The platform provides security analytics to detect anomalies in user behavior and investigate
threat patterns before a data breach occurs.

Netwrix Auditor includes applications for Active Directory, Active Directory Federation Services, Azure AD,
Exchange, Office 365, Windows file servers, EMC storage devices, NetApp filer appliances, Nutanix Files,
network devices, SharePoint, Oracle Database, SQL Server, VMware, Windows Server, and User Activity.
Empowered with a RESTful API, the platform delivers visibility and control across all of your on-premises or
cloud-based IT systems in a unified way.

Major benefits:

l Detect insider threats—on premises and in the cloud

l Pass compliance audits with less effort and expense

l Increase productivity of IT security and operations teams

To learn how Netwrix Auditor can help your achieve your specific business objectives, refer to Netwrix
Auditor Best Practices Guide.

The table below provides an overview of each Netwrix Auditor application:

8/211
Netwrix Auditor Administration Guide

1. Introduction

Application Features

Netwrix Auditor for Active Netwrix Auditor for Active Directory detects and reports on all changes
Directory made to the managed Active Directory domain, including AD objects,
Group Policy configuration, directory partitions, and more. It makes
daily snapshots of the managed domain structure that can be used to
assess its state at present or at any moment in the past. The product
provides logon activity summary, reports on interactive and non-
interactive logons including failed logon attempts.

Also, Netwrix Auditor for Active Directory helps address specific


tasks—detect and manage inactive users and expiring passwords. In
addition, Netwrix Auditor for Active Directory provides a stand-alone
Active Directory Object Restore tool that allows reverting unwanted
changes to AD objects down to their attribute level.

Netwrix Auditor for Azure AD Netwrix Auditor for Azure AD detects and reports on all changes made
to Azure AD configuration and permissions, including Azure AD
objects, user accounts, passwords, group membership, and more. The
products also reports on successful and failed logon attempts.

Netwrix Auditor for Exchange Netwrix Auditor for Exchange detects and reports on all changes made
to Microsoft Exchange configuration and permissions. In addition, it
tracks mailbox access events in the managed Exchange organization,
and notifies the users whose mailboxes have been accessed by non–
owners.

Netwrix Auditor for Exchange Netwrix Auditor for Exchange Online detects and reports on all
Online changes made to Microsoft Exchange Online.

The product provides auditing of configuration and permissions


changes. In addition, it tracks mailbox access events in the managed
Exchange Online organization, and notifies the users whose mailboxes
have been accessed by non–owners.

Netwrix Auditor for Netwrix Auditor for SharePoint Online detects and reports on all
SharePoint Online changes made to SharePoint Online.

The product reports on read access and changes made to SharePoint


Online sites, including modifications of content, security settings, and
sharing permissions. In addition to SharePoint Online, OneDrive for
Business changes are reported too.

Netwrix Auditor for Windows Netwrix Auditor for Windows File Servers detects and reports on all
File Servers changes made to Windows–based file servers, including modifications
of files, folders, shares and permissions, as well as failed and successful
access attempts.

9/211
Netwrix Auditor Administration Guide

1. Introduction

Application Features

Netwrix Auditor for EMC Netwrix Auditor for EMC detects and reports on all changes made to
EMC VNX/VNXe and Isilon storages, including modifications of files,
folders, shares and permissions, as well as failed and successful access
attempts.

Netwrix Auditor for NetApp Netwrix Auditor for NetApp detects and reports on all changes made
to NetApp Filer appliances both in cluster- and 7- modes, including
modifications of files, folders, shares and permissions, as well as failed
and successful access attempts.

Netwrix Auditor for Nutanix Netwrix Auditor for Nutanix Files detects and reports on changes
Files made to SMB shared folders, subfolders and files stored on the
Nutanix File Server, including failed and successful attempts.

Netwrix Auditor for Oracle Netwrix Auditor for Oracle Database detects and reports on all
Database changes made to your Oracle Database instance configuration,
privileges and security settings, including database objects and
directories, user accounts, audit policies, sensitive data, and triggers.
The product also reports on failed and successful access attempts.

Netwrix Auditor for Netwrix Auditor for SharePoint detects and reports on read access
SharePoint and changes made to SharePoint farms, servers and sites, including
modifications of content, security settings and permissions.

Netwrix Auditor for SQL Server Netwrix Auditor for SQL Server detects and reports on all changes to
SQL Server configuration, database content, and logon activity.

Netwrix Auditor for VMware Netwrix Auditor for VMware detects and reports on all changes made
to ESX servers, folders, clusters, resource pools, virtual machines and
their virtual hardware configuration.

Netwrix Auditor for Windows Netwrix Auditor for Windows Server detects and reports on all
Server changes made to Windows– based server configuration, including
hardware devices, drivers, software, services, applications, networking
settings, registry settings, DNS, and more. It also provides automatic
consolidation and archiving of event logs data. With a stand-alone
Event Log Manager tool, Netwrix Auditor collects Windows event logs
from multiple computers across the network, stores them centrally in
a compressed format, and enables convenient analysis of event log
data.

Netwrix Auditor for User Netwrix Auditor for User Sessions detects and reports on all user
Activity actions during a session with the ability to monitor specific users,
applications and computers. The product can be configured to capture
a video of users' activity on the audited computers.

10/211
Netwrix Auditor Administration Guide

1. Introduction

1.2. How It Works


Netwrix Auditor provides comprehensive auditing of applications, platforms and storage systems. Netwrix
Auditor architecture and components interactions are shown in the figure below.

l Netwrix Auditor Server — the central component that handles the collection, transfer and
processing of audit data from the various data sources (audited systems). Data from the sources not
yet supported out of the box is collected using RESTful Integration API.

l Netwrix Auditor Client — a component that provides a friendly interface to authorized personnel
who can use this console UI to manage Netwrix Auditor settings, examine alerts, reports and search
results. Other users can obtain audit data by email or with 3rd party tools — for example, reports can
be provided to the management team via the intranet portal.

l Data sources — entities that represent the types of audited systems supported by Netwrix Auditor
(for example, Active Directory, Exchange Online, NetApp storage system, and so on), or the areas you
are interested in (Group Policy, User Activity, and others).

l Long-Term Archive — a file-based repository storage keeps the audit data collected from all your
data sources or imported using Integration API in a compressed format for a long period of time.
Default retention period is 120 months.

l Audit databases — these are Microsoft SQL Server databases used as operational storage. This type
of data storage allows you to browse recent data, run search queries, generate reports and alerts.
Typically, data collected from the certain data source (for example, Exchange Server) is stored to the
dedicated Audit database and the long-term archive. So, you can configure as many databases as the
data sources you want to process. Default retention period for data stored in the Audit database is
180 days.

11/211
Netwrix Auditor Administration Guide

1. Introduction

1.2.1. Workflow Stages


General workflow stages are as follows:

1. Authorized administrators prepare IT infrastructure and data sources they are going to audit, as
recommended in Netwrix Auditor documentation and industry best practices; they use Netwrix
Auditor client (management UI) to set up automated data processing.

2. Netwrix Auditor collects audit data from the specified data source (application, server, storage
system, and so on).

To provide a coherent picture of changes that occurred in the audited systems, Netwrix Auditor can
consolidate data from multiple independent sources (event logs, configuration snapshots, change
history records, etc.). This capability is implemented with Netwrix Auditor Server and Integration API.

NOTE: For details on custom data source processing workflow, refer to the Integration API
documentation.

3. Audit data is stored to the Audit databases and the repository (Long-Term Archive) and preserved
there according to the corresponding retention settings.

4. Netwrix Auditor analyzes the incoming audit data and alerts appropriate staff about critical changes,
according to the built-in alerts you choose to use and any custom alerts you have created.
Authorized users use the Netwrix Auditor Client to view pre-built dashboards, run predefined reports,
conduct investigations, and create custom reports based on their searches. Other users obtain the
data they need via email or third-party tools.

5. To enable historical data analysis, Netwrix Auditor can extract data from the repository and import it
to the Audit database, where it becomes available for search queries and report generation.

12/211
Netwrix Auditor Administration Guide

2. Launch Netwrix Auditor

2. Launch Netwrix Auditor


To start using Netwrix Auditor

l Navigate to Start → Netwrix Auditor → Netwrix Auditor. You will see the Welcome page:

13/211
Netwrix Auditor Administration Guide

3. Role-Based Access and Delegation

3. Role-Based Access and


Delegation
Security and awareness of who has access to what is crucial for every organization. Besides notifying you on
who changed what, when and where , and who has access to what in your IT infrastructure, Netwrix pays
attention to safety of its own configuration and collected data.

To keep the monitoring process secure, Netwrix suggests configuring role-based access. Delegating control
ensures that only appropriate users can modify the product configuration or view audit data, based on
your company policies and the user's job responsibilities.

Use intelligence data Configure monitoring


Netwrix Auditor

Global administrator

Global reviewer Contributor


Entire
CISO Integration add-on
environment

Limited
to delegated
scope
Reviewer Configurator
Helpdesk personnel Infrastructure Engineer
DB Admin

Subscriptions & alerts

Senior managers

Roles are described briefly in the table below and explained in the further detail in the next topic.

Role Access level Recommended use

Global Full control. Access to global The role should be assigned to a very limited
administrator settings, monitoring plan number of employees—typically, only the owner
configuration, collected data, of the Netwrix Auditor Server host in your
access delegation, etc. environment.

14/211
Netwrix Auditor Administration Guide

3. Role-Based Access and Delegation

Role Access level Recommended use

By default, the user who installed Netwrix Auditor


is assigned the Global administrator role. All
members of the local Administrators group are
Global administrators too.

Configurator Access to monitoring plan The role is appropriate for system administrators,
configuration within the infrastructure engineers, and members of
delegated scope: a operations team who manage network and
monitoring plan or a folder services in your organization but should not have
with monitoring plans access to sensitive data.

Global reviewer Access to all data collected The role is appropriate for key employees who
by Netwrix Auditor and need to review audit data collected across various
intelligence and visibility data sources— typically, IT managers, chief
features. information security officer, and so on.

Reviewer Access to data collected by The role is appropriate for members of security
Netwrix Auditor and team and helpdesk personnel who are responsible
intelligence and visibility for mitigating risks in a certain sector of your
features within the delegated environment (e.g., domain, file share).
scope.
This role is granted to specialists who use Netwrix
Auditor Integration API to retrieve data from the
Audit Database.

Contributor Write access to Netwrix This service role is granted to specialists who use
Auditor Server and Audit Netwrix Auditor Integration API to write data to
Database. the Audit Database. This role is also granted to
service accounts or any accounts used for
interaction with Netwrix Auditor Server (e.g., add-
on scripts).

3.1. Compare Roles


Feature Global Global Reviewer Configurator Contributor
administrator reviewer

Launch Netwrix + + + + +
Auditor client

Delegate control, + – – – –
grant and revoke
permissions

15/211
Netwrix Auditor Administration Guide

3. Role-Based Access and Delegation

Feature Global Global Reviewer Configurator Contributor


administrator reviewer

View global settings + Some Some Some Some

Modify global + – – – –
settings (including
default Audit
Database, licenses,
retention settings,
etc.)

Monitoring plan configuration

List folders + + + + +

Add, remove, rename + – – Some –


folders
Only under
assigned
folders
provided that
directly
assigned roles
do not
conflict.

List monitoring + + + + +
plans, review status

Add, remove, rename + – – Some –


monitoring plans
Only under
assigned
folders
provided that
directly
assigned roles
do not
conflict.

Modify monitoring + Some Some Some –


plan settings
Add and Add and Restricted to
remove remove the delegated
Activity Activity scope (folder
Summary Summary or monitoring

16/211
Netwrix Auditor Administration Guide

3. Role-Based Access and Delegation

Feature Global Global Reviewer Configurator Contributor


administrator reviewer

recipients recipients plan)


within the
delegated
scope

List data sources and + + + + +


items in monitoring
plan

Add, modify, remove + – – Some –


data sources, enable
Restricted to
or disable auditing
the delegated
scope (folder
or monitoring
plan)

Add, modify, remove + – – Some –


items in monitoring
Restricted to
plan
the delegated
scope (folder
or monitoring
plan)

Manage state-in-time + + – – –
data, upload
snapshots to the
Audit Database

Intelligence

List reports + + + + +

Generate reports + + Some – –

Restricted to
the delegated
scope (folder
or monitoring
plan)

List report + + + + +
subscriptions

17/211
Netwrix Auditor Administration Guide

3. Role-Based Access and Delegation

Feature Global Global Reviewer Configurator Contributor


administrator reviewer

Create, modify, + + – – –
remove
subscriptions

See search results + + Some – –

Restricted to
the delegated
scope (folder
or monitoring
plan)

List, create, modify, + + + + - (only can


delete custom list)
reports

List alerts + + + + +

Create, modify, + + – – –
delete alerts

Import investigation + – – – –
data from the Long-
Term Archive

View investigation + + – – –
data

View Behavior + + – – –
Anomalies list

Review user profile + + – – –

Update anomaly + + – – –
status

Risk Assessment Overview dashboard and drill-down reports

View Risk + + Some - -


Assessment Restricted to
Overview results delegated
(dashboard, drill- scope (folder
down reports) or monitoring
plan)

18/211
Netwrix Auditor Administration Guide

3. Role-Based Access and Delegation

Feature Global Global Reviewer Configurator Contributor


administrator reviewer

Modify risk level + + - - -


thresholds

Customize risk + + - - -
indicators

Netwrix Auditor Integration API

Write Activity + – – – +
Records

Retrieve Activity + + + – –
Records
Restricted to
the delegated
scope (folder
or monitoring
plan)

3.2. Assign Roles

3.2.1. Understand Scopes and Assign Roles Correctly


NOTE: Only Global administrator can delegate control, grant and revoke permissions.

Netwrix Auditor allows assigning roles not only on the product as a whole but also on a specific scope that
can be limited to a single monitoring plan or to the contents of a folder. This is helpful when you want to
achieve more granular separation of duties with the product. For example, to ensure that database
administrators (DBAs) have no access to Active Directory management data, domain administrators have
no permissions to view database schema changes or update data collection settings.

Global administrator, Global reviewer, and Contributor roles are assigned on the global scope only. On
folder and plan levels, you may leverage role separation capabilities too: designate Configurators and
Reviewers. The roles are inherited from a higher level and cannot be revoked locally, i.e., Global reviewer
has access to all collected data while local Reviewer can generate reports and run search on data limited to
his or her scope.

Scope Roles

Global (All monitoring plans) Global administrator

Global reviewer

19/211
Netwrix Auditor Administration Guide

3. Role-Based Access and Delegation

Scope Roles

Contributor

Folder level Configurator

Reviewer

Plan level Configurator

Reviewer

To delegate control to some scope, review, or revoke assigned roles

1. On the main Netwrix Auditor page, navigate to the Monitoring Plans section.

2. Browse your monitoring plans tree and select the scope you want to delegate to a user (e.g., All
monitoring plans root folder, a folder, or a monitoring plan).

3. Click Delegate.

4. Review roles that are already defined for this scope.

5. Do one of the following:

To Do

Assign a role 1. Select Add User.

2. In the dialog that opens, specify a user (or a group) and a role.

Revoke a role assignment


l Click next to the user.

6. Click Save or Save&Close.

Along with adding a new Global administrator , Global reviewer , or Reviewer , Netwrix Auditor will
automatically assign this user the Browser role on the Report Server. The Browser role is required to
generate reports and is granted on all reports or within a delegated scope. If for some reason, Netwrix
Auditor is unable to grant the Browser role, configure it manually. See Netwrix Auditor Installation and
Configuration Guide for more information.

3.2.2. Review Default Role Assignments


By default, some accounts and local groups are assigned the following roles:

Account or group name Role

Local Administrators Global administrator

20/211
Netwrix Auditor Administration Guide

3. Role-Based Access and Delegation

Account or group name Role

Local service accounts Global administrator

NOTE: Netwrix Auditor uses system accounts for data processing and
interaction between product components.

Netwrix Auditor Global administrator


Administrators

Netwrix Auditor Client Global reviewer


Users

During the Netwrix Auditor Server installation, Netwrix Auditor Administrators and Netwrix Auditor
Client Users groups are created automatically. To delegate control through group membership, add users
to these groups on the computer where Netwrix Auditor Server resides. Keep in mind that users will be
granted roles with extended permissions while it may be reasonable to limit their scope to a specific
monitoring plan.

To add an account to a group

1. On the computer where Netwrix Auditor Server is installed, start the Local Users and Computers
snap-in.

2. Navigate to the Groups node and locate the Netwrix Auditor Administrators or Netwrix Auditor
Client Users group.

3. In the group properties, click Add.

4. Specify users you want to be included in this group.

21/211
Netwrix Auditor Administration Guide

3. Role-Based Access and Delegation

3.3. Provide Access to a Limited Set of Data


By default, only users designated in Netwrix Auditor are allowed to view its configuration and collected
data. This policy ensures that only authorized and trustworthy users access sensitive data and make
changes.

However, in some cases, organizations need to provide certain employees with access to a limited set of
audit data. For example, an auditor might need to review particular access reports once or twice a year. You
can provide these users (recipients) with means to review the data they need without actually running
Netwrix Auditor. This ensures that dedicated specialists have access to the data while preventing data
breaches and ensuring that sensitive data is not being distributed across the whole company.

Netwrix recommends granting limited access permissions to employees who need to:

l Review audit data periodically in accordance with company policy

l Review audit data accumulated over time

l Be notified only in case of a rare incident

To grant limited access to audit data, you can:

Do.. Recommended use

Schedule email This is helpful when you want to share information with a group of employees,
report external consultants, auditors, and so on. Reports are sent according to a specified
subscriptions schedule and recipients can review them, but they do not have any other means
to access audit data. Basically, this option is enough for employees who are
interested in a high- level summary— for example, an auditor who performs
monthly access rights attestation on critical folders or a senior manager.

Publish reports to This scenario works great for a helpdesk with several departments. Assume, each

22/211
Netwrix Auditor Administration Guide

3. Role-Based Access and Delegation

Do.. Recommended use

file shares department has its own field of responsibility and must not disclose information to
other departments. You can configure Netwrix Auditor to publish reports to
folders that can be accessed by employees from a specific department only. You
might set up the following folders and permissions:

l The user support team has access to a folder with reports on account
lockouts and password resets.

l File server helpdesk personnel have access to a different folder with daily
reports listing all file removals.

l The helpdesk supervisor has access to both folders.

Configure alerts This is helpful for rare occasions when you have to notify some senior specialists
about critical system state that has to be addressed immediately, e.g., CISO must
mitigate risks in the event of massive deletions in the sensitive data storage.

23/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

4. Monitoring Plans
To start auditing your environment and analyzing user behavior with Netwrix Auditor, create a monitoring
plan.

A monitoring plan defines data collection, notification, and storage settings.

To start collecting data, and add items to its scope.

So, to collect data from your environment, you need to do the following:

1. Create a monitoring plan with a wizard. See Create a New Plan for more information.

2. Fine-tune data source settings, if necessary: use the data source properties to modify data collection
settings, customize the monitoring scope, and so on. See Manage Data Sources for more information.

3. Add items to be monitored. An item is a specific object you want to audit, e.g., a VMware server or a
SharePoint farm. As soon as the item is added, to the monitoring plan, Netwrix Auditor starts
collecting data from it. See Add Items for Monitoring for more information.

To view and modify your plans, in the main Netwrix Auditor window click the Monitoring Plans tile, then
expand the All Monitoring Plans tree.

To.. Do..

See how data collection goes Click on a plan name. You will see all data sources included in the plan
on and data collection status for each data source.

Start data collection 1. Select a plan and click Edit.


manually
2. In the monitoring plan window, click Update in the right pane.

Data collection will be started (status for the data sources will be
displayed as Working).
Do the same if you need to generate Activity Summary with the latest
changes. See Launch Data Collection Manually and Update Status for
details.

View collected data 1. Select a plan and click Edit.

2. In the right pane, go to the Intelligence section (in the bottom)


and click Search.

The search page will appear, displaying the collected data filtered out
accordingly (i.e. provided by this monitoring plan).

Modify plan settings, add or Select a plan and click Edit . On the page that opens, review your plan
delete data sources, add or settings. Then follow the instructions described in these sections:
delete items
l Manage Data Sources

24/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

To.. Do..

l Add Items for Monitoring

l Fine-Tune Your Plan and Edit Settings

Assign roles Click Delegate to review current delegations and assign roles. You can
delegate control over a monitoring plan to another administrator, or
grant read access—Reviewer role—to the data collected by this plan.

To simplify delegation, you can further organize the monitoring plans


into folders.

See Role-Based Access and Delegation for more information.

4.1. Create a New Plan


To create monitoring plans, user account must be assigned the Global administrator in Netwrix Auditor.
Users with the Configurator role can create plans only within a delegated folder. See Role-Based Access and
Delegation for more information.

To start creating a plan, do any of the following:

l On the main Netwrix Auditor page, in the Quick Start section, click the tile with a data source of your
choice, e.g., Active Directory. If you need a data source that is not listed on the main page, click All
data sources.

l On the main Netwrix Auditor page, in the Configuration section, click the Monitoring Plans tile. On
the Monitoring Plans page, select Add Plan.

Then follow the steps of the Monitoring Plan Wizard:

l Choose a data source for monitoring

l Specify an account for collecting data

l Specify default SQL Server instance and configure the Audit Database to store your data

l Configure notification settings

l Specify the recipients who will receive daily activity summaries

l Specify a plan name

4.1.1. Settings for Data Collection


At this step of the wizard, specify the account that Netwrix Auditor will use to access the data source, and
general settings for data collection.

25/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Specify the account for Provide a user name and a password for the account that Netwrix Auditor
collecting data will use to collect data. By default, the user name is prepopulated with your
account name.

Make sure the account has sufficient permissions to collect data. For a full list
of the rights and permissions, and instructions on how to configure them,
refer to Configure Data Collecting Account . Netwrix recommends creating a
special service account with extended permissions.

When you configure a monitoring plan for the first time, the account you
specify for data collection will be set as default.

Enable network traffic If selected, this option instructs Netwrix Auditor to deploy a special utility
compression that will run on the audited computers and do the following:

l collect and pre-filter audit data

l compress data and forward it to Netwrix Auditor Server

This approach helps to optimize load balance and reduce network traffic. So,
using this option can be recommended especially for distributed networks
with remote locations that have limited bandwidth. See Network Traffic

26/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Compression for more information.

Adjust audit settings Netwrix Auditor can configure audit settings in your environment
automatically automatically. Select Adjust audit settings automatically . In this case,
Netwrix Auditor will continually check and enforce the relevant audit policies.
For some data sources (currently, Active Directory and Logon Activity) you
will be offered to launch a special utility that will detect current audit settings,
check them against requirements and then adjust them automatically. See
Audit Configuration Assistant for details.

You may also want to apply audit settings via GPO (for example, for Windows
Servers).

NOTE: Netwrix Auditor has certain limitations when configuring audit


settings for NetApp and EMC. See File Servers for more information.

For a full list of audit settings and instructions on how to configure them
manually, refer to Configure IT Infrastructure for Auditing and Monitoring.

Launch Audit Click to launch a specially intended utility that will assess your environment
Configuration Assistant readiness for monitoring and adjust audit settings, if necessary. The tool will
be launched in a new window. See Audit Configuration Assistant for details.

Collect data for state-in- State-in-time reports are based on the daily configuration snapshots of your
time reports audited systems; they help you to analyze particular aspects of the
environment. State-in-time configuration snapshots are also used for IT risks
assessment metrics and reports.

This data collection option is available if you are creating a monitoring plan
for any of the following data sources:

l Active Directory

l File Servers

l Windows Server

l Group Policy

l SharePoint

l SharePoint Online

l Exchange Online

To read more, refer to State– in– Time Reports and IT Risk Assessment
Overview .

27/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

4.1.2. Default SQL Server Instance


To provide searching, alerting and reporting capabilities, Netwrix Auditor needs an SQL Server where audit
data will be stored in the databases. To store data from the data sources included in the monitoring plan,
the wizard creates an Audit Database for each plan. At this step, you should specify the default SQL Server
instance that will host Netwrix Auditor databases. To read more, refer to SQL Server and Audit Database.

NOTE: Alternatively, you can instruct Netwrix Auditor not to store data to the databases but only to the
repository (Long-Term Archive) – in this scenario, you will only be able to receive activity summaries.
Reporting and alerting capabilities will not be provided.

NOTE: Netwrix Auditor skips this step if you have already configured Audit Database settings for other
monitoring plans.

Select one of the following options:

l Disable security intelligence and make data available only in activity summaries — select this
option if you do not want audit data to be written to the Audit Database. In this case, data will be
available only in Activity Summary emails. Alerts, reports and search capabilities will not be
supported.

NOTE: If you later clear this option to start saving data to the database, consider that already
collected audit data will not be imported in that database.

l Install a new instance of Microsoft SQL Server Express automatically — this option is available
at the first run of the wizard. It allows you to deploy SQL Server 2016 SP2 Express with Advanced
Services on the local machine. This SQL Server will be used as default host for Netwrix Auditor
databases.

NOTE: It is strongly recommended that you plan for your databases first, as described in Database
Sizing section. Remember that database size in SQL Server Express edition may be insufficient
for your audited infrastructure.

l Use an existing SQL Server instance — select this option to use an existing SQL Server instance.

NOTE: Local SQL Server instance is detected automatically, and input fields are pre-populated with its
settings.

Complete the following fields:

Option Description

SQL Server instance Specify the name of the SQL Server instance to store audit data.

NOTE: If you have more than one Netwrix Auditor Server running
in your network, make sure to configure them to use
different SQL Server instances. The same SQL Server

28/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

instance cannot be used to store audit data collected by


several Netwrix Auditor Servers.

Authentication Select the authentication type you want to use to connect to the
SQL Server instance:

l Windows authentication

l SQL Server authentication

User name Specify the account to be used to connect to the SQL Server
instance.

NOTE: This account must be granted the database owner (db_


owner) role and the dbcreator server role. See Configure
Audit Database Account for more information.

Password Enter a password.

4.1.3. Database Settings


At this step, you need to specify a database where Netwrix Auditor will store data collected from the data
sources included in this monitoring plan.

NOTE: It is strongly recommended to target each monitoring plan at a separate database.

You can use default settings for your SQL Server instance or modify them (e.g., use a different
authentication method or user). You can also change these settings later. See Audit Database for more
information.

29/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Configure the following:

Setting Description

Disable security intelligence ... Only select this option if you do not want your data to
be stored in the database. In this case, you will only be
able to receive activity summaries. Reporting and
alerting capabilities will not be provided.

To store data to the database, leave this check box


cleared.

Database Default database name is Netwrix_Auditor_<monitoring_


plan_name>.

It is recommended that you enter a meaningful name


for the database here. It may include the data source
type (e.g. Exchange_Audit_Data or OracleSrv02_Audit_
Data ), or so.

If you decided to use the existing SQL Server instance


instead of dedicated, you may want to use Netwrix_
Auditor prefix to distinguish Netwrix Auditor databases

30/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Setting Description

from others.

Use default SQL Server settings Select this option if you want Netwrix Auditor to connect
to the SQL Server instance using the default settings you
specified Default SQL Server Instance .

Specify custom connection parameters Select this option to use custom credentials when
connecting to SQL Server. Specify authentication
method and the account that Netwrix Auditor will use.

Make sure this account has sufficient rights to connect


to SQL Server and work with the databases. See
Configure Audit Database Account for details.

Netwrix Auditor will connect to the default SQL Server instance and create a database with the specified
name on it.

NOTE: Global settings that apply to all databases with audit data (including retention period and SSRS
server used for reporting) are available on the Audit Database page of Netwrix Auditor settings.
See Audit Database for details.

4.1.4. SMTP Server Settings


When you create the first monitoring plan, you are prompted to specify the email settings that will be used
for activity and health summaries, reports and alerts delivery. For the monitoring plans that follow, Netwrix
Auditor will automatically detect SMTP settings; however, for your first plan you should provide them
manually. See this section for details.

NOTE: You can skip this step if you do not want to receive email notifications, or configure SMTP settings
later, as described in the related section.

4.1.5. Email Notification Recipients


Specify who will receive daily emails: Activity Summary Email on changes in the monitored infrastructure,
and Health Summary Email on Netwrix Auditor operations and health.

Click Add Recipient and provide email address.

NOTE: It is recommended to click Send Test Email . The system will send a test message to the specified
email address and inform you if any problems are detected.

31/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

4.1.6. Monitoring Plan Summary


At this step of the wizard, to provide a meaningful name and optional description for your monitoring plan.

To start collecting data, you should specify the objects (items) that belong to the target data source and
should be processed according to the settings of this monitoring plan. For example, for Exchange data
source the item will be your Exchange server, for Windows Server data source - computer, IP range or AD
container, and so on. To add items right after finishing the monitoring plan wizard, select the Add item
now checkbox. See Add Items for Monitoring for details.

NOTE: A monitoring plan cannot collect data until at least one item is specified.

Some data sources require additional system components and updates to be installed on your computer.
In this case, Netwrix Auditor will inform you and prompt you to check data source prerequisites instead of
adding an item.

NOTE: Netwrix Auditor for Oracle Database incompatible with Oracle Data Access Components for .Net
Framework 4.0 and above. Check that the .Net Framework 3.5 feature is enabled prior to
downloading prerequisites.

Once you complete the wizard, you can:

l Add items to your plan

l Add more data sources

l Customize data source's scope and settings (e.g., enable read access auditing)

l Fine-tune or modify plan settings

l Delegate control of the plan configuration or collected data to other users.

4.2. Manage Data Sources


You can fine-tune data collection for each data source. Settings that you configure for the data source will
be applied to all items belonging to that data source. Using data source settings, you can, for example:

l Enable state-in-time data collection (currently supported for several data sources)

l Depending on the data source, customize the monitoring scope (e.g., enable read access auditing,
monitoring of failed attempts)

NOTE: To add, modify and remove data sources, enable or disable monitoring, you must be assigned the
Global administrator role in the product or the Configurator role on the plan. See Role-Based Access
and Delegation for more information.

32/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

To modify data source settings:

1. Select the monitoring plan you need and click Edit.

2. Within the monitoring plan window, highlight the data source (the first one is the row right under the
blue table header) and click Edit data source on the right:

3. Modify data source settings as you need.

4. When finished, click Save.

Review the following for additional information:

l Active Directory

l Azure AD

l Exchange

l Exchange Online

l File Servers

l Group Policy

l Logon Activity

l Oracle Database

l SharePoint

l SharePoint Online

33/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

l SQL Server

l User Activity

l Windows Server

l VMware

l Netwrix API

Also, you can add a data source to the monitoring plan, or remove a data source that is no longer needed.

To add a data source to existing plan

1. Select the monitoring plan you need and click Edit.

2. In the right pane, select Add data source.

3. Specify a data source.

4. Configure settings specific to your data source.

5. When finished, click the Add button to save the settings.

4.2.1. Active Directory


Complete the following fields:

Option Description

General

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Monitor Active Directory Select which of your Active Directory environment partitions you
partitions want to audit. By default, Netwrix Auditor only tracks changes to the
Domain partition and the Configuration partition of the audited
domain. If you also want to audit changes to the Schema partition,
or to disable auditing of changes to the Configuration partition,
select one of the following:

l Domain—Stores users, computers, groups and other objects.


Updates to this partition are replicated only to domain
controllers within the domain.

l Configuration — Stores configuration objects for the entire


forest. Updates to this partition are replicated to all domain
controllers in the forest. Configuration objects store the
information on sites, services, directory partitions, etc.

34/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

l Schema —Stores class and attribute definitions for all existing


and possible Active Directory objects. Updates to this partition
are replicated to all domain controllers in the forest.

NOTE: You cannot disable auditing the Domain partition for


changes.

Detect additional details Specify additional information to include in reports and activity
summaries. Select Group membershipif you want to include Group
membership of the account under which the change was made.

Specify data collection method You can enable network traffic compression. If enabled, a
Compression Service will be automatically launched on the audited
computer, collecting and prefiltering data. This significantly improves
data transfer and minimizes the impact on the target computer
performance.

Configure audit settings You can adjust audit settings automatically. Your current audit
settings will be checked on each data collection and adjusted if
necessary.

NOTE: This method is recommended for evaluation purposes in test


environments. If any conflicts are detected with your current
audit settings, automatic audit configuration will not be
performed.

Do not select the checkbox if you want to configure audit settings


manually. For a full list of audit settings required to collect
comprehensive audit data and instructions on how to configure
them, refer to Netwrix Auditor Installation and Configuration Guide.

Collect data for state- in- time Configure Netwrix Auditor to store daily snapshots of your Active
reports Directory domain configuration required for further state-in-time
reports generation. See State–in–Time Reports for more
information.

The product updates the latest snapshot on the regular basis to


keep users up-to-date on actual system state. Only the latest
snapshot is available for reporting in Netwrix Auditor.

If you want to generate reports based on different snapshots, you


must import snapshots to the Audit Database.

For that, in the Manage historical snapshots section, click Manage


and select the snapshots that you want to import.

35/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

NOTE: To import snapshots, you must be assigned the Global


administrator or the Global reviewer role .

Move the selected snapshots to the Snapshots available for


reporting list using the arrow button. When finished, click OK .

Users

Specify monitoring restrictions Select the users to be excluded from search results, reports and
Activity Summaries. To add users to the list, click Add. Then, provide
the user name in the domain\user format. For example:
mydomain\user1. Consider the following:

l Use NetBIOS domain name format.

l You can provide the " System " value to exclude events
containing the “ System ” instead of an account name in the
“ Who” column.

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

Objects

Specify monitoring restrictions Specify restrictions for your Active Directory objects. You can
Monitor all objects or create lists of specific objects to include and /
or exclude from your monitoring scope (search results, reports and
Activity Summaries).

Click Add and enter an object path using one of the following
formats:

l Canonical name – example:


mydomain.local/Computers/filesrv01

OR

l Object path as shown in the "What" column of reports and


search results – example: \local\mydomain\Computers\filesrv01

NOTE: You can use a wildcard (*) to replace any number of


characters in the path. Example:

36/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

l dc11.local/OU omits all objects within the OU, but not the OU
itself.

l dc11.local/OU/* omits all objects within it and in all child OUs,


but not the OU itself.

l dc11.local/OU* omits OU itself, all objects within it and in all


child OUs.

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.2. Azure AD
Complete the following fields:

Option Description

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Monitor Azure AD logon activity Specify what types of logon events you want to monitor:

l Failed logons

l Successful logons

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.3. Active Directory Federation Server (AD FS)


Complete the following fields:

37/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Schedule AD FS logons Specify period for AD FS logons collection.


collection

Specify data collection method You can enable network traffic compression. If enabled, a
Compression Service will be automatically launched on the audited
computer, collecting and pre-filtering data. This significantly
improves data transfer and minimizes the impact on the target
computer performance.

Configure audit settings You can adjust audit settings automatically. Your current audit
settings will be checked on each data collection and adjusted if
necessary.

NOTE: If any conflicts are detected with your current audit settings,
automatic audit configuration will not be performed.

Do not select the checkbox if you want to configure audit settings


manually. For a full list of audit settings required to collect
comprehensive audit data and instructions on how to configure
them, refer to Configure IT Infrastructure for Auditing and
Monitoring.

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.4. Exchange
Complete the following fields:

Option Description

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Detect additional details Specify additional information to include in reports and activity
summaries. Select Group membershipif you want to include Group
membership of the account under which the change was made.

Specify data collection method You can enable network traffic compression. If enabled, a
Compression Service will be automatically launched on the audited

38/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

computer, collecting and prefiltering data. This significantly improves


data transfer and minimizes the impact on the target computer
performance.

Configure audit settings You can adjust audit settings automatically. Your current audit
settings will be checked on each data collection and adjusted if
necessary.

NOTE: This method is recommended for evaluation purposes in test


environments. If any conflicts are detected with your current
audit settings, automatic audit configuration will not be
performed.

Do not select the checkbox if you want to configure audit settings


manually. For a full list of audit settings required to collect
comprehensive audit data and instructions on how to configure
them, refer to Netwrix Auditor Installation and Configuration Guide.

Collect data on non-owner Enable monitoring of unauthorized access to mailboxes within your
access to mailboxes Exchange organization. Configure the following:

l Enable automatic audit configuration — This method is


recommended for evaluation purposes in test environments.
For a full list of audit settings required for Netwrix Auditor to
collect comprehensive audit data and instructions on how to
configure them, refer to Netwrix Auditor Installation and
Configuration Guide .If you select to automatically configure
audit in the target environment, your current audit settings will
be checked on each data collection and adjusted if necessary.

If you want to configure audit manually, refer to Netwrix


Auditor Installation and Configuration Guide for a full list of
audit settings, and instructions on how to configure them.

l Notify users if someone gained access to their


mailboxes—Select this checkbox if you want to notify users on
non-owner access to their mailboxes.

l Notify only specific users—Select this checkbox and click Add


Recipient to specify the list of users who will receive
notifications on non-owner access to their mailboxes. Users not
included in this list will not be notified.

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

39/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

4.2.5. Exchange Online


Complete the following fields:

Option Description

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Configure audit settings You can adjust audit settings automatically. Your current audit
settings will be checked on each data collection and adjusted if
necessary.

NOTE: This method is recommended for evaluation purposes in test


environments. If any conflicts are detected with your current
audit settings, automatic audit configuration will not be
performed.

Do not select the checkbox if you want to configure audit settings


manually. For a full list of audit settings required to collect
comprehensive audit data and instructions on how to configure
them, refer to Netwrix Auditor Installation and Configuration Guide.

Collect data for state- in- time Configure Netwrix Auditor to store daily snapshots of your Exchange
reports Online configuration required for further state-in-time reports
generation. See State–in–Time Reports for more information.

The product updates the latest snapshot on the regular basis to


keep users up-to-date on actual system state. Only the latest
snapshot is available for reporting in Netwrix Auditor.

NOTE: Import historical snapshots to Audit Database is not available


for Exchange Online.

Collect data on non-owner Enable monitoring of unauthorized access to mailboxes within your
access to mailboxes Exchange Online organization. Configure the following:

l Notify users if someone gained access to their


mailboxes—Select this checkbox if you want to notify users on
non-owner access to their mailboxes.

l Notify only specific users—Select this checkbox and click Add


Recipient to specify the list of users who will receive
notifications on non-owner access to their mailboxes. Users not
included in this list will not be notified.

40/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.6. Group Policy


Complete the following fields:

Option Description

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Prerequisites Netwrix Auditor will automatically look up additional system


components and prompt you to install those that are missing. In
case all required components have been already installed, this
section will be omitted. See Netwrix Auditor Installation and
Configuration Guide for more information on software
requirements.

Detect additional details Specify additional information to include in reports and activity
summaries. Select Group membershipif you want to include Group
membership of the account under which the change was made.

Specify data collection method You can enable network traffic compression. If enabled, a
Compression Service will be automatically launched on the audited
computer, collecting and prefiltering data. This significantly improves
data transfer and minimizes the impact on the target computer
performance.

Configure audit settings You can adjust audit settings automatically. Your current audit
settings will be checked on each data collection and adjusted if
necessary.

NOTE: This method is recommended for evaluation purposes in test


environments. If any conflicts are detected with your current
audit settings, automatic audit configuration will not be
performed.

Do not select the checkbox if you want to configure audit settings


manually. For a full list of audit settings required to collect
comprehensive audit data and instructions on how to configure
them, refer to Netwrix Auditor Installation and Configuration Guide.

41/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.7. File Servers


Complete the following fields:

Option Description

General

Monitor this data source Enable monitoring of the selected data source and configure Netwrix
and collect activity data Auditor to collect and store audit data.

Specify actions for Specify actions you want to track and auditing mode. Review the
monitoring following for additional information:

Changes
Successful Use this option to track changes to your data. Helps
find out who made changes to your files, including
their creation and deletion.
Failed Use this option to detect suspicious activity on your
file server. Helps identify potential intruders who tried
to modify or delete files, etc., but failed to do it.
Read access
Successful Use this option to supervise access to files containing
confidential data intended for privileged users. Helps
identify who accessed important files besides your
trusted users.

NOTE: Enabling this option on public shares will result


in high number of events generated on your
file server and the amount of data written to
the AuditArchive.
Failed Use this option to track suspicious activity. Helps find
out who was trying to access your private data
without proper justification.

NOTE: Enabling this option on public shares will result


in high number of events generated on your
file server and the amount of data written to
the AuditArchive.

42/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

NOTE: Actions reported by Netwrix Auditor vary depending on the file


server type and the audited object (file, folder, or share). The
changes include creation, modification, deletion, moving, etc. To
track the copy action, enable successful read access and change
auditing. See Audited Object Types, Actions and Attributes for
more information.

Specify data collection You can enable network traffic compression. If enabled, a Compression
method Service will be automatically launched on the audited computer,
collecting and prefiltering data. This significantly improves data transfer
and minimizes the impact on the target computer performance.

NOTE: To collect data from 32- bit operating systems, network traffic
compression must be disabled.

To collect data from Windows Failover Cluster, network traffic


compression must be enabled.

See File Servers for more information.

Configure audit settings You can adjust audit settings automatically. Your current audit settings
will be checked on each data collection and adjusted if necessary.

NOTE: This method is recommended for evaluation purposes in test


environments. If any conflicts are detected with your current
audit settings, automatic audit configuration will not be
performed.

Do not select the checkbox if you want to configure audit settings


manually. For a full list of audit settings required to collect
comprehensive audit data and instructions on how to configure them,
refer to Netwrix Auditor Installation and Configuration Guide.

Some settings cannot be configured automatically. Netwrix Auditor has


the following limitations depending on your file server type.

File Server SACL SACL Policy Policy Log Log


Check Adjust Check Adjust Check Adjust

Windows + + + + + +

EMC Celerra\VNX + + + — + —

43/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

File Server SACL SACL Policy Policy Log Log


Check Adjust Check Adjust Check Adjust

EMC Isilon n/a n/a + — n/a n/a

NetApp Data + + + + + +
ONTAP 7 and 8 in
7-mode

NetApp Clustered + + + + + —
Data ONTAP 8
and ONTAP 9

Nutanix Files n/a n/a + + n/a n/a

Collect data for state-in-time Configure Netwrix Auditor to store daily snapshots of your system
reports configuration required for further state-in-time reports generation. See
Netwrix Auditor Intelligence Guide for more information.

When auditing file servers, changes to effective access permissions can


be tracked in addition to audit permissions. By default, Combination of
file and share permissions is tracked. File permissions define who has
access to local files and folders. Share permissions provide or deny
access to the same resources over the network. The combination of both
determines the final access permissions for a shared folder—the more
restrictive permissions are applied. Upon selecting Combination of file
and share permissions only the resultant set will be written to the
Audit Database. Select File permissions option too if you want to see
difference between permissions applied locally and the effective file and
share permissions set. To disable auditing of effective access, unselect all
checkboxes under Include details on effective permissions.

In the Manage historical snapshots section, you can click Manage and
select the snapshots that you want to import to the Audit Database to
generate a report on the data source's state at the specific moment in
the past.

NOTE: You must be assigned the Global administrator or the Global


reviewer role to import snapshots.

Move the selected snapshots to the Snapshots available for reporting


list using the arrow button.

NOTE: The product updates the latest snapshot on the regular basis to

44/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

keep users up to date on actual system state. Only the latest


snapshot is available for reporting in Netwrix Auditor. If you want
to generate reports based on different snapshots, you must
import snapshots to the Audit Database.

Users

Specify monitoring Select the users to be excluded from search results, reports and Activity
restrictions Summaries. To add users to the list, click Add . Then, provide the user
name in the domain\user format. For example: mydomain\user1 .
Consider the following:

l Use NetBIOS domain name format.

l You can provide the " System " value to exclude events containing
the “ System” instead of an account name in the “ Who” column.

TIP: In addition to the restrictions for a monitoring plan, you can use the
*.txt files to collect more granular audit data. Note that the new
monitoring scope restrictions apply together with previous
exclusion settings configured in the *.txt files. Review the
following for more information: Exclude Objects from Monitoring
Scope

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

NOTE: Netwrix Auditor supports auditing of DFS and clustered file servers if Object Access Auditing is
enabled on DFS file shares or on every cluster node.

l When adding a cluster file server for auditing, it is recommended to specify a server name of
the Role server or a UNC path of the shared folder located on the Role server.

l When adding a DFS file share for auditing, specify a Windows file share item and provide the
UNC path of the whole namespace or UNC path of the DFS link (folder). For example:

l "\\domain\dfsnamespace\" (domain-based namespace) or


"\\server\dfsnamespace\" (in case of stand-alone namespace);

l "\\domain\dfsnamespace\link" (domain-based namespace) or


"\\server\dfsnamespace\link" (in case of stand-alone namespace).

l For recommendations on configuring DFS replication, refer to this Knowledge Base article.

45/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

4.2.8. Logon Activity


Complete the following fields:

Option Description

General

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Fine-tune logon activity Specify interval for Netwrix Auditor to collect data on logon activity
monitoring and add successful non-interactive logons to your auditing scope, if
necessary.

Specify data collection method You can enable network traffic compression. If enabled, a
Compression Service will be automatically launched on the audited
computer, collecting and prefiltering data. This significantly improves
data transfer and minimizes the impact on the target computer
performance.

Configure audit settings You can adjust audit settings automatically. Your current audit
settings will be checked on each data collection and adjusted if
necessary.

NOTE: This method is recommended for evaluation purposes in test


environments. If any conflicts are detected with your current
audit settings, automatic audit configuration will not be
performed.

Do not select the checkbox if you want to configure audit settings


manually. For a full list of audit settings required to collect
comprehensive audit data and instructions on how to configure
them, refer to Netwrix Auditor Installation and Configuration Guide.

Users

Specify monitoring restrictions Select the users to be excluded from search results, reports and
Activity Summaries. To add users to the list, click Add. Then, provide
the user name in the domain\user format. For example:
mydomain\user1. Consider the following:

l Use NetBIOS domain name format.

l You can provide the " System " value to exclude events
containing the “ System ” instead of an account name in the
“ Who” column.

46/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.9. Network Devices


Complete the following fields:

Option Description

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Specify actions for monitoring Specify monitoring rules for your network devices.

Specify port and protocol for Use Port and Protocol to provide the port required for incoming
incoming connections connections (default is UDP port 514 ).

4.2.10. Oracle Database


Complete the following fields:

Option Description

General

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Monitor Oracle Database logon Specify what types of logon events you want to monitor:
activity
l Failed logons

l Successful logons

l Logoffs

47/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Users

Specify users to track their Use controls in this section to populate the corresponding lists -click
activity Add and specify user name and type (OS or database user).

l Include—Add users to be included in the auditing scope.

l Exclude —Add users to be excluded from the auditing scope by


specifying their names and type (OS or database user).

NOTE: User names are case-sensitive.

Database Objects

Data objects to monitor Create rules for objects and actions that you want to audit:

1. Click Add Rule.

2. Specify a name of the Oracle database Object or Schema .

3. Select the necessary actions (successful or failed changes,


successful or failed reads).

4. Click Add.

NOTE: Schema and object names are case sensitive.

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.11. SharePoint
Complete the following fields:

Option Description

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Detect additional details Specify additional information to include in reports and activity
summaries. Select Group membershipif you want to include Group
membership of the account under which the change was made.

Configure audit settings You can adjust audit settings automatically. Your current audit
settings will be checked on each data collection and adjusted if

48/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

necessary.

NOTE: This method is recommended for evaluation purposes in test


environments. If any conflicts are detected with your current
audit settings, automatic audit configuration will not be
performed.

Do not select the checkbox if you want to configure audit settings


manually. For a full list of audit settings required to collect
comprehensive audit data and instructions on how to configure
them, refer to Netwrix Auditor Installation and Configuration Guide.

Collect data for state- in- time Configure Netwrix Auditor to store daily snapshots of your system
reports configuration required for further state-in-time reports generation.
See Netwrix Auditor Intelligence Guide for more information.

In the Manage historical snapshots section, you can click Manage


and select the snapshots that you want to import to the Audit
Database to generate a report on the data source's state at the
specific moment in the past.

NOTE: You must be assigned the Global administrator or the


Global reviewer role to import snapshots.

Move the selected snapshots to the Snapshots available for


reporting list using the arrow button.

NOTE: The product updates the latest snapshot on the regular basis
to keep users up to date on actual system state. Only the
latest snapshot is available for reporting in Netwrix Auditor. If
you want to generate reports based on different snapshots,
you must import snapshots to the Audit Database.

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.12. SharePoint Online


Complete the following fields:

Option Description

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix

49/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

collect activity data Auditor to collect and store audit data.

Audit SharePoint Online Configuration and content changes are always audited.
configuration and content
changes

Audit SharePoint Online read Configure Netwrix Auditor to monitor SharePoint Online read access.
access

Collect data for state-in-time Configure Netwrix Auditor to store daily snapshots of your
reports SharePoint Online configuration required for further state-in-time
reports generation. See State–in–Time Reports for more
information.

The product updates the latest snapshot on the regular basis to


keep users up-to-date on actual system state. Only the latest
snapshot is available for reporting in Netwrix Auditor.

If you want to generate reports based on different snapshots, you


must import snapshots to the Audit Database.

For that, in the Manage historical snapshots section, click Manage


and select the snapshots that you want to import.

NOTE: To import snapshots, you must be assigned the Global


administrator or the Global reviewer role .

Move the selected snapshots to the Snapshots available for


reporting list using the arrow button. When finished, click OK .

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.13. SQL Server


Complete the following fields:

Option Description

General

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

50/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Audit SQL Server configuration SQL Server configuration changes are always audited.
changes

Monitor SQL Server logon Specify what types of logon events you want to monitor: successful
activity or failed, performed through Windows and SQL authentication.

l Failed SQL and Windows logons

l Successful SQL logons

l Successful Windows logons

Users

Specify users to track their Specify restriction filters to narrow your SQL Server monitoring
activity scope (search results, reports and Activity Summaries). You can
create either inclusion or exclusion lists. For example, include
information on actions performed by administrative accounts or
exclude activity initiated by ordinary applications. All filters are
applied using AND logic. Complete the following fields:

l User – provide the user name as shown in the "Who" column of


reports and Activity Summaries. Example: mydomain\user1.

TIP: You can provide the "System " value for events containing
the “ System ” instead of an account name in the “ Who”
column.

l Workstation where activity was initiated – provide the


workstation name as shown in the " Workstation " column of
reports and Activity Summaries. Example: StationWin2016.

l Application that initiated the activity – provide the


application name as shown next to " Application name " in
details of reports and Activity Summaries.

NOTE: You can use a wildcard (*) to replace any number of


characters in filters.

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

51/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Data

Monitor changes to data in the Enable monitoring of changes to data stored in the database tables
database tables hosted on the SQL Server.

Changes (per transaction) to Specify how many changes per a database transaction you want to
collect and report: be collected. For example, you can limit this number to 10 changes
per transaction, or collect all changes.

NOTE: It is recommended to adjust this setting carefully, as


collecting large number of changes from a highly-
transactional server may affect its performance.

Monitoring rules Create rules for the data to be audited and therefore to receive
change reports on the selected data only. Set the number of data
changes per SQL transaction to be included in reports. In this case
Netwrix Auditor-specific data will be written to the audited tables.
Click Add Rule to create columns auditing rules and configure the
following:

l Type—Select rule type: inclusive or exclusive.

l Server —Specify a name of the SQL Server instance where the


database resides.

l Database—Specify database name.

l Table—Specify table name.

l Column—Specify column name.

NOTE: The following column types are currently not


supported: text, ntext, image, binary,
varbinary, timestamp, sql_variant.

NOTE: Wildcard (*) is supported.

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.14. User Activity


Complete the following fields:

52/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

General

Monitor this data source and collect Enable monitoring of the selected data source and configure
activity data Netwrix Auditor to collect and store audit data.

Notify users about activity You can enable the message that will be displayed when a user
monitoring logs in and specify the message text.

Record video of user activity within When enabled, the product records video in addition to user
sessions sessions events collection. This option is disabled by default.

Video Recording

NOTE: For these settings to become effective, enable video recording on the General tab.

Adjust video quality Optimize video file by adjusting the following:

l File size and video quality

l Save video in grayscale

l CPU load and Video smoothness.

Adjust video duration Limit video file length by adjusting the following:

l Recording lasts for <...> minutes—Video recording will


be stopped after the selected time period.

l User has been idle for <...> minutes—Video recording


will be stopped if a user is considered inactive during the
selected time period.

NOTE: If the Record video of user activity within


sessions option is enabled, the User Sessions
report shows active time calculated without
including user idle period. Mind that a computer is
considered to be idle by Windows if there has not
been user interaction via the mouse or keyboard
for a given time and if the hard drives and
processors have been idle more than 90% of that
time.

l Free disk space is less than <...> MB —Video recording


will be stopped when upon reaching selected disk space
limit.

Set a retention period to clear stale When the selected retention period is over, Netwrix Auditor

53/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

videos deletes your video recordings.

Users

Specify users to track their activity Select the users whose activity should be recorded. You can
select All users or create a list of Specific users or user
groups. Certain users can also be added to Exceptions list.

Applications

Specify applications you want to Select the applications that you want to monitor. You can select
track All applications or create a list of Specific applications .
Certain applications can also be added to Exceptions list.

Monitored Computers

For a newly created monitoring plan for User Activity, the list of monitored computers is empty. Add
items to your monitoring plan and wait until Netwrix Auditor retrieves all computers within these items.
See Add Items for Monitoring for more information. The list contains computer name, its current status
and last activity time.

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

4.2.15. VMware
For this data source, specify the options you need:

Option Description

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Monitor VMware configuration Configuration changes are always monitored for VMware data
changes source. See this section for details.

Monitor VMware logon activity Specify what types of logon events you want to monitor for VMware
infrastructure.

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

54/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

4.2.16. Windows Server


Complete the following fields:

Option Description

General

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

Monitor changes to system Select the system components that you want to audit for changes.
components Review the following for additional information:

l General computer settings — Enables auditing of general


computer settings. For example, computer name or workgroup
changes.

l Hardware — Enables auditing of hardware devices


configuration. For example, your network adapter
configuration changes.

l Add/Remove programs — Enables auditing of installed and


removed programs. For example, Microsoft Office package
has been removed from the audited Windows Server.

l Services — Enables auditing of started/stopped services. For


example, the Windows Firewall service stopped.

l Audit policies — Enables auditing of local advanced audit


policies configuration. For example, the Audit User Account
Management advanced audit policy is set to "Failure ".

l DHCP configuration—Enables auditing of DHCP configuration


changes.

l Scheduled tasks — Enables auditing of enabled / disabled /


modified scheduled tasks. For example, the
GoogleUpdateTaskMachineUA scheduled task trigger
changes.

l Local users and groups—Enables auditing of local users and


groups. For example, an unknown user was added to the
Administrators group.

l DNS configuration — Enables auditing of your


DNS configuration changes. For example, your DNS security
parameters' changes.

l DNS resource records—Enables auditing of all types of DNS

55/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

resource records. For example, A- type resource records


(Address record) changes.

l File shares—Enables auditing of created / removed / modified


file shares and their properties. For example, a new file share
was created on the audited Windows Server.

l Removable media — Enables auditing of USB thumb drives


insertion.

Specify data collection method You can enable network traffic compression. If enabled, a
Compression Service will be automatically launched on the audited
computer, collecting and prefiltering data. This significantly improves
data transfer and minimizes the impact on the target computer
performance.

Configure audit settings You can adjust audit settings automatically. Your current audit
settings will be checked on each data collection and adjusted if
necessary.

NOTE: This method is recommended for evaluation purposes in test


environments. If any conflicts are detected with your current
audit settings, automatic audit configuration will not be
performed.

Do not select the checkbox if you want to configure audit settings


manually. For a full list of audit settings required to collect
comprehensive audit data and instructions on how to configure
them, refer to Netwrix Auditor Installation and Configuration Guide.

Collect data for state- in- time Configure Netwrix Auditor to store daily snapshots of your system
reports configuration required for further state-in-time reports generation.
See Netwrix Auditor Intelligence Guide for more information.

In the Manage historical snapshots section, you can click Manage


and select the snapshots that you want to import to the Audit
Database to generate a report on the data source's state at the
specific moment in the past.

NOTE: You must be assigned the Global administrator or the


Global reviewer role to import snapshots.

Move the selected snapshots to the Snapshots available for


reporting list using the arrow button.

56/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

NOTE: The product updates the latest snapshot on the regular basis
to keep users up to date on actual system state. Only the
latest snapshot is available for reporting in Netwrix Auditor. If
you want to generate reports based on different snapshots,
you must import snapshots to the Audit Database.

Activity

Specify monitoring restrictions Specify restriction filters to narrow your Windows Server monitoring
scope (search results, reports and Activity Summaries). For example,
you can exclude system activity on a particular objects on all
computers. All filters are applied using AND logic. Click Add and
complete the following fields:

l User who initiated the change: – provide the name of the


user whose changes you want to ignore as shown in the "Who"
column of reports and Activity Summaries. Example:
mydomain\user1.

TIP: You can provide the " System " value to exclude events
containing the “ System ” instead of an account name in
the “ Who” column.

l Windows Server which setting was changed: – provide the


name of the server in your IT infrastructure whose changes you
want to ignore as shown in the "What" column of reports and
Activity Summaries. Example: winsrv2016-01.mydomain.local.

l Setting changed: – provide the name for unwanted settings as


shown in the "What" column in reports and Activity Summaries.
Example: System Properties*.

NOTE: You can use a wildcard (*) to replace any number of


characters in filters.

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

Review your data source settings and click Add to go back to your plan. The newly created data source will
appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add
Items for Monitoring for more information.

57/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

4.2.17. Netwrix API


Netwrix API is a special data source for the data received through Netwrix Auditor Integration API. By
default, all imported data is written to a special Netwrix_ Auditor_ API database and recognized as the
Netwrix API data source. This data is not associated with any monitoring plan.

If you want to associate data from your custom data source or SIEM solution with a certain plan, add a
Netwrix API data source to your plan and mark the plan name in activity records before import. In this
case, data will be written to the database linked to your monitoring plan. This can be helpful:

l If you need to restrict access to imported data. In this case only the users who are granted
permissions to see the plan data will get access to imported activity records.

l If you want to simplify your search. In this case, you will be able to specify filters, such as Monitoring
plan and Data source, and find the imported activity records faster.

l If you want to use Netwrix Auditor as intermediate solution in your monitoring routine. In this case,
you will be able to export previously imported data.

NOTE: The account used to import activity records must be assigned a special Contributor role. See Role-
Based Access and Delegation for more information.

Complete the following fields:

Option Description

Monitor this data source and Enable monitoring of the selected data source and configure Netwrix
collect activity data Auditor to collect and store audit data.

NOTE: If monitoring is disabled, you will not be able to import


activity records to database linked to your monitoring plan.

To further diversify your data, add Integration items to your Netwrix API data source. See Integration for
more information.

NOTE: Make sure Integration API is enabled. To check it, navigate to Settings → Integrations tab. See
Integrations for more information.

Make sure to provide a monitoring plan name in activity records before importing data. See
Netwrix Auditor Integration API Guide for detailed instructions on API commands and Activity
Record structure.

4.3. Add Items for Monitoring


Once you completed monitoring plan wizard and specified data sources, add items for monitoring. You can
add as many items for a data source as you want. In this case, all items will share settings you specified for
this data source.

58/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Each data source has a dedicated item type. Netwrix Auditor automatically suggests item types associated
with your data source.

Data Source Item

Active Directory Domain

Group Policy

Exchange

Logon Activity

Active Directory Federation Federation Server


Services

Azure AD Office 365 Tenant

Exchange Online

SharePoint Online

File Servers AD Container

(including Windows file Computer


server, EMC, NetApp,
EMC Isilon
Nutanix File server)
EMC VNX/VNXe/Unity

IP Range

NetApp

Windows File Share

Nutanix SMB Shares

NOTE: By default, Netwrix Auditor will monitor all shares stored in the
specified location, except for hidden shares (both default and
user-defined). If you want to monitor user-defined hidden
shares, select the related option in the monitored item settings.

Remember that administrative hidden shares like default system root


or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will
not be monitored. See the topics on the monitored items for details.

Network Devices Computer

IP Range

Oracle Database Oracle Database Instance

SharePoint SharePoint Farm

59/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Data Source Item

SQL Server SQL Server Instance

VMware VMware ESX/ESXi/vCenter

Windows Server Computer

User Activity AD Container

IP Range

Netwrix API Integration

NOTE: To add, modify and remove items, you must be assigned the Global administrator role in the
product or the Configurator role on the plan. See Role-Based Access and Delegation for more
information.

To add a new item to a data source

1. Navigate to your plan settings.

2. Click Add item under the data source.

3. Provide the object name and configure item settings.

You can fine-tune data collection for each item individually. To do it, select an item within your monitoring
plan and click Edit item. For each item, you can:

l Specify a custom account for data collection

l Customize settings specific your item (e.g., specify SharePoint site collections)

4.3.1. AD Container
Complete the following fields:

Option Description

General

Specify AD container Specify a whole AD domain, OU or container. Click Browse to select


from the list of containers in your network. You can also:

l Select a particular computer type to be audited within the


chosen AD container: Domain controllers, Servers
(excluding domain controllers), or Workstations.

l Click Exclude to specify AD domains, OUs, and containers you

60/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

do not want to audit. In the Exclude Containers dialog, click


Add and specify an object.

NOTE: The list of containers does not include child domains of


trusted domains. Use other options (Computer, IP range to
specify the target computers.

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

Containers and Computers

Monitor hidden shares By default, Netwrix Auditor will monitor all shares stored in the
specified location, except for hidden shares (both default and user-
defined). Select Monitor user-defined hidden shares if necessary.

IMPORTANT! Even when this option is selected, the product will not
collect data from administrative hidden shares such as:
default system root or Windows directory (ADMIN$), default
drive shares (D$, E$, etc.), shares used by printers to enable
remote administration (PRINT$), etc.

Specify monitoring restrictions Specify restriction filters to narrow your monitoring scope (search
results, reports and Activity Summaries). All filters are applied using
AND logic.

Depending on the type of the object you want to exclude, select one
of the following:

l Add AD Container – browse for a container to be excluded


from being audited. You can select a whole AD domain, OU or
container.

l Add Computer – Provide the name of the computer you want


to exclude as shown in the "Where " column of reports and
Activity Summaries. For example, backupsrv01.mydomain.local.

61/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

NOTE: Wildcards (*) are not supported.

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

4.3.2. Computer
Complete the following fields:

Option Description

General

Specify a computer Provide a server name by entering its FQDN, NETBIOS or IPv4
address. You can click Browse to select a computer from the list of
computers in your network.

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

Scope

Monitor hidden file shares By default, Netwrix Auditor will monitor all shares stored in the
specified location, except for hidden shares (both default and user-
defined). Select Monitor user-defined hidden shares if necessary.

IMPORTANT! Even when this option is selected, the product will not
collect data from administrative hidden shares such as:
default system root or Windows directory (ADMIN$), default
drive shares (D$, E$, etc.), shares used by printers to enable
remote administration (PRINT$), etc.

62/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Specify monitoring restrictions Specify restriction filters to narrow your monitoring scope (search
results, reports and Activity Summaries). All filters are applied using
AND logic.

Refer to Configure Scope for detailed instructions on how to


narrow your monitoring scope.

4.3.2.1. Configure Scope


You can narrow your monitoring scope by adding exclusions.

ьTo add exclusion, click Add and do the following:

1. Provide the path to the file share where you are going to exclude some audit data. Path format: as
shown in the "What" column in reports and Activity Summaries. For example: \\corpsrv\shared.

NOTE: Applies onto selected folder, its subfolders and files.

When excluding user activity on a file share, use a wildcard (*) to replace any number of
characters in the path. In other cases, wildcards are not supported.

2. Select what type of data you want to exclude:

l All Data – select to completely exclude this file share from being audited. In this case, the
product does not collect any user activity and state-in-time data.

NOTE: When selected, Netwrix Auditor does not adjust audit settings automatically for the
selected folders.

Example: a Security Officer wants to monitor a file share but s/he does not have access to a
certain folder on this share. Then, s/he does not want the product to monitor this folder at all.

l User Activity – select to exclude actions performed by specific user accounts on the selected file
share.

Example: a Security Officer wants to monitor a file share that contains a public folder for which
s/he does not want to collect reads.

NOTE: When selected, the product still collects stat-in-time data for this share.

To exclude user activity:

1. Select All Users to exclude the activity of any user on the selected file share

OR

63/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Create lists of specific users to exclude their activity. For that, under These users: provide
user names as shown in the " Who " column in reports and Activity Summaries. For
example, MyDomain\user1.

2. Select actions to exclude – you can exclude all actions of the selected users or create a list
of specific actions. For that, under These actions: select the appropriate.

l State-in-Time – select to configure Netwrix Auditor to exclude data for the state-in-time reports
from the monitoring scope.

Example: a Security Officer wants to monitor a file share, but it contains a folder with a huge
amount of objects, so s/he does not want Netwrix Auditor to collect State-in-Time data for this
folder.

4.3.3. Domain
Complete the following fields:

Option Description

Specify Active Directory domain Specify the audited domain name in the FQDN format. For example,
"company.local".

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

4.3.4. Federation Server


NOTE: If you are going to audit an entire AD FS farm, consider adding all AD FS server one by one as items
to your monitoring plan. Otherwise, your audit scope may contain warnings, errors or incomplete
data.

Complete the following fields:

Option Description

Specify AD FS federation server Provide a server name by entering its FQDN, NETBIOS or IPv4
address. You can click Browse to select a computer from the list of

64/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

computers in your network.

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

4.3.5. EMC Isilon


Complete the following fields:

Option Description

General

Specify EMC Isilon storage array Provide the IP address or the host name of the name server used to
connect to your access zone. For example, account.corp.lab

Access Zone Enter the name of access zone partition within your EMC Isilon
cluster. For example, zone_account

OneFS web administration Enter EMC Isilon web administration URL (e.g.,
interface URL https://isiloncluster.corp.lab:8080 ). This URL is used to get
configuration details about your Isilon cluster via OneFS API.

File Share UNC path to audit Path to the file share located on a EMC Isilon with event log files (e.g.,
logs \\srv\netwrix_audit$\logs\).

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

65/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Scope

Specify monitoring restrictions Specify restriction filters to narrow your monitoring scope (search
results, reports and Activity Summaries). All filters are applied using
AND logic.

Refer to Configure the Scope for detailed instructions on how to


narrow your monitoring scope.

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

4.3.5.1. Configure the Scope


You can configure Netwrix Auditor to audit all file shares except for ones added as exclusions. For that,
under Specify monitoring restrictions, select All file shares in the array . You can also create lists of
specific file shares to include and/or exclude from being audited. Review the following for additional
information:

l To add inclusion

l To add exclusion

To add inclusion

1. Under Specify monitoring restrictions, select Specific file shares.

2. Click Add Inclusion.

3. Provide UNC path to a shared resource. For example: NewStation\Shared.

NOTE: Do not specify a default file share mapped to a local drive (e.g., \\Server\e$).

To add exclusion

ьTo add exclusion, click Add and do the following:

1. Provide the path to the file share where you are going to exclude some audit data. Path format: as
shown in the "What" column in reports and Activity Summaries. For example: \\corpsrv\shared.

NOTE: Applies onto selected folder, its subfolders and files.

66/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

When excluding user activity on a file share, use a wildcard (*) to replace any number of
characters in the path. In other cases, wildcards are not supported.

2. Select what type of data you want to exclude:

l All Data – select to completely exclude this file share from being audited. In this case, the
product does not collect any user activity and state-in-time data.

NOTE: When selected, Netwrix Auditor does not adjust audit settings automatically for the
selected folders.

Example: a Security Officer wants to monitor a file share but s/he does not have access to a
certain folder on this share. Then, s/he does not want the product to monitor this folder at all.

l User Activity – select to exclude actions performed by specific user accounts on the selected file
share.

Example: a Security Officer wants to monitor a file share that contains a public folder for which
s/he does not want to collect reads.

NOTE: When selected, the product still collects stat-in-time data for this share.

To exclude user activity:

1. Select All Users to exclude the activity of any user on the selected file share

OR

Create lists of specific users to exclude their activity. For that, under These users: provide
user names as shown in the " Who " column in reports and Activity Summaries. For
example, MyDomain\user1.

2. Select actions to exclude – you can exclude all actions of the selected users or create a list
of specific actions. For that, under These actions: select the appropriate.

l State-in-Time – select to configure Netwrix Auditor to exclude data for the state-in-time reports
from the monitoring scope.

Example: a Security Officer wants to monitor a file share, but it contains a folder with a huge
amount of objects, so s/he does not want Netwrix Auditor to collect State-in-Time data for this
folder.

4.3.6. EMC VNX/VNXe/Unity


Complete the following fields:

Option Description

General

67/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Specify EMC VNX, VNXe or Unity Provide a server name by entering its FQDN, NETBIOS or IPv4
storage array address. You can click Browse to select a computer from the list of
computers in your network.

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

Scope

Monitor hidden shares By default, Netwrix Auditor will monitor all shares stored in the
specified location, except for hidden shares (both default and user-
defined). Select Monitor user-defined hidden shares if necessary.

IMPORTANT! Even when this option is selected, the product will not
collect data from administrative hidden shares such as:
default system root or Windows directory (ADMIN$), default
drive shares (D$, E$, etc.), shares used by printers to enable
remote administration (PRINT$), etc.

Specify monitoring restrictions Specify restriction filters to narrow your monitoring scope (search
results, reports and Activity Summaries). All filters are applied using
AND logic.

Refer to Configure the Scope for detailed instructions on how to


narrow your monitoring scope.

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

4.3.6.1. Configure the Scope


You can configure Netwrix Auditor to audit all file shares except for ones added as exclusions. For that,
under Specify monitoring restrictions, select All file shares in the array . You can also create lists of

68/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

specific file shares to include and/or exclude from being audited. Review the following for additional
information:

l To add inclusion

l To add exclusion

To add inclusion

1. Under Specify monitoring restrictions, select Specific file shares.

2. Click Add Inclusion.

3. Provide UNC path to a shared resource. For example: NewStation\Shared.

NOTE: Do not specify a default file share mapped to a local drive (e.g., \\Server\e$).

To add exclusion

ьTo add exclusion, click Add and do the following:

1. Provide the path to the file share where you are going to exclude some audit data. Path format: as
shown in the "What" column in reports and Activity Summaries. For example: \\corpsrv\shared.

NOTE: Applies onto selected folder, its subfolders and files.

When excluding user activity on a file share, use a wildcard (*) to replace any number of
characters in the path. In other cases, wildcards are not supported.

2. Select what type of data you want to exclude:

l All Data – select to completely exclude this file share from being audited. In this case, the
product does not collect any user activity and state-in-time data.

NOTE: When selected, Netwrix Auditor does not adjust audit settings automatically for the
selected folders.

Example: a Security Officer wants to monitor a file share but s/he does not have access to a
certain folder on this share. Then, s/he does not want the product to monitor this folder at all.

l User Activity – select to exclude actions performed by specific user accounts on the selected file
share.

Example: a Security Officer wants to monitor a file share that contains a public folder for which
s/he does not want to collect reads.

NOTE: When selected, the product still collects stat-in-time data for this share.

69/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

To exclude user activity:

1. Select All Users to exclude the activity of any user on the selected file share

OR

Create lists of specific users to exclude their activity. For that, under These users: provide
user names as shown in the " Who " column in reports and Activity Summaries. For
example, MyDomain\user1.

2. Select actions to exclude – you can exclude all actions of the selected users or create a list
of specific actions. For that, under These actions: select the appropriate.

l State-in-Time – select to configure Netwrix Auditor to exclude data for the state-in-time reports
from the monitoring scope.

Example: a Security Officer wants to monitor a file share, but it contains a folder with a huge
amount of objects, so s/he does not want Netwrix Auditor to collect State-in-Time data for this
folder.

4.3.7. IP Range
Complete the following fields:

Option Description

General

Specify IP range Specify an IP range for the audited computers.

To exclude computers from within the specified range, click Exclude .


Enter the IP subrange you want to exclude, and click Add.

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

Scope

Monitor hidden shares By default, Netwrix Auditor will monitor all shares stored in the
specified location, except for hidden shares (both default and user-
defined). Select Monitor user-defined hidden shares if necessary.

70/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

IMPORTANT! Even when this option is selected, the product will not
collect data from administrative hidden shares such as:
default system root or Windows directory (ADMIN$), default
drive shares (D$, E$, etc.), shares used by printers to enable
remote administration (PRINT$), etc.

4.3.8. NetApp
Complete the following fields:

Option Description

General

Specify NetApp file server Provide a server name by entering its FQDN, NETBIOS or IPv4
address. You can click Browse to select a computer from the list of
computers in your network.

File share UNC path to audit Select one of the following:


logs
l Detect automatically—If selected, a shared resource will be
detected automatically.

l Use this path—UNC path to the file share located on a NetApp


Filer with event log files (e.g., \\CORP\ETC$\log\).

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

ONTAPI

Specify protocol for accessing Select one of the following:


ONTAPI
l Detect automatically—If selected, a connection protocol will
be detected automatically.

l HTTP

71/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

l HTTPS

NOTE: Refer to Netwrix Auditor Installation and Configuration Guide


for detailed instructions on how to enable HTTP or HTTPS
admin access.

Specify management interface Select management interface to connect to ONTAPI. If you want to
use custom management interface for ONTAPI, select Custom and
provide a server name by entering its FQDN, NETBIOS or IP address.

Specify account for connecting Select an account to connect to NetApp and collect data through
to ONTAPI ONTAPI. If you want to use a specific account (other than the one
you specified on the General tab), select Custom and enter
credentials. The credentials are case sensitive.

Take into consideration that even if a custom account is specified,


the account selected on the General tab must be a member of the
Builtin\Administrators group and have sufficient permissions to
access audit logs shared folder and audited shares.

NOTE: See Netwrix Auditor Installation and Configuration Guide for


more information on required rights and permissions.

Scope

Monitor hidden shares By default, Netwrix Auditor will monitor all shares stored in the
specified location, except for hidden shares (both default and user-
defined). Select Monitor user-defined hidden shares if necessary.

IMPORTANT! Even when this option is selected, the product will not
collect data from administrative hidden shares such as:
default system root or Windows directory (ADMIN$), default
drive shares (D$, E$, etc.), shares used by printers to enable
remote administration (PRINT$), etc.

NOTE: Monitoring of non-default hidden shares is not supported for


NetApp servers in 7-mode.

Specify monitoring restrictions Specify restriction filters to narrow your monitoring scope (search
results, reports and Activity Summaries). All filters are applied using
AND logic.

Refer to Configure Scope for detailed instructions on how to narrow


your monitoring scope.

72/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

4.3.8.1. Configure Scope


You can configure Netwrix Auditor to audit all file shares except for ones added as exclusions. For that,
under Specify monitoring restrictions, select All file shares in the array . You can also create lists of
specific file shares to include and/or exclude from being audited. Review the following for additional
information:

l To add inclusion

l To add exclusion

To add inclusion

1. Under Specify monitoring restrictions, select Specific file shares.

2. Click Add Inclusion.

3. Provide UNC path to a shared resource. For example: NewStation\Shared.

NOTE: Do not specify a default file share mapped to a local drive (e.g., \\Server\e$).

To add exclusion

ьTo add exclusion, click Add and do the following:

1. Provide the path to the file share where you are going to exclude some audit data. Path format: as
shown in the "What" column in reports and Activity Summaries. For example: \\corpsrv\shared.

NOTE: Applies onto selected folder, its subfolders and files.

When excluding user activity on a file share, use a wildcard (*) to replace any number of
characters in the path. In other cases, wildcards are not supported.

2. Select what type of data you want to exclude:

l All Data – select to completely exclude this file share from being audited. In this case, the
product does not collect any user activity and state-in-time data.

73/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

NOTE: When selected, Netwrix Auditor does not adjust audit settings automatically for the
selected folders.

Example: a Security Officer wants to monitor a file share but s/he does not have access to a
certain folder on this share. Then, s/he does not want the product to monitor this folder at all.

l User Activity – select to exclude actions performed by specific user accounts on the selected file
share.

Example: a Security Officer wants to monitor a file share that contains a public folder for which
s/he does not want to collect reads.

NOTE: When selected, the product still collects stat-in-time data for this share.

To exclude user activity:

1. Select All Users to exclude the activity of any user on the selected file share

OR

Create lists of specific users to exclude their activity. For that, under These users: provide
user names as shown in the " Who " column in reports and Activity Summaries. For
example, MyDomain\user1.

2. Select actions to exclude – you can exclude all actions of the selected users or create a list
of specific actions. For that, under These actions: select the appropriate.

l State-in-Time – select to configure Netwrix Auditor to exclude data for the state-in-time reports
from the monitoring scope.

Example: a Security Officer wants to monitor a file share, but it contains a folder with a huge
amount of objects, so s/he does not want Netwrix Auditor to collect State-in-Time data for this
folder.

74/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

4.3.9. Nutanix SMB Shares


Complete the following fields:

Option Description

General

Specify Nutanix File Server Provide a server name by entering its FQDN, NETBIOS or IPv4 address.
You can click Browse to select a computer from the list of computers in
your network.

NOTE: If you need to audit a 3-node cluster, it is recommended to use


FQDN or NETBIOS name.

Specify the account for Select the account that will be used to collect data for this item. If you
collecting data want to use a specific account (other than the one you specified during
monitoring plan creation), select Custom account and enter credentials.

NOTE: A custom account must be granted the same permissions and


access rights as the default account used for data collection. See
Netwrix Auditor Installation and Configuration Guide for more
information.

Specify listening port for Provide the name of the TCP port to listen to notifications on the
incoming connections operations with Nutanix file shares. Default is 9898 .

For details on how to open the port, refer to Open 9898 and 9699 Ports
for Inbound Connections.

Nutanix File Server REST API

Specify account for Specify the account that will be used to connect to Nutanix REST API.
connecting to Nutanix File This account should have sufficient privileges on the Nutanix File Server.
Server REST API For details, refer to Create User Account to Access Nutanix REST API.

Scope

Monitor hidden shares By default, Netwrix Auditor will monitor all shares stored in the specified
location, except for hidden shares (both default and user-defined). Select
Monitor user-defined hidden shares if necessary.

IMPORTANT! Even when this option is selected, the product will not
collect data from administrative hidden shares such as: default
system root or Windows directory (ADMIN$), default drive shares

75/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

(D$, E$, etc.), shares used by printers to enable remote


administration (PRINT$), etc.

Specify monitoring Specify restriction filters to narrow your monitoring scope (search
restrictions results, reports and Activity Summaries). All filters are applied using
AND logic.

Refer to Configure Scope for detailed instructions on how to configure


your monitoring scope.

NOTE: Currently, auditing is available for SMB shares only. Auditing of


NFS shares is not supported due to known limitations.

4.3.9.1. Configure Scope


You can configure Netwrix Auditor to audit all file shares except for ones added as exclusions. For that,
under Specify monitoring restrictions, select All file shares in the array . You can also create lists of
specific file shares to include and/or exclude from being audited. Review the following for additional
information:

l To add inclusion

l To add exclusion

To add inclusion

1. Under Specify monitoring restrictions, select Specific file shares.

2. Click Add Inclusion.

3. Provide UNC path to a shared resource. For example: NewStation\Shared.

NOTE: Do not specify a default file share mapped to a local drive (e.g., \\Server\e$).

To add exclusion

ьTo add exclusion, click Add and do the following:

1. Provide the path to the file share where you are going to exclude some audit data. Path format: as
shown in the "What" column in reports and Activity Summaries. For example: \\corpsrv\shared.

NOTE: Applies onto selected folder, its subfolders and files.

When excluding user activity on a file share, use a wildcard (*) to replace any number of
characters in the path. In other cases, wildcards are not supported.

2. Select what type of data you want to exclude:

76/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

l All Data – select to completely exclude this file share from being audited. In this case, the
product does not collect any user activity and state-in-time data.

NOTE: When selected, Netwrix Auditor does not adjust audit settings automatically for the
selected folders.

Example: a Security Officer wants to monitor a file share but s/he does not have access to a
certain folder on this share. Then, s/he does not want the product to monitor this folder at all.

l User Activity – select to exclude actions performed by specific user accounts on the selected file
share.

Example: a Security Officer wants to monitor a file share that contains a public folder for which
s/he does not want to collect reads.

NOTE: When selected, the product still collects stat-in-time data for this share.

To exclude user activity:

1. Select All Users to exclude the activity of any user on the selected file share

OR

Create lists of specific users to exclude their activity. For that, under These users: provide
user names as shown in the " Who " column in reports and Activity Summaries. For
example, MyDomain\user1.

2. Select actions to exclude – you can exclude all actions of the selected users or create a list
of specific actions. For that, under These actions: select the appropriate.

l State-in-Time – select to configure Netwrix Auditor to exclude data for the state-in-time reports
from the monitoring scope.

Example: a Security Officer wants to monitor a file share, but it contains a folder with a huge
amount of objects, so s/he does not want Netwrix Auditor to collect State-in-Time data for this
folder.

4.3.10. Office 365 Tenant


Complete the following fields:

Option Description

Specify Office 365 Account Specify email address and password of your Microsoft account that
will be used to connect to Office 365.

77/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

4.3.11. Oracle Database Instance


Complete the following fields:

Option Description

Connection type Select how the product connects to Oracle Database:

l Oracle Database instance – select if you want to connect to a


database by instance name.

l Oracle Wallet – select if you want to use Oracle Wallet –


password- protected container used to store authentication
and signing credentials, including private keys, certificates, and
trusted certificates needed by SSL.

Instance name Provide connection details in the following format: host:port/service_


name. Make sure audit settings are configured for your Oracle
Database instance.

Wallet alias Provide the alias you set while creating wallet. For example,
"MyOracle ".

NOTE: Alias name in Netwrix Auditor should exactly match the alias
in the tnsnames.ora file. See Configure Oracle Instant
Client for HTTP Proxy Connections for more information.

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
NOTE: For Oracle Database credentials. The credentials are case sensitive.
instance connection
type only. NOTE: A custom account must be granted the same permissions
and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

4.3.12. SharePoint Farm


Complete the following fields:

Option Description

General

78/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Specify SharePoint farm for Enter the SharePoint Central Administration website URL.
monitoring

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

Core Service

Deploy Netwrix Auditor for Select deployment method for the Core Service. Select one of the
SharePoint Core Service following:

l Automatically — The installation will run under the account


used to collect data on the SharePoint farm wizard
completion.

Prior to the Netwrix Auditor for SharePoint Core Service


installation, review the following prerequisites and make sure
that:

l Netwrix Auditor for SharePoint Core Service is going to be


installed on the computer that hosts SharePoint Central
Administration in the audited SharePoint farm.

l .Net Framework 3.5 SP1 is installed on the computer that


hosts SharePoint Central Administration in the audited
SharePoint farm.

l The SharePoint Administration (SPAdminV4) service is


started on the target computer. See Netwrix Auditor
Installation and Configuration Guide for more
information.

l The user that is going to run the Core Service installation:

l Is a member of the local Administrators group on


SharePoint server, where the Core Service will be
deployed.

l Is granted the SharePoint_ Shell_ Access role on


SharePoint SQL Server configuration database. See

79/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Netwrix Auditor Installation and Configuration


Guide for more information.

l Manually—See Netwrix Auditor Installation and Configuration


Guide for more information.

NOTE: During the Netwrix Auditor for SharePoint Core Service


installation / uninstallation your SharePoint sites may be
unavailable.

Changes

Audit SharePoint farm Configuration changes are always audited.


configuration changes

Audit SharePoint permissions Select change types to be audited with Netwrix Auditor.
and content changes
Netwrix Auditor allows auditing the entire SharePoint farm.
Alternatively, you can limit the auditing scope to separate web
applications and site collections. To do it, select Specific SharePoint
objects and do one of the following:

l Click Add, provide the URL to web application or site collection


and select object type (Web application or Site collection).

l Click Import , select object type ( Web application or Site


collection), encoding type, and browse for a file that contains a
list of web applications and sites.

NOTE: Netwrix Auditor ignores changes to system data (e.g., hidden


and system lists or items are not audited). Netwrix Auditor
also ignores the content changes to sites and objects on the
site collections located on Central Administration web
application, but the security changes that occurred there are
tracked and reported anyway.

Activity

Specify monitoring restrictions Specify restriction filters to narrow your SharePoint monitoring
scope (search results, reports and Activity Summaries). For example,
you can exclude site collections document libraries and lists from
being audited as they contain public non sensitive data. All filters are
applied using AND logic. Click Add and complete the following fields:

l User – provide the name of the user as shown in the " Who "

80/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

column of reports and Activity Summaries. Example:


mydomain\user1.

l Object URL – provide URL of the objects as shown in the


" What " column of reports and Activity Summaries. Example:
http://sitecollection/list/document.docx.

l Action Type – select what types of actions performed by


selected users under the object you want to monitor. Available
values: All, Changes, Reads.

NOTE: You can use a wildcard (*) to replace any number of


characters in filters.

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

Read Access

Audit SharePoint read access Configure Netwrix Auditor to track read access to lists and list items
within your SharePoint farm except for Central Administration web
sites. Select Sites only if you want to enable read access auditing on
SharePoint sites only. Enable Sites and subsites to track read access
on each subsite. Then, do one of the following:

l Click Add and provide URL to a SharePoint site.

l Click Import , select encoding type, and browse for a file that
contains a list of sites.

NOTE: Read access auditing significantly increases the number of


events generated on your SharePoint and the amount of
data written to the AuditArchive.

4.3.13. SQL Server Instance


Complete the following fields:

81/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Specify SQL Server instance Specify the name of the SQL Server instance.

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

4.3.14. VMware ESX/ESXi/vCenter


Complete the following fields:

Option Description

General

Specify VMware ESX, ESXi, or Specify the ESX or ESXi host URL, or vCenter Server URL.
vCenter for monitoring

Specify the account for Select the account that will be used to collect data for this item. If
collecting data you want to use a specific account (other than the one you specified
during monitoring plan creation), select Custom account and enter
credentials. The credentials are case sensitive.

NOTE: A custom account must be granted the same permissions


and access rights as the default account used for data
collection. See Netwrix Auditor Installation and Configuration
Guide for more information.

Virtual Machines

Specify monitoring restrictions Select the virtual machines to be excluded from search results,
reports and Activity Summaries. To add machines to the list, click
Add . Then, provide the full path of the machine to exclude. For
example: mydomain\user1. Consider the following:

l To exclude a single machine, provide the full path as shown in


the "What" column of reports and Activity Summaries. Example:
Vcenters\VCenterServer021\VMs\vm01.

82/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

l If you want to specify several virtual machines, you can define a


mask for this parameter. Below is an example of a mask:

VCenters\VCenterServer02*”...

o *\TestVM* – machines with names started with TestVM


(e.g., MyTestVM).

o *TestVM* – machines with names containing TestVM (e.g.,


xXxTestVMxXx).

TIP: In addition to the restrictions for a monitoring plan, you can use
the *.txt files to collect more granular audit data. Note that
the new monitoring scope restrictions apply together with
previous exclusion settings configured in the *.txt files.
Review the following for more information: Exclude Objects
from Monitoring Scope

4.3.15. Windows File Share


Complete the following fields:

Option Description

General

Specify Windows file Provide UNC path to a shared resource. See the section below for special
share considerations.

NOTE: Do not specify a default file share mapped to a local drive (e.g.,
\\Server\e$).

Specify the account for Select the account that will be used to collect data for this item. If you want
collecting data to use a specific account (other than the one you specified during
monitoring plan creation), select Custom account and enter credentials. The
credentials are case sensitive.

NOTE: A custom account must be granted the same permissions and access
rights as the default account used for data collection. See Netwrix
Auditor Installation and Configuration Guide for more information.

Scope

Specify monitoring Specify restriction filters to narrow your monitoring scope (search results,

83/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

restrictions reports and Activity Summaries). All filters are applied using AND logic.

Refer to Configure Scope for detailed instructions on how to narrow your


monitoring scope.

TIP: In addition to the restrictions for a monitoring plan, you can use the
*.txt files to collect more granular audit data. Note that the new
monitoring scope restrictions apply together with previous exclusion
settings configured in the *.txt files. Review the following for more
information: Exclude Objects from Monitoring Scope

4.3.15.1. Configure Scope


You can narrow your monitoring scope by adding exclusions.

ьTo add exclusion, click Add and do the following:

1. Provide the path to the file share where you are going to exclude some audit data. Path format: as
shown in the "What" column in reports and Activity Summaries. For example: \\corpsrv\shared.

NOTE: Applies onto selected folder, its subfolders and files.

When excluding user activity on a file share, use a wildcard (*) to replace any number of
characters in the path. In other cases, wildcards are not supported.

2. Select what type of data you want to exclude:

l All Data – select to completely exclude this file share from being audited. In this case, the
product does not collect any user activity and state-in-time data.

NOTE: When selected, Netwrix Auditor does not adjust audit settings automatically for the
selected folders.

Example: a Security Officer wants to monitor a file share but s/he does not have access to a
certain folder on this share. Then, s/he does not want the product to monitor this folder at all.

l User Activity – select to exclude actions performed by specific user accounts on the selected file
share.

Example: a Security Officer wants to monitor a file share that contains a public folder for which
s/he does not want to collect reads.

NOTE: When selected, the product still collects stat-in-time data for this share.

84/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

To exclude user activity:

1. Select All Users to exclude the activity of any user on the selected file share

OR

Create lists of specific users to exclude their activity. For that, under These users: provide
user names as shown in the " Who " column in reports and Activity Summaries. For
example, MyDomain\user1.

2. Select actions to exclude – you can exclude all actions of the selected users or create a list
of specific actions. For that, under These actions: select the appropriate.

l State-in-Time – select to configure Netwrix Auditor to exclude data for the state-in-time reports
from the monitoring scope.

Example: a Security Officer wants to monitor a file share, but it contains a folder with a huge
amount of objects, so s/he does not want Netwrix Auditor to collect State-in-Time data for this
folder.

4.3.15.2. Peculiarities and Considerations

4.3.15.2.1. Working with DFS File Shares

Netwrix Auditor supports auditing of DFS and clustered file servers if Object Access Auditing is enabled on
DFS file shares or on every cluster node.

l When adding a cluster file server for auditing, it is recommended to specify a server name of the Role
server or a UNC path of the shared folder located on the Role server.

l When adding a DFS file share for auditing, specify a Windows file share item and provide the UNC path
of the whole namespace or UNC path of the DFS link (folder). For example:

o "\\domain\dfsnamespace\" (domain-based namespace) or "\\server\dfsnamespace\" (in case of


stand-alone namespace);

o "\\domain\dfsnamespace\link" (domain-based namespace) or "\\server\dfsnamespace\link" (in


case of stand-alone namespace).

l For recommendations on configuring DFS replication, refer to this Knowledge Base article.

4.3.15.3. Working with Mount Points


You can specify a mount point as a monitored item. However, consider the following:

l If a mount point represents a shared folder, then the objects in its root will be initially collected by
Netwrix Auditor and appear as processed by System account. Wait for the next data collections - then
all actions for these objects will be monitored in a normal way.

85/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

l To monitor the mount points targeted at the subfolder of a file share, provide network path to the
target subfolder.

4.3.16. Integration
Integration is a custom item type that helps diversify activity records coming from custom sources and
integrations (e.g., Amazon Web Services, Cisco devices) within Netwrix API data source. It is optional to
add this item to your monitoring plan.

Complete the following fields:

Option Description

Specify a name for your Specify the add- on name or provide any other name that
integration distinguishes this custom source from any other.

This name will be listed in the Item filter in the interactive search.

NOTE: Make sure Integration API is enabled. To check it, navigate to Settings → Integrations tab. See
Integrations for more information.

Make sure to provide a monitoring plan name and item name in activity records before importing
data. See Netwrix Auditor Integration API Guide for detailed instructions on API commands and
Activity Record structure.

4.4. Fine-Tune Your Plan and Edit Settings


At any time, you can review your plan settings and fine- tune Audit Database, notification and data
collection settings.

NOTE: To modify most plan settings, you must be assigned the Global administrator role in the product or
the Configurator role on the plan. The Global reviewer or this plan's Reviewer can modify Activity
Summary recipients. See Role-Based Access and Delegation for more information.

To edit your plan settings

1. Select a plan in the All Monitoring Plans list and click Edit.

2. In the right pane, select Edit settings.

3. In the Plan Settings page, review the tabs and modify settings.

Option Description

General

86/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

Name Update a plan name or its description.

Description

Data Collection

Specify the account for Specify a new user name and a password for the account that
collecting data Netwrix Auditor will use to collect data.

l User name Make sure the account has sufficient permissions to collect data. For
a full list of the rights and permissions, and instructions on how to
l Password
configure them, refer to Netwrix Auditor Installation and
Configuration Guide.

Audit Database

Disable security intelligence Keep this checkbox cleared if you want Netwrix Auditor to write
and make data available data to the Audit Database.
only in activity summaries

Use default SQL Server Select this checkbox to write data to a SQL Server instance with
settings connection parameters as shown in Settings → Audit Database .
See Audit Database for more information.

Specify custom connection Specify this option to use non-default settings (e.g., use a different
parameters authentication method or user).

NOTE: Make sure to store data on the same SQL Server instance.
Otherwise some data may become unavailable for search
and reporting.

Notifications

Specify Activity Summary Configure how often you want to receive an Activity Summary. By
delivery schedule default, it is delivered once a day, at 3 AM. You can specify custom
delivery time and frequency (e.g., every 6 hours starting 12 AM—at
12 AM, 6 AM, 12 PM, 6 PM).

Customize notifications By default, Activity Summary lists changes and activity in email
body. For most data sources, if an Activity Summaries contains
more than 1,000 activity records, these records are sent as a CSV
attachment, bigger attachments are compressed in ZIP files.

l Attach Activity Summary as a CSV file —You can configure


Netwrix Auditor to always send emails with attachments

87/211
Netwrix Auditor Administration Guide

4. Monitoring Plans

Option Description

instead of listing activity and changes in email body.

l Compress attachment before sending —You can configure


Netwrix Auditor to always compress attachments in a ZIP file,
irrespective of its size and number of activity records.

Specify the recipients who Modify a list of users who will receive daily activity summaries. Click
will receive daily activity Add Recipient and provide email address.
summaries
NOTE: It is recommended to click Send Test Email . The system will
send a test message to the specified email address and
inform you if any problems are detected.

4.5. Launch Data Collection Manually and Update


Status
If you do not want to wait until a scheduled data collection, you can launch it manually.

NOTE: Not applicable to Netwrix Auditor for User Activity. For this data source, the product sends real-time
data about sessions and activity.

Along with data collection, the following actions will be performed:

l An Activity Summary email will be generated and sent to the specified recipients. It will list all changes
that occurred since the last scheduled or on-demand Activity Summary delivery.

l Changes that occurred between data collections will be written to the Long-Term Archive and the
Audit Database, and become available in the Netwrix Auditor client.

l A state-in-time data will be updated.

To launch data collection manually

1. Navigate to All monitoring plans → your monitoring plan, select Edit.

2. In the right pane, click Update.

NOTE: Depending on the size of the monitored environment and the number of changes, data collection
may take a while.

88/211
Netwrix Auditor Administration Guide

5. Activity Summary Email

5. Activity Summary Email


Activity Summary email is generated automatically by Netwrix Auditor and lists all changes / recorded user
sessions that occurred since the last Activity Summary delivery. By default, for most data sources an
Activity Summary is generated daily at 3:00 AM and delivered to the specified recipients. You can also
launch data collection and Activity Summary generation manually.

NOTE: Notifications on user activity and event log collection (Event Log Collection Status) are a bit different
and do not show changes.

The following Activity Summary example applies to Active Directory. Other Activity Summaries generated
and delivered by Netwrix Auditor will vary slightly depending on the data source.

The example Activity Summary provides the following information on Active Directory changes:

Column Description

Action Shows the type of action that was performed on the object.

l Added

l Removed

l Modified

l Activated (User Activity)

Object Type Shows the type of the modified AD object, for example, 'user'.

What Shows the path to the modified AD object.

89/211
Netwrix Auditor Administration Guide

5. Activity Summary Email

Column Description

Item Shows the item associated with the selected monitoring plan.

Where Shows the name of the domain controller where the change was made.

Who Shows the name of the account under which the change was made.

When Shows the exact time when the change occurred.

Workstation Shows the name / IP address of the computer where the user was logged on when
the change was made.

Details Shows the before and after values of the modified AD object.

To initiate an on-demand Activity Summary delivery, navigate to the Monitoring Plans section, select a
plan, click Edit, and then select Update . A summary will be delivered to the specified reciptient, listing all
activity that occurred since the last data collection.

90/211
Netwrix Auditor Administration Guide

6. Intelligence

6. Intelligence
Besides notifying about the changes on a daily basis, Netwrix Auditor brings security intelligence into your
IT infrastructure and enables complete visibility.

The technology works as follows: Netwrix Auditor can be configured to write collected audit trails to the
SQL-based Audit Database and the file-based Long-Term Archive. Netwrix Auditor uses data stored in the
Audit Database to generate reports, trigger alerts, and run data searches.

The product provides a variety of predefined reports for each data source that help you keep track of all
changes in your IT infrastructure and validate compliance with various standards and regulations (FISMA,
HIPAA, PCI, SOX, etc.). Friendly, interactive search interface allows users to run custom search queries, while
alerts keep them notified on critical changes.

To review intelligence data, you must be assigned the Global administrator or Global reviewer role in the
product, or the Reviewer role on the monitoring plan. See Role-Based Access and Delegation for more
information.

91/211
Netwrix Auditor Administration Guide

6. Intelligence

NOTE: To employ reports, alerts, and interactive search capabilities, you must configure Audit Database
settings for each monitoring plan. Also, make sure all databases that store audit data reside on the
same default SQL Server instance. Otherwise, this data will not be available in the search results and
reports.

Review the following for additional information:

l Investigations

l Netwrix Auditor Intelligence Guide

92/211
Netwrix Auditor Administration Guide

7. Settings

7. Settings
In the Settings section, you can configure product settings, such as default SQL Server instance for Audit
Database, the Long-Term Archive location and retention period, etc. You can also review information about
the product version and your licenses. Review the following for additional information:

l General

l Audit Database

l Long-Term Archive

l Investigations

l Notifications

l Integrations

l Licenses

l About Netwrix Auditor

NOTE: You must be assigned the Global administrator role to modify Netwrix Auditor settings. See Role-
Based Access and Delegation for more information.

7.1. General
On the General tab you can configure global Netwrix Auditor settings, e.g., self-audit, tags, accounts and
passwords.

Review the following for additional information:

Option Description

Self-audit Select to enable data collection for product self- auditing. Self- audit allows
tracking every change to monitoring plan, data source, and audit scope and
details about it (before-after values) so that you know that scope of data to be
audited is complete and changed only in line with workflows adopted by our
organization.

Review the following for additional information:

l Netwrix Auditor Self-Audit

Netwrix Auditor usage It is optional on your part to help Netwrix improve the quality, reliability, and
statistics performance of Netwrix products and services. If selected, Netwrix collects
statistical information on how the Licensee uses the product in accordance

93/211
Netwrix Auditor Administration Guide

7. Settings

Option Description

with applicable law. Visit Netwrix Corporation Software License Agreement for
more information about the program.

You can review a sample piece of data if you are interested in data acquired by
Netwrix.

Tags Netwrix Auditor allows you to apply tags when creating an alert. With alerts,
you can distinguish one alert from another, create groups of similar alerts, etc.

The Tags page contains a complete list of alerts that were ever created in the
product.

Currently, you cannot assign or create tags on this page. To apply tags to an
alert, navigate to alert settings and locate the Apply tags section on the
General tab.

Account and Netwrix Auditor allows you to assign different accounts for monitoring plans.
passwords Click Manage to review the full list of accounts and associated auditing scope.
You can also change accounts' password if necessary.

7.2. Audit Database


If you want to leverage your security intelligence data, generate reports, and run the interactive searches,
Audit Database settings must be properly configured. These Audit Database settings include default SQL
Server, SSRS, and retention settings, and settings specific to each monitoring plan.

Normally, Audit Database settings are configured when you create a first monitoring plan. The SQL Server
instance you specified is set as default and settings are listed on the Settings → Audit Database tab.
Later, when you create other monitoring plans these settings prepopulate fields on the Audit Database
step of the wizard.

To review and update default Audit Database settings (including SQL Server, SSRS, retention settings),
navigate to Settings → Audit Database . If you have not specified the default settings before, click
Configure.

Review the following for additional information:

Option Description

Default SQL Server Define the default Audit Database location and connection information, etc.
settings See To configure default SQL Server settings for more information.

NOTE: Netwrix Auditor allows you to specify settings for each monitoring plan
individually. To specify custom settings (e.g., use a different account or
authentication type), navigate to the monitoring plan's settings. See

94/211
Netwrix Auditor Administration Guide

7. Settings

Option Description

Fine-Tune Your Plan and Edit Settings for more information.

Database retention Can be configured if you want audit data to be deleted automatically from your
Audit Database after a certain period of time. These settings are common and
cannot be modified for a certain plan. See To configure database retention for
more information.

SQL Server Reporting Define the Report Server URL and account used to upload data to Report
Services settings Server. These settings are common and cannot be modified for a certain plan.
See To configure SSRS settings for more information.

To configure default SQL Server settings

On the Settings → Audit Database tab, review settings and click Modify under the Default SQL Server
settings section.

Option Description

SQL Server instance Specify the name of the SQL Server instance to store audit data.

NOTE: If you have more than one Netwrix Auditor Server running in
your network, make sure to configure them to use different SQL
Server instances. The same SQL Server instance cannot be used
to store audit data collected by several Netwrix Auditor Servers.

Authentication Select the authentication type you want to use to connect to the SQL
Server instance:

l Windows authentication

l SQL Server authentication

User name Specify the account to be used to connect to the SQL Server instance.

NOTE: This account must be granted the database owner (db_owner)


role and the dbcreator server role. See Configure Audit Database
Account for more information.

Password Enter a password.

To configure database retention

On the Settings → Audit Database tab, review settings and click Modify under the Database retention
section.

95/211
Netwrix Auditor Administration Guide

7. Settings

Option Description

Clear stale data when a Select if you want audit data to be deleted automatically from your
database retention period is Audit Database after a certain period of time.
exceeded / Set a database
retention period to clear
stale data

Store audit data in database Specify the number of months for which audit data will be stored. Data
for is deleted automatically when its retention period is over.

By default, it is set to 180 days.

To configure SSRS settings

On the Settings → Audit Database tab, review settings and click Modify under the SQL Server
Reporting Services settings section.

Option Description

Report Server URL Specify the Report Server URL. Make sure that the resource is reachable.

Report Manager URL Specify the Report Manager URL. Make sure that the resource is
reachable.

User name Specify the account to be used to connect to SSRS. Make sure this
account is granted the Content Manager role on the Report Server.

Password Enter a password.

7.3. Long-Term Archive


The Long-Term Archive is configured by default, irrespective of your subscription plan and settings you
specified when configuring a monitoring plan. To review and update your Long-Term Archive settings,
navigate to Settings → Long-Term Archive and click Modify.

Option Description

Long-Term Archive settings

96/211
Netwrix Auditor Administration Guide

7. Settings

Option Description

Write audit data to Specify the path to a local or shared folder where your audit data
will be stored. By default, it is set to "C:\ProgramData\Netwrix
Auditor\Data".

By default, the LocalSystem account is used to write data to the


local-based Long-Term Archive and computer account is used for
the file share-based storage.

Subscriptions created in the Netwrix Auditor client are uploaded to


file servers under the Long-Term Archive service account as well.

NOTE: It is not recommended to store your Long-Term Archive on


a system disk. If you want to move the Long-Term Archive
to another location, refer to the following Netwrix
Knowledge base article: How to move Long-Term Archive to
a new location. Additional procedures are required if you
upgraded Netwrix Auditor from 8.0. See the article for
details.

Keep audit data for (in months) Specify how long data will be stored. By default, it is set to 120
months.

Data will be deleted automatically when its retention period is over.


If the retention period is set to 0, data will be automatically stored

97/211
Netwrix Auditor Administration Guide

7. Settings

Option Description

for the last 4 data collections for most of the data sources (event if
the retention period is set to 0 data on SQL Server, file servers and
Windows Server changes will be stored for the last 2 data
collections, and 7 data collections for user activity).

Use custom credentials (for the Select the checkbox and provide user name and password for the
file share-based Long-Term Long-Term Archive service account.
Archive only)
NOTE: You can specify a custom account only for the Long-Term
Archive stored on a file share.

The custom Long-Term Archive service account can be granted the


following rights and permissions:

l Advanced permissions on the folder where the Long- Term


Archive is stored:

l List folder / read data

l Read attributes

l Read extended attributes

l Create files / write data

l Create folders / append data

l Write attributes

l Write extended attributes

l Delete subfolders and files

l Read permissions

l On the file shares where report subscriptions are saved:

l Change share permission

l Create files / write data folder permission

NOTE: Subscriptions created in the Netwrix Auditor client are


uploaded to file servers under the Long-Term Archive
service account as well.

Session recording settings

98/211
Netwrix Auditor Administration Guide

7. Settings

Option Description

Configure custom location of Default location for storing session recordings is set to
session recordings "\\<NetwrixAuditorServerName>\Netwrix_UAVR$". However, storing
extra files on Netwrix Auditor server may produce additional load
on it, so consider using this option to specify another location
where session recordings will be stored.

Enter UNC path to shared folder: Specify UNC path to the shared folder where user session video
recordings will be stored. You can use server name or IP address,
for example:

\\172.28.6.33\NA_UserSessions

NOTE: Using a local folder for that purpose is not recommended, as


storing extra files on Netwrix Auditor server will produce
additional load on it.

Make sure the specified shared folder has enough capacity to store
the video files.

Retention period for the video files can be adjusted in the related
monitoring plan settings (targeted at User Activity data source);
default retention is 7 days. See User Activity for details.

NOTE: After you specify and save settings for session recordings, it
is recommended that you leave them unchanged.
Otherwise — if you change the storage location while using
Netwrix Auditor for User Activity — please be aware of
possible data loss, as Netwrix Auditor will not automatically

99/211
Netwrix Auditor Administration Guide

7. Settings

Option Description

move session recordings to a new location.

User name / Password Provide user name and password for the account that will be used
to store session recordings to the specified shared folder.

Make sure the account has at least Write permission for that
folder.

NOTE: Netwrix Auditor informs you if you are running out of space on a system disk where the Long-Term
Archive is stored by default. You will see events in the Netwrix Auditor System Health log once
the free disk space starts approaching minimum level. When the free disk space is less than 3 GB,
the Netwrix services responsible for audit data collection will be stopped.

7.4. Investigations
By default, the Audit Database stores data up to 180 days. Once the retention period is over, the data is
deleted from the Audit Database and becomes unavailable for reporting and search.

Depending on your company requirements you may need to investigate past incidents and browse old
data stored in the Long-Term Archive. Netwrix Auditor allows importing data from the Long-Term Archive
to a special "investigation" database. Having imported data there, you can run searches and generate
reports with your past data.

100/211
Netwrix Auditor Administration Guide

7. Settings

To import audit data with the Archive Data Investigation wizard

NOTE: You must be assigned the Global administrator role to import investigation data. To view
investigation data, you must be assigned the Global administrator or Global reviewer role.

1. Navigate to Settings → Investigations.

2. Complete your SQL Server settings.

Option Description

SQL Server Instance Specify the name of the SQL Server instance to import your audit data
to.

NOTE: If you want to run searches and generate reports, select the
same SQL Server instance as the one specified on Settings →
Audit Database page. See Audit Database for more
information.

Database Select import database name. By default, data is imported to a


specially created the Netwrix_ImportDB database but you can select
any other.

NOTE: Do not select databases that already contain data. Selecting


such databases leads to data overwrites and loss.

Authentication Select the authentication type you want to use to connect to the SQL
Server instance:

l Windows authentication

l SQL Server authentication

User name Specify the account to be used to connect to the SQL Server instance.

NOTE: This account must be granted the database owner (db_


owner) role and the dbcreator server role. See Netwrix
Auditor Installation and Configuration Guide for more
information.

Password Enter a password.

Clear imported data Select to delete all previously imported data.

NOTE: To prevent SQL Server from overfilling, it is recommended to


clear imported data once it is longer needed.

101/211
Netwrix Auditor Administration Guide

7. Settings

3. Review your New investigation configuration. Click Configure to specify the import scope.

Option Description

From... To... Specify the time range for which you want to import past audit data.

Data sources Select data sources whose audit data you want to import to the Audit
Database.

Monitoring plans Select monitoring plans whose audit data you want to import to the
Audit Database. Netwrix Auditor lists monitoring plans that are
currently available in the product configuration.

NOTE: Select All to import audit data for all monitoring plans,
including those that were removed from the product (or
removed and then recreated with the same name—Netwrix
Auditor treats them as different monitoring plans).

For example, you had a monitoring plan corp.local used for


auditing Active Directory. You removed this monitoring plan,
but its audit data was preserved in the Long-Term Archive.
Then, you created a new monitoring plan for auditing
Exchange and named it corp.local again. Its data is also
stored in the Long-Term Archive. Netwrix Auditor treats both
corp.local monitoring plans—the removed and the current—
as different.

If you select corp.local in the monitoring plans list, only


Exchange data will be imported to Audit Database (as it
corresponds to the current monitoring plan configuration). To
import Active Directory data from the removed monitoring
plan, select All monitoring plans.

4. Click Run.

7.5. Notifications
Basically, the SMTP settings are configured when you create the first monitoring plan in the New
monitoring plan wizard.

You can update notification settings at any time in the Settings → Notifications. Review the following for
additional information:

l To modify SMTP Settings

l To send summary emails and notifications about critical events

102/211
Netwrix Auditor Administration Guide

7. Settings

To modify SMTP Settings

Navigate to Default SMTP settings to review settings used to deliver email notifications, reports, etc., and
click Modify to adjust them if necessary.

Option Description

SMTP server Enter your SMTP server address. It can be your company's Exchange
server or any public mail server (e.g., Gmail, Yahoo).

Port number Specify your SMTP server port number.

Sender address Enter the address that will appear in the From field.

NOTE: It is recommended to click Send Test Email. The system will send
a test message to the specified email address and inform you if
any problems are detected.

SMTP authentication Select this checkbox if your mail server requires the SMTP
authentication.

User name Enter a user name for the SMTP authentication.

Password Enter a password for the SMTP authentication.

Use Secure Sockets Layer Select this checkbox if your SMTP server requires SSL to be enabled.
encrypted connection (SSL)

Use implicit SSL Select this checkbox if the implicit SSL mode is used, which means that
authentication an SSL connection is established before any meaningful data is sent.

Enforce certificate validation Select this checkbox if you want to verify security certificate on every
to ensure security email transmission.

NOTE: The option is not available for auditing User Activity as well
Netwrix Auditor tools.

NOTE: You can configure Activity Summary frequency, format and delivery time for each monitoring plan
individually. See Fine-Tune Your Plan and Edit Settings for more information.

After that, you can specify the recipient who will receive product activity and health summary emails.

103/211
Netwrix Auditor Administration Guide

7. Settings

To send summary emails and notifications about critical events

1. Navigate to the Summary email recipient and click Modify.

2. Specify recipient address:

l To send to a single recipient, enter personal mailbox address.

l To send to multiple recipients, make sure they are added to a distribution group, and enter the
group address. Entering multiple individual addresses is not supported.

To learn more about product health, you can also navigate to the Health status tile in the main window. It
will take you to the Health Status dashboard that contains information on the product activity and
system health state. See Review Health Status Dashboard for more information.

7.6. Integrations
Netwrix Auditor Integration API—endless integration, auditing and reporting capabilities.

The Netwrix Auditor Integration API provides access to audit data collected by Netwrix Auditor through
REST API endpoints. According to the RESTful model, each operation is associated with a URL. Integration
API provides the following capabilities:

l Data in: Solidify security and meet regulatory compliance standards by enabling visibility into what is
going on in any third-party application.

l Data out : Further automate your business processes, IT security and operations workflows by
enriching third-party solutions with actionable audit data.

Netwrix Auditor Integration API is enabled by default and communicates through port 9699. Navigate to
Settings → Integrations to adjust port settings and review information about possible integrations.

Netwrix recommends adding a special data source to your monitoring plan—Netwrix API. See Netwrix API
for more information.

NOTE: In Netwrix Auditor 9.0, Netwrix has updated API schemas. Make sure to check and update your
custom scripts and add-ons.

To learn more about Integration API capabilities, refer to Netwrix Auditor Integration API Guide.

7.7. Licenses
The Licenses tab allows you to review the status of your current licenses, update them and add new
licenses. To learn about Netwrix Auditor licenses, refer to the following Netwrix Knowledge Base article:
Netwrix Auditor Licensing FAQs.

104/211
Netwrix Auditor Administration Guide

7. Settings

To update or add a license

1. Click Update.

2. In the dialog that opens, do one of the following:

l Select Load from file, click Browse and point to a license file received from your sales
representative.

l Select Enter manually and type in your company name, license count and license codes.

7.7.1. Notes for Managed Service Providers


Being a Managed Service Provider (MSP) you are supplied with a special MSP license that allows you to
deploy Netwrix Auditor on several servers with the same license key. In this case the license count is based
on total number of users across all managed client environments. To ensure that licenses are calculated
correctly (per heartbeat) by Netwrix, perform the following steps:

1. Create organizational units within audited domains and add there service accounts you want to
exclude from license count.

2. On the computer where Netwrix Auditor Server resides, navigate to Netwrix Auditor installation
folder\Netwrix Auditor\Administrative Console and locate MSP.xml.

3. In MSP.xml, provide the following:

l CustomInstanceIdentificator —Is used to identify a server where Netwrix Auditor Server is


installed. It can be any custom name, for example a server name, code name or any other name
you use to distinguish one server from another (e.g., ABCServer).

Netwrix recommends you to assign a unique identifier for each client. This information is stored
in the Netwrix Partner Portal and helps you identify each instance when you invoice customers
for Netwrix services.

NOTE: Netwrix gathers the following information about MSP licenses: identifier, license key and
license count.

l ServiceAccount Path—Is a path to OU that contains service accounts. You can add several
OUs to MSP.xml, one per line.

For example:

105/211
Netwrix Auditor Administration Guide

7. Settings

NOTE: MSP.xml file must be formatted in accordance with XML standard. If company name (used as
identifier) or service account path includes & (ampersand), " (double quotes) or ' (single quotes), <
(less than), > (greater than) symbols, they must be replaced with corresponding HTML entities.

Netwrix recommends avoiding special characters since some web browsers (e.g., Internet
Explorer 8) have troubles processing them.

Symbol XML entity

& &amp;

e.g., Ally & Sons e.g., Ally &amp; Sons

" &quot;

e.g., Domain1\Users\"Stars" e.g., Domain1\Users\&quot;Stars&quot;

' &apos;

e.g., Domain1\Users\O'Hara e.g., Domain1\Users\O&apos;Hara

< &lt;

e.g., Company < 1 e.g., Company &lt;1

> &gt;

e.g., ID> 500 e.g., ID&gt;500

5. Navigate to Netwrix Auditor installation folder\Netwrix Auditor\Administrative Console and start


Netwrix.NAC.MSPTool.exe. The tool transfers information on service accounts to Netwrix Auditor.
Netwrix Auditor uses this information to exclude service accounts from license count so that only
heartbeat users will be calculated.

NOTE: You must run Netwrix.NAC.MSPTool.exe every time you update MSP.xml.

106/211
Netwrix Auditor Administration Guide

7. Settings

7.8. About Netwrix Auditor


The About Netwrix Auditor tab contains complete information on the product:

Option Description

Netwrix Auditor9.95 Review current version of Netwrix Auditor.

Check for updates Select to check for available updates now.

Check for updates automatically and Netwrix Auditor periodically checks for updates so you don’t
show notifications about new product have to. When an update is available, a user is immediately
versions noticed.

Getting Help Click the link to visit Netwrix Auditor Help Center and access
user guidelines online.

107/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

8. Monitor Netwrix Auditor


Operations and Health
This section describes how you can monitor Netwrix Auditor operations, health and resource usage. For
that, the following means are provided:

l Review Health Status Dashboard

l Netwrix Auditor Self-Audit

l Netwrix Auditor Health Summary Email

l Netwrix Auditor System Health Log

8.1. Netwrix Auditor System Health Log


When an error occurs, a system administrator or support engineer must determine what caused this error
and prevent it from recurring. For your convenience, Netwrix Auditor records important events in the
proprietary Netwrix Auditor System Health event log.

You can review events directly in the product:

l When issues encountered during data collection, click Details... in the Status column and select View
Health Log.

OR

l In the main screen, in the Configuration section click the Health status tile, then in the Health log
dashboard widget click Open health log. See Health Log for more information.

NOTE: You can also inspect the log in the Event Viewer.

There are three types of events that can be logged:

Event Type Description

Information An event that describes the successful operation beginning or completion.


For example, the product successfully completed data collection for a
monitoring plan.

Warning An event that is not necessarily significant, but may indicate a possible
future problem. For example, the product failed to process a domain
controller.

Error An event that indicates a significant problem such as loss of data or loss of
functionality. For example, the product failed to retrieve settings for your
data source.

108/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

Review the following:

l Inspect Events in Health Log

If you want to monitor Netwrix Auditor health status in more depth, you can do the following:

l Create a monitoring plan for this log using Netwrix Auditor Event Log Manager too to collect activity
data. See Create Monitoring Plan for Netwrix Auditor System Health Log for more information.

l Configure alerts triggered by specific events in the product's health log. See Create Alerts on Netwrix
Auditor Server Health Status for more information.

8.1.1. Netwrix Auditor Health Summary Email


Netwrix Auditor Health Summary email includes all statistics on the product operations and health for the
last 24 hours; it also notifies you about license status. By default, this email is generated daily at 7:00 AM
and delivered to the recipient specified in the Notifications settings. Email content is very similar to data
presented in the Health Status dashboard.

For greater usability, to depict overall product health state, the email includes a color indicator in the
topmost section: green means Netwrix Auditor had no issues while auditing your IT infrastructure, and red
means there were some problems that require your attention.

The email looks like shown below:

109/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

NOTE: The Monitoring Overview section of the email provides detail information only for the monitoring
plans with issues. Successfully completed monitoring plans are not included.

8.1.2. Review Health Status Dashboard


New Health Status dashboard facilitates Netwrix Auditor maintenance and troubleshooting tasks,
providing IT specialists with at-a-glance view on the most critical factors: data collection performance,
product health and storage capacity. The dashboard comprises a set of widgets that display the status of
these aspects using aggregated statistics and charts. Nearly each widget allows you to drill down to the
detailed information on the aspect you are interested in.

To view the dashboard, on the main Netwrix Auditor page, click the Health status tile located in the
Configuration section.

The dashboard includes the following widgets:

110/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

l The Activity records by date chart—Shows the number of activity records produced by your data
sources, collected and saved by Netwrix Auditor during the last 7 days. See Activity Records Statistics
for details.

l The Monitoring overview widget—Shows aggregated statistics on the statuses of all monitoring
plans configured in Netwrix Auditor at the moment. See Monitoring Overview for details.

l The Health log chart—Shows the statistics on the events written in the Netwrix Auditor health log in
the last 24 hours. Click the link in this widget to view the log. See Health Log for details.

l The Database statistics widget—Helps you to estimate database capacity on the default SQL Server
instance that hosts the product databases. See Database Statistics for details.

l The Long-Term Archive widget—Helps you to estimate the capacity of the Long-Term Archive file-
based storage. To modify its settings, including location and retention, click the link in this widget. See
Long-Term Archive Capacity for details.

l The Working Folder widget—Helps you to estimate the capacity of the Netwrix Auditor working
folder used to keep operational information (configuration files of the product components, log files,
and other data) on the Netwrix Auditor Server. See Netwrix Auditor Working Folder for details.

You can also instruct Netwrix Auditor to forward similar statistics as a health summary email to personnel
in charge. For that, click Notification settings, then follow the steps described in the Notifications section.
See also Netwrix Auditor Health Summary Email.

111/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

8.1.2.1. Activity Records Statistics


Aggregated statistics on the activity records is provided in the Activity records by date widget. The chart
shows the number of activity records produced by your data sources, collected and saved by Netwrix
Auditor during the last 7 days. This data can help you to assess the activity records generation intensity in
your IT infrastructure, and product load.

After you click View details, the Activity Records Statistics window will be displayed.

By default, statistics on activity records processing is grouped by Monitoring plan and presented for the
Last 7 days. To modify the timeframe, use the drop-down list in the upper right corner.

Other fields provide the following information: data source that produces activity records, with date and
time of the last collected record, and the overall number of records collected and uploaded to the
corresponding Audit database during the specified timeframe.

NOTE: If the data sources processed by a monitoring plan did not produce any activity records during the
specified timeframe, this monitoring plan will not appear in the list.

8.1.2.2. Monitoring Overview


Aggregated statistics on the monitoring plans is provided in the Monitoring overview widget. It displays
current statuses of all monitoring plans:

112/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

l Ready (green indicator)—The monitoring plans (one or several) successfully processed the data
sources with all their items and are ready for the next run.

l Pay attention (yellow indicator)—The monitoring plans (one or several) require your attention, as
some items were not processed completely but only partially. This status applies to the monitoring
plans targeted at Logon Activity and Windows File Server. See the table below for details.

l Take action (red indicator)—Any data source or item in the monitoring plan (one or several) was
processed with errors.

After you click View details, the Monitoring Overview window will be displayed.

It provides the hierarchical list of monitoring plans, processed data sources and corresponding items with
their current status and date/time of the last data processing session. For data sources and items their
current status is depicted as follows:

Entity Status Description

Data source Disabled A data source can be disabled manually via its
settings (by switching Monitor this data source
and collect activity data to OFF), or
automatically, if the license is not valid any more
(for example, the count of licensed objects was
exceeded, or the trial period has expired).

Empty No items have been added to this data source

113/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

Entity Status Description

yet.

Enabled Monitor this data source and collect activity


data is set to ON in the data source settings.

Not available The monitoring plan is corrupted and cannot


process its data sources, so it is recommended to
remove it and create anew.

Not responding Data collector for this data source is not


responding. The underlying items will not be
displayed for such data source.

Working The data source is being processed at the


moment.

(not displayed) The data source status is unknown.

Item Pay attention The item was processed with some issues (non-
critical). This status applies to the monitoring
plans targeted at Logon Activity and Windows
File Server. It means that data collection from at
least one entity completed with errors.

For example, a MyFileServer item included in the


File Server monitoring plan contains all CIFS
shares hosted on the MyFileServer computer.

If any of these shares was processed with errors


while others were processed successfully, the
processing of the whole MyFileServer item will
be considered partially completed, and the
monitoring plan will have a yellow indicator,
requiring your attention.

Click the Details link to examine the product log.

Ready The item was processed successfully and is ready


for the next run of data collection.

Take action Critical error (s) occurred while processing this


item.

Click the Details link to examine the product log.

Working The item is being processed at the moment.

114/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

You can use the Search field, or apply a filter to display the information you need. For example, in the
Apply Filters dialog you can select the Show only plans with issues to display only the monitoring plans
that require attention and corrective actions.

This information will help you to troubleshoot the product operation, detect and eliminate the root cause
of the monitoring errors, providing for auditing continuity and compliance.

8.1.2.3. Health Log


Daily summary of the Netwrix Auditor health log is displayed in the Health log widget. The chart shows
how many events with different severity levels were written to the product health log in the last 24 hours.
To open the health log, click the corresponding link.

See Inspect Events in Health Log for more information.

8.1.2.4. Database Statistics


Databases may tend to run out of free space due to poor capacity provisioning or to retention settings not
configured properly. Use the Database statistics widget to examine database size and adjust retention
accordingly. The widget displays the name of default SQL Server instance hosting all Netwrix Auditor
databases, the overall database capacity at the moment and its change over the last day (24 hours).

NOTE: Transaction logs size is not included in the calculations.

After you click View details , the following information will be displayed for the specified SQL Server
instance:

115/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

The Database name column contains the list of Netwrix Auditor databases hosted by the specified
instance of the SQL Server:

l Special databases are created automatically on the default SQL Server instance to store:

o alerts—Netwrix_AlertsDB database

o activity records collected using Integration API—Netwrix_Auditor_API database

o internal event records—Netwrix_Auditor_EventLog database

o data collected by Netwrix Auditor self-audit—Netwrix_Self_Audit database

o data needed for overview reports generation—Netwrix_OverviewReportsDB

l To store data from the data sources included in the monitoring plan, dedicated Audit databases are
created and named by user (default name format is Netwrix_Auditor_<monitoring_plan_name>)

The following capacity metrics are displayed for each database:

l State—database state summary

l Size—current database size (logs are not included)

l Activity records—number of the activity records stored in the database at the moment

After you expand the database node, the detailed database properties will be shown:

These properties are as follows:

116/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

Property Possible Values Description

Size limit <size_limit> For SQL Server Express Edition–shows database


size limitations

Unlimited

OK Database is operating properly.

State description
Capacity error Database is running low on disk space.

-OR-

Size limit for SQL Server Express Edition will be


reached soon (threshold is 500 MB, i.e. 5% of 10
GB limit remaining).

Failed to store data Failed to store data to the database due to some
issues.

Unavailable Failed to connect to the database.

Upgrade in progress Database is being upgraded.

Monitoring plans <monitoring_plan> All monitoring plans for which this database is a
target.

NOTE: Usually it is recommended to configure a


dedicated database for each plan.

You can use the Search field, or apply a filter to display the information you need. For example, in the
Apply Filters dialog you can select the Show only plans with issues to display only the monitoring plans
that require attention and corrective actions.

This information will help you to troubleshoot the product operation, detect and eliminate the root cause
of the monitoring errors, providing for auditing continuity and compliance.

8.1.2.5. Long-Term Archive Capacity


Long-Term Archive is a file-based storage where Netwrix Auditor saves the collected activity records. By
default, it is located on the system drive at %PROGRAMDATA%\Netwrix Auditor\Data and keeps data for 120
months. You may want to modify these settings, for example, move the storage from the system drive to
another location. The Long-Term Archive widget will help you to monitor the Long-Term Archive capacity.
The widget displays the current size and daily increase of the Long-Term Archive, and the remaining free
space on the target drive.

To open the Long-Term Archive settings, click the corresponding link. Then you will be able to adjust the
settings as necessary.

117/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

See Long-Term Archive for more information.

8.1.2.6. Netwrix Auditor Working Folder


The working folder is a file-based storage that keeps operational information (configuration files of the
product components, log files, and other data). Netwrix Auditor also caches some audit data in this folder
for a short period (up to 30 days) prior to storing it to the Long-Term Archive or Audit database. By default,
the working folder is located on the system drive at %PROGRAMDATA%\Netwrix Auditor.

In busy environments and during activity peaks, working folder size may grow significantly. To track the
working folder capacity, use the Working Folder widget.

NOTE: If you need to change the working folder location, follow the instructions provided in this
Knowledge Base article.

8.1.3. Netwrix Auditor Self-Audit


Built-in Netwrix Auditor self-audit allows you to track changes to the product configuration, including
monitoring plans, data sources, audit scope and details about it (before-after values). This helps you to
ensure that monitoring scope is complete and changed only in line with the workflows adopted by our
organization.

The corresponding option is available on the General tab of Netwrix Auditor Settings . By default, it is
enabled (Collect data for self-audit check box is selected).

Review the following for additional information:

l To search for self-audit results

l To review Netwrix Auditor Self-Audit report

To search for self-audit results

All Netwrix Auditor self-audit Activity Records can be found quickly using AuditIntelligence Search.

118/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

1. In Netwrix Auditor, navigate to Search.

2. Set the "Data source" filter to "Self-audit".

3. Click Search to review results:

NOTE: Having reviewed your results, apply filters to narrow your data. See Apply Filters for more
information.

After browsing your data, navigate to Tools to use the search results as intended. See Make
Search Results Actionable for more information.

To review Netwrix Auditor Self-Audit report

Also, there is a new Netwrix Auditor Self-Audit report available under Organization Level Reports in the
predefined set of reports. This report shows detailed information on changes to Netwrix Auditor
monitoring plans, data sources and audited items.

1. In Netwrix Auditor, navigate to Reports → Organization Level Reports.

2. Select the Netwrix Auditor Self-Audit report and click View.

8.1.4. Inspect Events in Health Log

To inspect events in Netwrix Auditor health log

1. On the main Netwrix Auditor page, select the Health status tile, then in the Health log dashboard
widget click Open health log.

2. Select an entry to review it in details. You can also copy event details. Select the event in the list and
click Copy details at the bottom of the window.

For your convenience, Netwrix Auditor provides you with filters so that you can narrow down the number
of events on the screen and focus on those that matter most. For example, warnings on failed data
collection or events of an important monitoring plan.

To filter events

119/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

1. Select Filters in the upper part of the Netwrix Auditor Health Log window.

2. Complete the following fields:

Option Description

Logged Specify event logging time period (date range, yesterday, etc.).

Event level Select level of the events that you want to be displayed.

Event source Select services and applications whose events you want to view.

Monitoring plan Select to display events from one or several monitoring plans.

Item name Select to display events from the certain item(s) you need.

Event ID Enter event ID number or range of event IDs separated by commas. For
example, 1, 3, 5-99.

NOTE: You can also exclude unwanted event IDs from being displayed. Type
the minus sign before selected event ID. For example, -76.

120/211
Netwrix Auditor Administration Guide

8. Monitor Netwrix Auditor Operations and Health

The applied filters will be listed on the top of the screen under the window title.

121/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

9. Address Specific Tasks with


Netwrix Auditor Tools

122/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

9.1. Audit Configuration Assistant


Netwrix Auditor Audit Configuration Assistant utility helps you to assess your environment readiness to
being monitored with Netwrix Auditor and automatically adjust the audit settings with the requirements.

It checks current settings of your Active Directory and Group Policies against those required for monitoring
of selected data sources: Group Policy settings, auditing entries for directory partitions, and admin audit
log settings of Exchange server. Assessment results are reported on the screen and can be downloaded as
a PDF file.

You can instruct the utility to automatically apply the required settings.

NOTE: For that, you should ensure that the account you plan to use for accessing the target domain has
the necessary rights.

Audit Configuration Assistant is a part of Netwrix Auditor product setup. It is installed together with
Netwrix Auditor client and can be launched from the Start menu →Netwrix Auditor →Netwrix Auditor
Audit Configuration Assistant. Alternatively, you can launch this utility from the monitoring plan wizard
for Active Directory data source. See the Launch Audit Configuration Assistant section for details.

NOTE: Currently, the utility supports Active Directory and Logon Activity data sources.

9.1.1. Prerequisites
When working with the utility, you will need to provide an account with access rights required to access the
AD audit entries and other settings. It should be a member of the following groups:

l Domain Admins — to access audit policies and audit entries on the domain controllers

l Enterprise Admins — to configure audit entries for AD partitions

l Organization Management or Records Management (in Exchange organization) — to configure admin


audit log settings

You can create a dedicated account for the assessment purposes, include it in these groups for the
assessment period, and after finishing, remove it from these privileged groups.

9.1.2. Usage
To assess and adjust the audit settings with Audit Configuration Assistant, take the following steps:

1. Launch Audit Configuration Assistant

2. Start Assessment

3. View Results

4. Complete the process

123/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

9.1.3. Launch Audit Configuration Assistant


Audit Configuration Assistant is a part of Netwrix Auditor product setup. It is installed together with
Netwrix Auditor client and can be launched from the Start menu.

Select →Netwrix Auditor →Netwrix Auditor Audit Configuration Assistant.

If the utility is installed on the same machine as Netwrix Auditor server, you will be taken to the Welcome
step.

If the utility is installed on the remote machine together with Netwrix Auditor client, the initial window will
allow you to enter the settings to connect to Netwrix Auditor Server. Specify the following:

Setting Description

Host Enter the name or IP address of Netwrix Auditor Server to


connect to.

Use specified credentials If not selected, then your current Windows credentials will be
used to access Netwrix Auditor Server.

Select this option if you want to use other credentials

User Enter user account in the domain\name format.

Password Enter account password.

After you click Connect, the connection with Netwrix Auditor Server will be established, and you will be
taken to the Welcome step.

Alternatively, you can launch this utility by clicking the corresponding link:

l From the first step of the Monitoring Plan wizard for Active Directory data source.

l From the Active Directory data source properties within the plan.

l From the Logon Activity data source properties.

9.1.3.1. Prerequisites
The utility is installed

9.1.3.2. Procedure
Start Audit Configuration Assistant

Review the following for additional information:

124/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

l Create Monitoring Plans for Event Logs

l Configure Audit Archiving Filters for Event Log

l Create Alerts for Event Log

l Create Monitoring Plan for Netwrix Auditor System Health Log

l Create Alerts for Non-Owner Mailbox Access Events

l Review Past Event Log Entries

l Import Audit Data with the Database Importer

125/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

9.1.4. Start Assessment


At this step, do the following:

1. Select what you plan to monitor with Netwrix Auditor. You can select both Active Directory and
Logon Activity, or any of them.

2. If you launched Audit Configuration Assistant from the Start menu (not from the monitoring plan
settings), enter the name of Active Directory domain you want to assess.

3. Enter credentials that will be used to access the audit setting of that domain. This account must be
included in the following groups:

l Domain Admins — to access audit policies and audit entries on the domain controllers

l Enterprise Admins — to configure audit entries for AD partitions

l Organization Management or Records Management (in Exchange organization) — to configure


admin audit log settings

4. Click Start assessment.

126/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

9.1.5. View Results


At this step, you will be presented the results of the environment readiness assessment, including:

l the list of current and required settings for each entity

l the list of issues (if any) that occurred during the assessment

1. Examine the report.

2. If some issues occurred due to the lack of access rights during the assessment, you can click Back and
modify the settings provided at the previous step.

3. If you need to save this report (for example, to get your manager's approval), click Export to PDF.

4. When ready, you can automatically adjust audit settings with the requirements — for that, click Apply
required settings.

127/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

5.

6. If you launched Audit Configuration Assistant from the Start menu (not from the monitoring plan
settings), enter the name of Active Directory domain you want to assess.

7. Enter credentials that will be used to access the audit setting of that domain. This account must be
included in the following groups:

l Domain Admins — to access audit policies and audit entries on the domain controllers

l Enterprise Admins — to configure audit entries for AD partitions

l Organization Management or Records Management (in Exchange organization) — to configure


admin audit log settings

8. Click Start assessment.

128/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

9.1.6. Complete the process


After you click Apply required settings, the utility will proceed with modifying your current audit settings.
Operation progress will be reported in the bottom of the window.

1. Wait for the process to complete.

2. Finally, review the results. Successfully applied settings will be reported with a green tick; those that
did not manage to apply — with the yellow warning sign and explanatory text.

3. You can click Start over to get to Step 1, fix the issues and perform the procedure again, or click
Finish.

9.2. Manage Users with Netwrix Auditor Inactive User


Tracker
Netwrix Auditor Inactive User Tracker standalone tool discovers inactive user and computer accounts. It
performs the following tasks:

l Checks the managed domain or specific organizational units by inquiring all domain controllers, and
sends reports to managers and system administrators listing all accounts that have been inactive for
the specified number of days.

l Automatically deactivates inactive accounts by settings a random password, disabling, deleting or


moving them to a specified organizational unit.

Review the following for additional information:

l To create monitoring plan to audit inactive users

l To review report on inactive users

To create monitoring plan to audit inactive users

1. Navigate to Start → Netwrix Auditor → Netwrix Auditor Inactive Users Tracker.

2. On the main page, you will be prompted to select a monitoring plan. Click Add to add a new
monitoring plan.

3. Configure basic parameters as follows:

Option Description

Enable inactive user tracking Select the checkbox to discover inactive users in your
Active Directory domain.

Audited domain Specify domain name in the FQDN format.

129/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

Send report to administrators Enable this option and specify one or several email
addresses for administrators to receive daily reports
with a list of inactive users . Use semicolon to
separate several addresses.

4. Navigate to the General tab and complete the following fields:

Option Description

Specify account which will be used to Enter the account which will be used for data
collect data: collection.

l User name For a full list of the rights and permissions this
account, and instructions on how to configure them,
l Password
refer to Netwrix Auditor Installation and
Configuration Guide.

Consider user inactive after Specify account inactivity period, after which a user is
considered to be inactive.

Customize the report template Click Edit to edit the notification template, for
example, modify the text of the message. You can
use HTML tags when editing a template.

Attach report as a CSV files Select this option to receive reports attached to
emails as CSV files.

5. Navigate to the Actions tab and complete the following fields:

Option Description

Notify manager after Specify account inactivity period, after which the
account owner's manager must be notified.

Set random password after Specify account inactivity period, after which a
random password will be set for this account.

Disable accounts after Specify account inactivity period, after which the
account will be disabled.

Move to a specific OU after l Specify account inactivity period, after which


the account will be moved to a specified
organizational unit.

l OU name—Specify OU name or select an

130/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

AD container using button.

Delete accounts after Specify account inactivity period, after which the
account will be removed.

Delete account with all its subnodes Select this checkbox to delete an account that is a
container for objects.

Notify managers only once If this checkbox is selected, managers receive one
notification on account inactivity and one on every
action on accounts.

Managers will receive a notification in the day when


the account inactivity time will be the same as
specified in the inactivity period settings.

By default, managers receive notifications every day


after the time interval of inactivity specified in the
Notify managers after entry field.

6. Navigate to the Advanced tab and complete the following fields:

Option Description

Filter by account name Specify one or several user account names (e.g.,
*John*). Use semicolon to separate several names.
Only user accounts that contain selected name will
be notified and included in the administrators and
managers reports.

Filter by organizational unit To audit inactive users that belong to certain


organizational units within your Active Directory
domain, select this option and click Select OUs . In
the dialog that opens, specify the OUs that you want
to audit. Only users belonging to these OUs will be
notified and included in the administrators and
managers reports.

Process user accounts Select this checkbox to audit user accounts.

Process computer accounts Select this checkbox to audit computer accounts.

7. Navigate to the Notifications tab and complete the following fields:

131/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

SMTP server Enter your SMTP server address. It can be your company's
Exchange server or any public mail server (e.g., Gmail, Yahoo).

Port number Specify your SMTP server port number.

Sender address Enter the address that will appear in the From field.

NOTE: It is recommended to click Verify . The system will send a


test message to the specified email address and inform you
if any problems are detected.

SMTP authentication Select this checkbox if your mail server requires the SMTP
authentication.

User name Enter a user name for the SMTP authentication.

Password Enter a password for the SMTP authentication.

Use Secure Sockets Layer Select this checkbox if your SMTP server requires SSL to be
encrypted connection (SSL) enabled.

Use implicit SSL connection Select this checkbox if the implicit SSL mode is used, which means
mode that an SSL connection is established before any meaningful data is
sent.

8. If you want to save your current configuration, click Save.

To review report on inactive users

1. Click Generate next to Generate report on inactive users to view report immediately.

132/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

9.3. Alert on Passwords with Netwrix Auditor


Password Expiration Notifier
Netwrix Auditor Password Expiration Notifier standalone tool checks which domain accounts or passwords
are about to expire in the specified number of days and sends notifications to users. It also generates
summary reports that can be delivered to system administrators and/or users' managers. Besides, Netwrix
Auditor Password Expiration Notifier allows checking the effects of a password policy change before
applying it to the managed domain.

Review the following for additional information:

l To configure password expiration alerting

l To review Password Expiration Report

To configure password expiration alerting

1. Navigate to Start → Netwrix Auditor → Netwrix Auditor Password Expiration Notifier.

2. On the main page, you will be prompted to select a monitoring plan. Click Add to add a new
monitoring plan.

3. Configure basic parameters as follows:

Option Description

Enable password expiration alerting Select the checkbox to discover expiring passwords
in your Active Directory domain.

Audited domain Specify domain name in the FQDN format.

Send report to administrators Enable this option and specify one or several email
addresses for administrators to receive daily reports
with a list of users whose accounts/passwords are
going to expire in the specified number of days. Use
semicolon to separate several addresses.

4. Navigate to the General tab and complete the following fields:

Option Description

Specify account which will be used to Enter the account which will be used for data
collect data: collection.

l User name For a full list of the rights and permissions this
account, and instructions on how to configure them,
l Password
refer to Netwrix Auditor Installation and

133/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

Configuration Guide.

Filter users by organizational unit To audit users for expiring accounts/passwords that
belong to certain organizational units within your
Active Directory domain, select this option and click
Select OUs. In the dialog that opens, specify the OUs
that you want to audit. Only users belonging to these
OUs will be notified and included in the
administrators and managers reports.

Filter users by group To audit users for expiring accounts/passwords that


belong to certain groups within your Active Directory
domain, select this option and click Select Groups.
In the dialog that opens, specify the groups that you
want to audit. Only users belonging to these groups
will be notified and included in the administrators
and managers reports.

Filter by account name Specify one or several user account names (e.g.,
*John*). Use semicolon to separate several names.
Only user accounts that contain selected name will
be notified and included in the administrators and
managers reports.

5. Navigate to the Actions tab and complete the following fields:

Option Description

Send report to the users’ managers Enable this option to deliver reports to the user’s
managers.

To review and edit the user's managers

1. Start Active Directory Users and Computers.

2. Navigate to each group where the user belongs


to, right-click it and select Properties.

3. In the <group> Properties dialog, select the


Managed By tab and review a manager.
Update it if necessary.

To edit a report template, click Customize. You can


use HTML tags when editing a template.

134/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

List users whose accounts or passwords Specify the expiration period for accounts and/or
expire in <> days or less passwords to be included in the administrators and
managers reports.

Only report on users with expiring Select this option to deliver reports on users with
accounts expiring accounts only and ignore users whose
passwords will be valid for a rather long time.

Notify users Select this option to notify users that their


passwords and/or accounts are about to expire.

Every day if password expires in <> days Select this option for users to be notified daily that
or less their passwords are going to expire, and specify the
number of days before the expiration date.

To edit a report template, click Customize . You can


use HTML tags when editing a template. In order to
send a test email, click Test and select an account.
Make sure this account has a password that expires
within the period you specifed next to this option.

First/Second/Last time when password Select this option for users to be notified three times,
expires in <> days and specify the number of days before the expiration
date for each of three notifications.

To edit a report template, click Customize . You can


use HTML tags when editing a template. In order to
send a test email, click Test and select an account.
Make sure this account has a password that expires
within the period you specifed next to this option.

Notify users by email every day if their Select this option for users to be notified daily that
accounts expire in <> days their account is going to expire, and specify the
number of days before the expiration date.

Notify users by text messages Select this option for users to receive text messages if
their passwords are about to expire. To edit
SMS Notifications template, click Customize.

l Every day if password expires in <> days or


less—Select this option for users to be notified
daily that their passwords are going to expire,
and specify the number of days before the
expiration date.

135/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

l First/Second/Last time when password


expires in <> days — Select this option for
users to be notified three times, and specify the
number of days before the expiration date for
each of three notifications.

l Provider name—Specify provider name.

l Property name — Specify the name of the


Active Directory User Property where the
recipient's phone number is stored. Pager is
the default property.

NOTE: If the Pager property of an AD User


contains a full email address, Provider
Name will be ignored.

In order to send a test email, click Test and select an


account. Make sure this account has a password that
expires within the period you specifed next to this
option.

6. Navigate to the Notifications tab and complete the following fields:

Option Description

SMTP server Enter your SMTP server address. It can be your company's
Exchange server or any public mail server (e.g., Gmail, Yahoo).

Port number Specify your SMTP server port number.

Sender address Enter the address that will appear in the From field.

NOTE: It is recommended to click Verify . The system will send a


test message to the specified email address and inform you
if any problems are detected.

SMTP authentication Select this checkbox if your mail server requires the SMTP
authentication.

User name Enter a user name for the SMTP authentication.

Password Enter a password for the SMTP authentication.

Use Secure Sockets Layer Select this checkbox if your SMTP server requires SSL to be

136/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

encrypted connection (SSL) enabled.

Use implicit SSL connection Select this checkbox if the implicit SSL mode is used, which means
mode that an SSL connection is established before any meaningful data is
sent.

Display the following From Enter the address that will appear in the " From " field in email
address in email notifications.
notifications
NOTE: This option does not affect notifications sent to users'
managers and administrators. Before configuring the
"From" field for user email notifications, make sure that your
Exchange supports this option.

7. Navigate to the Advanced tab and complete the following fields:

Option Description

Modify scheduled task start time The default start time of the scheduled task is 3.00
AM every day. Click Modify to configure custom
schedule.

Customize the report template Click Customize to edit the notification template, for
example, modify the text of the message. You can
use HTML tags when editing a template.

Attach reports as a CSV files Select this option to receive reports attached to
emails as CSV files.

Ignore users who must change password Select this option to exclude users who must change
at next logon password at next logon from reports.

Ignore users with the " Password never Select this option to exclude users with the
expires" option enabled " Password never expires " option enabled from
reports.

Ignore users who do not have email Select this option to exclude users who do not have
accounts email accounts from reports.

Ignore users whose passwords have Select this option to exclude users whose passwords
already expired have already expired from reports.

Include data on expiring accounts Select this option to include data on expiring domain
accounts further to expiring passwords information.

137/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

Only report on users with fine- grained Select this option to include in reports only users
password policies applied who have fine-grained policies applied.

8. If you want to save your current configuration, click Save.

To review Password Expiration Report

Click Generate next to Generate report on users with expired account or passwords to view report
on users passwords immediately. In the Maximum Password Age Setting dialog that opens, select
domain policy settings or specify the maximum password age in days.

9.4. Monitor Events with Netwrix Auditor Event Log


Manager
Netwrix Auditor Event Log Manager standalone tool consolidates and archives event log data, and allows
setting up alerts on critical events including unauthorized access to mailbox in your Exchange organization
and events generated by Netwrix Auditor.

Review the following for additional information:

l Create Monitoring Plans for Event Logs

l Configure Audit Archiving Filters for Event Log

l Create Alerts for Event Log

l Create Monitoring Plan for Netwrix Auditor System Health Log

l Create Alerts for Non-Owner Mailbox Access Events

l Review Past Event Log Entries

l Import Audit Data with the Database Importer

138/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

9.4.1. Create Monitoring Plans for Event Logs


Review the following for additional information:

l To configure monitoring plan for event logs

l To review the Event Log Collection Status email

To configure monitoring plan for event logs

1. Navigate to Start → Netwrix Auditor → Netwrix AuditorEvent Log Manager.

2. On the main page, you will be prompted to select a monitoring plan. Click Add to add new plan.

Configure basic parameters as follows:

l Enable event log collection—Select the checkbox to start monitoring event logs.

l Monitoring plan—Enter a name for a new list of monitored computers.

l Notification recipients—Specify one or several email addresses for users to receive daily Event
Log collection status notifications. Use semicolon to separate several addresses.

l Monitored computers—Select items that you want to audit. You can add several items to your
monitoring plan. Click Add and complete the following:

Option Description

Computer name Allows specifying a single computer by entering its


FQDN, NETBIOS or IP address. You can click Browse
to select a computer from the list of computers in
your network.

Active Directory container Allows specifying a whole AD container. Click


Browse to select from the list of containers in your
network. You can also:

l Select a particular computer type to be


monitored within the chosen AD container:
Domain controllers, Servers (excluding
domain controllers), or Workstations.

l Click Exclude to specify domains, OUs, and


containers you do not want to audit.

NOTE: The list of containers does not include child


domains of trusted domains. Use other
options (Computer name, IP address
range , or Import computer names from

139/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

a file) to specify the target computers.

IP address range / Computers within Allows specifying an IP range for the audited
an IP range computers.

To exclude computers from within the specified


range, click Exclude . Enter the IP range you want to
exclude, and click Add.

NOTE: You can specify multiple computer names by importing a list from a .txt file (one computer
name/IP address per line is accepted). Click Import and select a .txt file. You can choose
whether to import the list once, or to update it on every data collection.

3. Navigate to the General tab and configure the following:

Option Description

User name Enter the account that will be used by Netwrix Auditor Event Log
Manager for data collection. For a full list of the rights and permissions
Password
required for the account, and instructions on how to configure them,
refer to Netwrix Auditor Installation and Configuration Guide.

Audit archiving filters Define what events will be saved to the Long-Term Archive or the
Audit Database. Refer to Configure Audit Archiving Filters for Event
Log for detailed instructions on how to configure audit archiving
filters.

Alerts Configure alerts that will be triggered by specific events. Refer to


Create Alerts for Event Log for detailed instructions on how to
configure Netwrix Auditor Event Log Manager alerts.

4. Navigate to the Notifications tab and complete the following fields:

Option Description

SMTP server Enter your SMTP server address. It can be your company's
Exchange server or any public mail server (e.g., Gmail, Yahoo).

Port number Specify your SMTP server port number.

Sender address Enter the address that will appear in the From field.

NOTE: It is recommended to click Verify . The system will send a


test message to the specified email address and inform you

140/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

if any problems are detected.

SMTP authentication Select this checkbox if your mail server requires the SMTP
authentication.

User name Enter a user name for the SMTP authentication.

Password Enter a password for the SMTP authentication.

Use Secure Sockets Layer Select this checkbox if your SMTP server requires SSL to be
encrypted connection (SSL) enabled.

Use implicit SSL connection Select this checkbox if the implicit SSL mode is used, which means
mode that an SSL connection is established before any meaningful data is
sent.

5. Navigate to the Audit Database tab to configure Audit Database and review SQL Server settings.
Netwrix Auditor Event Log Manager synchronizes Audit Database and reports settings with the
default Audit Database configuration from Netwrix Auditor Server. If this option is disabled, contact
your Netwrix Auditor Global administrator and make sure that these settings are properly configured
in Netwrix Auditor Server. Refer to Audit Database for detailed instructions on how to configure the
Audit Database settings.

Complete the following fields:

Option Description

Write data to Audit Select if you want to generate reports. Even if you do not select this
Database and enable checkbox now, you will still be able to configure these settings later,
reports but already collected audit data will not be imported in the Audit
Database.

Write event descriptions Select if you want to see the exact error or warning text.
to Audit Database

Store events for... days Specify the Audit Database retention period.

NOTE: This setting affects all monitoring plans. The minimum value
specified across the plans will be applied. When configuring,
mind that your data will be deleted automatically when its
retention period is over.

NOTE: You cannot edit SQL Server settings for Netwrix Auditor Event Log Manager.

6. Navigate to the Advanced tab and configure the following:

141/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

Enable network traffic If enabled, a Compression Service will be automatically launched on


compression the audited computer, collecting and prefiltering data. This
significantly improves data transfer and minimizes the impact on the
target computer performance.

Specify notification Modify the Event Log collection status email delivery schedule.
delivery time

To review the Event Log Collection Status email

The Event Log Collection Status email shows whether data collection for your monitoring plan completed
successfully or with warnings and errors.

9.4.2. Configure Audit Archiving Filters for Event Log


Audit archiving filters define what events will be saved to the Long-Term Archive or the Audit Database, and
provide more granular reporting. For example, if you are going to audit Internet Information Services (IIS)
or track health status of the product, enable the Internet Information Services Events or Netwrix
Auditor System Health filter respectively. You can also skip certain events with exclusive filters (e.g.,
computer logons). You can enable or disable, and modify existing filters, and create new filters. To do it,
click Configure next to Audit archiving filters.

The product allows creating inclusive and exclusive audit archiving filters.

To configure audit archiving filters, perform the following:

142/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

l To create or modify an audit archiving filter, see To create or edit an audit archiving filter.

l To collect events required to generate a specific report, you must select a filter which name coincides
with this report’s name. Click Enable and select Filters for Reports. All filters required to store events
for all available reports will be selected automatically.

To create or edit an audit archiving filter

1. On the Audit archiving filters page, click Add or select a filter and click Edit.

2. Complete the fields. Review the following for additional information:

Option Description

The Event tab

Name Specify the filter name.

Description Enter the description for this filter (optional).

Event Log Select an event log from the drop-down list. You will be alerted on
events from this event log. You can also input a different event log.

To find out a log’s name, navigate to Start → Windows


Administrative Tools (Windows Server 2016) or Administrative
Tools (Windows 2012 R2 and below) → Event Viewer →
Applications and Services Logs → Microsoft → Windows and
expand the required <Log_Name> node, right-click the file under it
and select Properties . Find the event log’s name in the Full Name
field.

Netwrix Auditor Event Log Manager does not collect the Analytic and
Debug logs, so you cannot configure alerts for these logs.

NOTE: You can use a wildcard (*). For inclusive filters: all Windows logs
except for the ones mentioned above will be saved. For
exclusive: all Windows logs events will be excluded.

Write to/Don't write to Select the location to write/not to write events to, depending on the
filter type (inclusive or exclusive).

NOTE: It is recommended to write events both to the Long- Term


Archive and to the Audit Database, because if your database is
corrupted, you will be able to import the necessary data from
the Long- Term Archive using the DB Importer tool. See
Import Audit Data with the Database Importer for more
information.

143/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

The Event Fields tab

Event ID Enter the identifier of a specific event that you want to be save. You
can add several IDs separated by comma.

Event Level Select the event types that you want to be save. If the Event Level
check box is cleared, all event types will be saved.

NOTE: If you want to select the inclusive Success Audit/Failure


Audit filters, note that on these platforms these events belong
to the “Information” level, so they will not be collected if you
select the Information checkbox in the Exclusive Filters.

Computer Specify a computer (as it is displayed in the Computer field in the


event properties). Only events from this computer will be saved.

NOTE: If you want to specify several computers, you can define a


case-sensitive mask for this parameter. Below is an example of
a mask:

l * - any machine

l computer – a machine named ‘computer’

l *computer* - machines with names like ‘xXxcomputerxXx’ or


‘newcomputer’

l computer? – machines with names like ‘computer1’ or


‘computerV’

l co?puter - machines with names like ‘computer’ or ‘coXputer’

l ????? – any machine with a 5-character name

l ???* - any machine with a 3-character name or longer

User Enter a user’s name. Only events created by this user will be saved.

NOTE: If you need to specify several users, you can define a mask for
this parameter in the same way as described above.

Source Specify this parameter if you want to save events from a specific
source. Input the event source as it is displayed in the Source field in
the event properties.

NOTE: If you need to specify several sources, you can define a mask
for this parameter in the same way as described above.

144/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

Category Specify this parameter if you want to save a specific events category.

The Insertion Strings tab

Consider the following Specify this parameter if you want to store events containing a specific
event Insertion Strings string in the EventData. You can use a wildcard (*). Click Add and
specify Insertion String.

9.4.3. Create Monitoring Plan for Netwrix Auditor System


Health Log
If you want to generate reports on health state and to be alerted on important Netwrix Auditor health
events, you need to create a dedicated monitoring plan for this log with Netwrix Auditor Event Log
Manager standalone tool.

NOTE: You can also review and filter Netwrix Auditor health events right in the product. See Netwrix
Auditor System Health Log for more information.

To configure the Netwrix Auditor System Health log monitoring

NOTE: The procedure below describes the basic steps, required for creation of the monitoring plan that will
be used to collect data on Netwrix Auditor health status events. See Create Monitoring Plans for
Event Logs for more information.

1. Start Netwrix Auditor Event Log Manager and create the new monitoring plan.

2. Make sure that the Enable event log collection checkbox is selected. Specify the name for the new
monitoring plan, for example, "Netwrix Auditor Health Status".

3. Navigate to the Monitored computers list and add a server where the Netwrix Auditor Server
resides.

NOTE: Navigate to the Audit Database tab and select Write event descriptions to Audit
Database if you want to see the exact error or warning text. Make sure that Audit Database
settings are configured properly. See Audit Database for more information.

4. Click Configure next to Audit archiving filters and select the Netwrix Auditor System Health Log
filter in the Inclusive Filters list.

9.4.4. Create Alerts for Event Log


Alerts are configurable notifications triggered by certain events and sent to the specified recipients. You can
enable or disable, and modify existing alerts, and create new alerts. To do it, click Configure next to Alerts.

145/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

To create new alert

1. In the Alerts window, click Add to start new alert.

2. On the Alert Properties step, specify the alert name and enter alert description (optional). Specify
the number alerts per email. Grouped alerts for different computers will be delivered in separate
email messages. This value is set to 1 by default, which means that each alert will be delivered as a
separate email message.

3. On the Notifications step, configure email notifications and customize the notification template, if
needed. Click Edit next to Customize notifications template . Edit the template by deleting or
inserting information fields.

NOTE: The %ManagedObjectName% variable will be replaced with your monitoring plan name.

4. On the Event filters step, specify an event that will trigger the alert.

Complete the Event Filters wizard. Complete the following fields:

l In the Event tab:

Option Description

Name Specify the filter name.

Description Enter the description for this filter (optional).

Event Log Select an event log from the drop-down list. You will be alerted
on events from this event log. You can also input a different
event log.

To find out a log’s name, navigate to Start → Windows


Administrative Tools (Windows Server 2016) or
Administrative Tools (Windows 2012 R2 and below) → Event
Viewer → Applications and Services Logs → Microsoft →
Windows and expand the required Log_Name node, right-click
the file under it and select Properties. Find the event log’s name
in the Full Name field.

Netwrix Auditor does not collect the Analytic and Debug logs,
so you cannot configure alerts for these logs.

NOTE: You can use a wildcard (*). In this case you will be alerted
on events from all Windows logs except for the ones
mentioned above.

l In the Event Fields tab:

146/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

Event ID Enter the identifier of a specific event that you want to be


alerted on. You can add several IDs separated by comma.

Event Level Select the event types that you want to be alerted on. If the
Event Level checkbox is cleared, you will be alerted on all event
types of the specified log.

Computer Specify a computer. You will only be alerted on events from this
computer.

NOTE: If you want to specify several computers, you can define


a mask for this parameter. Below is an example of a
mask:

l * - any machine

l computer – a machine named ‘computer’

l *computer* - machines with names like ‘xXxcomputerxXx’


or ‘newcomputer’

l computer? – machines with names like ‘computer1’ or


‘computerV’

l co?puter - machines with names like ‘computer’ or


‘coXputer’

l ????? – any machine with a 5-character name

l ???* - any machine with a 3-character name or longer

User Enter a user’s name. You will be alerted only on the events
generated under this account.

NOTE: If you need to specify several users, you can define a


mask for this parameter in the same way as described
above.

Source Specify this parameter if you want to be alerted on the events


from a specific source.

NOTE: If you need to specify several users, you can define a


mask for this parameter in the same way as described
above.

Category Specify this parameter if you want to be alerted on a specific


event category.

147/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

l In the Insertion Strings tab:

Option Description

Consider the following event Insertion Specify this parameter if you want to receive alerts
Strings on events containing a specific string in the
EventData. You can use a wildcard (*). Click Add and
specify Insertion String.

5. Click OK to save the changes and close the Event Filters dialog.

9.4.5. Create Alerts on Netwrix Auditor Server Health


Status
You can configure alerts to be triggered by important events in the Netwrix Auditor System Health log.

To create alerts to be notified on Netwrix Auditor Health Status

NOTE: The procedure below describes the basic steps, required for creation of the monitoring plan that will
be used to collect data on Netwrix Auditor health status events. See Create Monitoring Plans for
Event Logs for more information.

148/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

1. Start Netwrix Auditor Event Log Manager and create the new monitoring plan.

2. Make sure that the Enable event log collection checkbox is selected. Specify the name for the new
plan, for example, "Netwrix Auditor Health Status".

3. Navigate to the Monitored computers list and add a server where the Netwrix Auditor Server
resides.

4. On the General tab, click Configure next to Alerts. Make sure the predefined alerts are disabled.
Click Add to create anew alert.

5. In the Alert Properties wizard, specify the alert name and enter alert description (optional). Specify
the number alerts per email. Grouped alerts for different computers will be delivered in separate
email messages. This value is set to 1 by default, which means that each alert will be delivered as a
separate email message.

NOTE: Specify alert recipient if you want the alert to be delivered to a non-default email.

6. Navigate to Event Filters and click Add to specify an event that will trigger the alert.

7. Complete the Event Filter dialog.

l In the Event tab, specify the filter name and description. In the Event Log field select the
Netwrix Auditor log.

l In the Event Fields tab, select event levels that will trigger the alert.

Click OK to save the changes and close the Event Filters dialog.

8. In the Netwrix Auditor Event Log Manager wizard, navigate to Notifications section and specify
the email address where notifications will be delivered.

NOTE: It is recommended to click Verify. The system will send a test message to the specified email
address and inform you if any problems are detected.

9. In the Audit Archiving filters, select the Netwrix Auditor System Health as the inclusive filter.

10. Click Save to save your changes. If an event occurs that triggers an alert, an email notification will be
sent immediately to the specified recipients.

149/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

9.4.6. Create Alerts for Non-Owner Mailbox Access Events


If you have a monitoring plan configured to audit Exchange, you can configure alerts to be triggered by
non-owner mailbox access events (e.g., opening a message folder, opening/modifying/deleting a message)
using the event log alerts. To enable monitoring of non-owner mailbox access events, you need to create a
monitoring plan for auditing event logs.

Review the following for additional information:

l To create alerts for non-owner mailbox access events

l To review event description

To create alerts for non-owner mailbox access events

150/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

NOTE: The procedure below describes the basic steps, required for creation of a monitoring plan that will
be used to collect data on non-owner mailbox access events. See Create Monitoring Plans for Event
Logs for more information.

1. Create a monitoring plan in Netwrix Auditor Event Log Manager.

2. Make sure that the Enable event log collection checkbox is selected. Specify the name for the new
plan, for example, "Non-owner mailbox access auditing".

3. Navigate to the Monitored computers list and add a server where your Exchange organization
resides.

4. On the General tab, click Configure next to Alerts. Make sure the predefined alerts are disabled.
Click Add to create an alert for non-owner mailbox access event.

5. In the Alert Properties wizard, specify the alert name and enter alert description (optional). Specify
the number alerts per email. Grouped alerts for different computers will be delivered in separate
email messages. This value is set to 1 by default, which means that each alert will be delivered as a
separate email message.

NOTE: Specify alert recipient if you want the alert to be delivered to a non-default email.

6. Navigate to Event Filters and click Add to specify an event that will trigger the alert.

7. Complete the Event Filter dialog.

l In the Event tab, specify the filter name and description. In the Event Log field enter "Netwrix
Non-Owner Mailbox Access Agent".

l In the Event Fields tab, complete the following fields:

l Event ID—Enter the identifier of a specific event that you want to be alerted on. You can
add several IDs separated by comma. Review the event IDs available in the Netwrix Non-
Owner Mailbox Access Agent event log:

ID Description Access Type (as displayed in XML


view of event details)

1 A folder was opened actFolderOpen

2 A message was opened actMessageOpened

3 A message was sent actMessageSubmit

4 A message was changed and saved actChangedMessageSaved

5 A message was deleted actMessageDeleted

151/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

ID Description Access Type (as displayed in XML


view of event details)

6 A folder was deleted actFolderDeleted

7 The entire contents of a folder was actAllFolderContentsDeleted


deleted

8 A message was created and saved actMessageCreatedAndSaved

9 A message was moved or/and copied actMessageMoveCopy

10 A folder was moved or/and copied actFolderMoveCopy

14 A folder was created actFolderCreated

See To review event description for more information.

l Source—Enter "Netwrix Non-Owner Mailbox Access Agent".

l In the Insertion Strings tab, select Consider the following event Insertion Strings to receive
alerts on events containing a specific string in the EventData. Click Add and specify Insertion
String.

Click OK to save the changes and close the Event Filters dialog.

8. In the Netwrix Auditor Event Log Manager wizard, navigate to Notifications section and specify
the email address where notifications will be delivered.

NOTE: It is recommended to click Verify. The system will send a test message to the specified email
address and inform you if any problems are detected.

9. Click Edit next to Audit Archiving Filters step, in the Inclusive Filters section clear the filters you do
not need, click Add and specify the following information:

l The filter name and description (e.g., Non-owner mailbox access event)

l In Event Log, enter "Netwrix Non-Owner Mailbox Access Agent".

l In Write to, select Long-Term Archive. The events will be saved into the local repository.

10. Click Save to save your changes. If an event occurs that triggers an alert, an email notification will be
sent immediately to the specified recipients.

To review event description

Review the example of the MessageOpened event in the XML view:

152/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Depending on the event, the strings in the description may vary. The first eight strings are common for all
events:

String Description

String1 The event type: info or warning

String2 The event date and time in the following format: YYYY_MM_DD_hh_mm_ss_000

String3 The name of the user accessing mailbox

String4 The SID of the user accessing mailbox

String5 The GUID of the mailbox being accessed

String6 Shows whether the user accessing mailbox is the owner: it is always false

String7 The IP of the computer accessing the mailbox

String8 The access type

The following strings depend on the non-owner access type, represented by different Event IDs:

Event ID Access type (String 8) Strings Description

1 actFolderOpen String9 The internal folder URL

153/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Event ID Access type (String 8) Strings Description

2 actMessageOpened String9 The internal message URL

String10 The message subject

String11 The message type: IPM.Note— Email,


IPM.Contact – contact, etc.

3 actMessageSubmit String9 The internal message URL

String10 The message subject

String11 Email addresses of the message recipients,


separated by a semicolon

String12 The message type: IPM.Note— Email,


IPM.Contact – contact, etc.

4 actChangedMessageSaved String9 The internal message URL

String10 The message subject

String11 The message type: IPM.Note – Email,


IPM.Contact – contact, etc.

5 actMessageDeleted String9 The internal message URL

String10 The message subject

String11 The message type: IPM.Note— Email,


IPM.Contact – contact, etc.

6 actFolderDeleted String9 The internal folder URL

7 actAllFolderContentsDeleted String9 The internal folder URL

8 actMessageCreatedAndSaved String9 The internal message URL

9 actMessageMoveCopy String9 The message being moved/copied— the


final part of the message URL, e.g.,
/Inbox/testMessage.EML

String10 The action – copy or move

String11 The folder URL the message is


copied/moved from

154/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Event ID Access type (String 8) Strings Description

String12 The destination folder URL

String13 The message type: IPM.Note— Email,


IPM.Contact – contact, etc.

10 actFolderMoveCopy Strings 9 -13 The string descriptions for the folder are
similar to those for messages.

14 actFolderCreated String9 The new folder URL

NOTE: With different Exchange versions and/or different email clients, the same non-owner action (e.g.,
copying a message) may generate different events: e.g., actMessageMoveCopy with one
server/client or actMessageCreatedAndSaved with another.

You can add the required strings contained in % symbols for your own custom alert separated by a <br>
tag in <b>Event Parameters:</b>. Event parameter descriptions can also be added.

In the example below, the following information has been added:

l The description for String 3—User accessing mailbox

l String 8 with the description

l String 9 with the description

155/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

9.4.7. Review Past Event Log Entries


Netwrix Auditor Event Log Manager collects event log entries and stores them to the Audit Archive. To
review past events, do the following:

1. On the main Netwrix Auditor Event Log Manager page, click View next to View collected events.

2. In the Netwrix Auditor Event Viewer window, complete the following to narrow results:

Option Description

Monitoring plan Select the monitoring plan that audits desired event log
entries.

Computer If you have several items in the monitoring plan, adjust a


computer.

Event log Select event log that contains desired entries.

From... To... Specify the time range for which you want to retrieve
past audit data.

9.4.8. Import Audit Data with the Database Importer


1. On the main Netwrix Auditor Event Log Manager page, click Import Data.

2. Select a monitoring plan and the time range for which you want to import data.

3. Click Import.

9.5. Roll Back Changes with Netwrix Auditor Object


Restore for Active Directory
With Netwrix Auditor you can quickly restore deleted and modified objects using the Netwrix Auditor
Object Restore for Active Directory tool shipped with the product. This tool enables AD object restore
without rebooting a domain controller and affecting the rest of the AD structure, and goes beyond the
standard tombstone capabilities. Perform the following procedures:

l Modify Schema Container Settings

l Roll Back Unwanted Changes

9.5.1. Modify Schema Container Settings


By default, when a user or computer account is deleted from Active Directory, its password is discarded as
well as a domain membership. When you restore deleted accounts with the Netwrix Auditor Object

156/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Restore for Active Directory tool, it rolls back a membership in domain and sets random passwords
which then have to be changed manually. If you want to be able to restore AD objects with their passwords
preserved, you must modify the Schema container settings so that account passwords are retained when
accounts are being deleted.

To modify schema container settings

NOTE: To perform this procedure, you will need the ADSI Edit utility. In Windows Server 2008 and above,
this component is installed together with the AD DS role, or it can be downloaded and installed
along with Remote Server Administration Tools.

1. Navigate to Start → Windows Administrative Tools (Windows Server 2016) or Administrative


Tools (Windows 2012 R2 and below) → ADSI Edit.

2. Right-click the ADSI Edit node and select Connect To. In the Connection Settings dialog, enable
Select a well-known Naming Context and select Schema from the drop-down list.

3. Expand the Schema your_Root_Domain_name node. Right-click the CN=Unicode-Pwd attribute


and select Properties.

157/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

4. Double-click the searchFlags attribute and set its value to "8".

Now you will be able to restore deleted accounts with their passwords preserved.

9.5.2. Roll Back Unwanted Changes


1. Navigate to Start → Netwrix Auditor → Netwrix Auditor Object Restore for Active Directory.

2. On the Select Rollback Period step, specify the period of time when the changes that you want to
revert occurred. You can either select a period between a specified date and the present date, or
between two specified dates.

3. On the Select Rollback Source step, specify the rollback source. The following restore options are
available:

l State-in-time snapshots—This option allows restoring objects from configuration snapshots


made by Netwrix Auditor. This option is more preferable since it allows to restore AD objects
with all their attributes.

Complete the following fields:

Option Description

Audited domain Select a domain where changes that you want to rollback
occurred.

158/211
Netwrix Auditor Administration Guide

9. Address Specific Tasks with Netwrix Auditor Tools

Option Description

Select a state- in- time Select if you want to revert to a specific snapshot. Otherwise, the
snapshot program will automatically search for the most recent snapshot
that will cover the selected time period.

l Active Directory tombstones —This option is recommended when no snapshot is available.


This is a last resort measure as the tombstone holds only the basic object attributes.

4. On the Analyzing Changes step, the product analyzes the changes made during the specified time
period. When reverting to a snapshot, the tool reviews the changes that occurred between the
specified snapshots. When restoring from a tombstone, the tool reviews all AD objects put in the
tombstone during the specified period of time.

5. On the Rollback Results step, the analysis results are displayed. Select a change to see its rollback
details in the bottom of the window. Select an attribute and click Details to see what changes will be
applied if this attribute is selected for rollback. Check the changes you want to roll back to their
previous state.

6. Wait until the tool has finished restoring the selected objects. On the last step, review the results and
click Finish to exit the wizard.

159/211
Netwrix Auditor Administration Guide

10. Additional Configuration

10. Additional Configuration


This chapter provides instructions on how to fine–tune Netwrix Auditor using the additional configuration
options. Review the following for additional information:

l Exclude Objects From Auditing Scope

l Fine–tune Netwrix Auditor Using Registry Keys

l Automate Sign-in to Netwrix Auditor Client

l Customize Branding

10.1. Exclude Objects from Monitoring Scope


You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the monitoring scope.
This can be helpful if you want to reduce time required for the data collection, reduce the disk space,
required to store the collected data and customize your reports and data searches.

To exclude data from the monitoring scope, perform the following procedures:

l Exclude Data from Active Directory Monitoring Scope

l Exclude Data from Azure AD Monitoring Scope

l Exclude Data from Exchange Monitoring Scope

l Exclude Data from Exchange Online Monitoring Scope

l Exclude Data from File Servers Monitoring Scope

l Exclude Oracle Database Users from Monitoring Scope

l Exclude Data from SharePoint Monitoring Scope

l Exclude Data from SharePoint Online Monitoring Scope

l Exclude Data from SQL Server Monitoring Scope

l Exclude Data from VMware Monitoring Scope

l Exclude Data from Windows Server Monitoring Scope

l Exclude Data from Event Log Monitoring Scope

l Exclude Data from Group Policy Monitoring Scope

l Exclude Data from Inactive Users Monitoring Scope

l Exclude Data from Logon Activity Monitoring Scope

l Exclude Data from Password Expiration Monitoring Scope

160/211
Netwrix Auditor Administration Guide

10. Additional Configuration

10.1.1. Exclude Data from Active Directory Monitoring


Scope
You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Active Directory
monitoring scope.

To exclude data from the Active Directory monitoring scope

1. Navigate to the %Netwrix Auditor installation folder%\Active Directory Auditing folder.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l A wildcard (*) is supported. For example, you can use * for a class name to specify an attribute
for all classes.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

addprops.txt Contains a list of properties Object type:property:


that should be included for
For example, to show a group
newly created AD objects.
description on this group’s creation, add
When a new object is added, the following line:
Netwrix Auditor does not group:description:
show any data in the Details
column in the Activity
Summary emails. If you want
to see the information on
certain attributes of a newly
created object, specify these
attributes in this file.

allowedpathlist.txt Contains a list of AD paths to Path


be included in Activity
Summaries, reports, and NOTE: The path must be provided in
search results. the same format as it is
displayed in the What column.

For example, if you only want to


monitor specific OU(s)

in the AD domain, but not the entire


domain. You can put a wildcard (*) in
theomitpathlist.txt file to exclude all
paths, and then specify the OU(s) you
want to monitor in the

161/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

allowedpathlist.txt file.

NOTE: Adding the widlcard (*) to


omitpathlist.txt will not allow
Netwrix Auditor to run AD state-
in-time data collection.

omitallowedpathlist.txt Contains a list of AD paths to Path


be excluded from Activity
Summaries, reports, and NOTE: The path must be provided in
search results. the same format as it is
displayed in the What column.
This file can be used if you
want to exclude certain paths For example, you can put a wildcard (*)
inside those specified in the in the omitpathlist.txt file to exclude all
allowedpathlist.txt file. paths, then specify the OU(s) you want
to monitor in the allowedpathlist.txt file,
and then specify the paths you want to
exclude from within them in the
omitallowedpathlist.txt file.

NOTE: Adding the widlcard (*) to


omitpathlist.txt will not allow
Netwrix Auditor to run AD state-
in-time data collection.

omitobjlist.txt Contains a list of object types Object type


to be excluded from Activity
For example, to omit changes to the
Summaries, reports, and
printQueue object, add the following
search results.
line: printQueue.

omitpathlist.txt Contains a list of AD paths to Path


be excluded from Activity
Summaries, reports, and NOTE: The path must be provided in
search results. the same format as it is
displayed in the What column.

For example, to exclude changes to the


Service Desk OU, add the following line:
*\Service Desk\*.

omitproplist.txt Contains a list of object types object_type.property_name


and properties to be excluded
from Activity Summaries, NOTE: If there is no separator (.)

162/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

reports, and search results. between an object type and a


property, the whole entry is
treated as an object type.

For example to exclude the


adminCount property from reports,
add the following line: *.adminCount.

omitreporterrors.txt Contains a list of errors to be Error message text


excluded from Netwrix Health
For example, if you have advanced audit
Log. Thus, these errors will not
settings applied to your domain
appear in the Activity
controllers policy, the following error will
Summary emails.
be returned in the Activity Summary
emails:
Auditing of Directory Service
Access is not enabled for this
DC. Adjust the audit policy
settings using the Active
Directory Audit Configuration
Wizard or see the product
documentation for more
information.

Add the text of this error message to


this file to stop getting it in the Activity
Summary emails.

omitsnapshotpathlist.txt Contains a list of AD paths to Path


be excluded from AD
snapshots. NOTE: The path must be provided in
the same format as it is
displayed in the What column.

For example, to exclude data on the


Disabled Accounts OU from the
Snapshot report, add the following line:
*\Disabled Accounts*.

omitstorelist.txt Contains a list of object types object_type.property_name


and properties to be excluded
from AD snapshots. NOTE: If there is no separator (.)
between an object type and a
property, the whole entry is
treated as an object type.

163/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

For example to exclude data on the AD


adminDescription property, add the
following line: *.adminDescription.

omituserlist.txt Contains a list of users you domain\username


want to exclude from search
For example, *\administrator.
results, reports and Activity
Summaries.

propnames.txt Contains a list of human- classname.attrname=


readable names for object intelligiblename
types and properties to be For example, if you want the
displayed in Activity adminDescription property to be
Summaries, reports, and displayed in the reports as Admin
search results.
Screen Description, add the following
line: *.adminDesciption=Admin
Screen Description

10.1.2. Exclude Data from Azure AD Monitoring Scope


You can fine- tune Netwrix Auditor by specifying data that you want to exclude from the Azure
AD monitoring scope or modify the way it will be displayed.

To exclude data from the Azure AD monitoring scope

1. Navigate to the %Netwrix Auditor installation folder%\Azure AD Auditing folder.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l A wildcard (*) is supported.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

omituserlist.txt Contains a list of users you want to [email protected]


exclude from Azure AD search
results, reports and Activity
Summaries.

adomiteventuserlist.txt Contains a list of users whose user [email protected]


names you want to exclude from
Azure AD search results, reports and

164/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

Activity Summaries. The rest of


change details (action, object type,
etc.) will be reported, but the Who
value will be "system".

exomiteventuserlist.txt Contains a list of Exchange whose [email protected]


user names you want to exclude
from Azure AD search results,
reports and Activity Summaries. The
rest of change details (action, object
type, etc.) will be reported, but the
Who value will be "system".

NOTE: This list omits changes made


by users through Exchange
admin center.

maapioperationtypes.txt Contains an overall list of object operation = object type


types that will be displayed in For example:
search results, reports, and Activity
add owner to group = Group
Summaries for each particular
operation.

By default, the list contains mapping


for the most frequent operations
(e.g., add user, update policy,
remove member). The rest will be
reported with “Azure AD object”
object type.

omitproplist.txt Contains a list of object classes and classname.attrname


attributes to be excluded from
Azure AD search results, reports and NOTE: If there is no full stop, the
Activity Summaries. entire line is considered a
class name.

propnames.txt Contains a list of human- readable object=friendlyname


names for object types and object.property=friendlyname
attributes to be displayed in search
For example:
results, reports, and Activity
Summaries. *.PasswordChanged = Password
Changed

proptypes.txt Defines how values will be displayed For example:


in the Details columns in Azure AD

165/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

search results, reports, and Activity *.Role.DisplayName =


MultiValued
Summaries.

10.1.3. Exclude Data from Exchange Monitoring Scope


You can fine- tune Netwrix Auditor by specifying data that you want to exclude from the Exchange
monitoring scope. In addition, you can exclude data from non-owner access auditing.

l To exclude data from Exchange monitoring scope

l To exclude users or mailboxes from the Mailbox Access monitoring scope

To exclude data from Exchange monitoring scope

1. Navigate to the %Netwrix Auditor installation folder%\Active Directory Auditing folder.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l A wildcard (*) is supported. For example, you can use * for a class name to specify an attribute
for all classes.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

aal_omitlist.txt For Exchange 2010 and cmdlet.attrname


above, the file contains a list
For example:
of changes performed by
cmdlets. To exclude a Set-User
change from reports, Set-ContactSet-Group
specify name of a cmdlet
#Update-AddressList
and the attribute that is
changed by the selected Add- ADPermissionRemove-
cmdlet. ADPermission
#RBAC:
*-MailboxAuditLogSearch
*-AdminAuditLogSearch

aal_propnames.txt For Exchange 2010 and classname.attrname=


above, the file contains a list intelligiblename
of human- readable names For example:
of changed attributes to be
*- OutlookAnywhere.SSLOffloading
displayed in change reports.
= Allow secure channel (SSL)

166/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

To exclude a change from offloading


the reports, specify name of
a cmdlet and the attribute
that is changed by the
selected cmdlet.

omitobjlist_ecr.txt Contains a list of human- Classname


readable names of object
For example:
classes to be excluded from
change reports. exchangeAdminService
msExchMessageDeliveryConfig
Exchange_DSAccessDC

omitpathlist_ecr.txt Contains a list of AD paths Path


to be excluded from change
For example:
reports.
*\Microsoft Exchange System
Objects\SystemMailbox*

omitproplist_ecr.txt Contains a list of object object_type.property_name


types and properties to be
excluded from change NOTE: If there is no separator (.) between
reports. an object type and a property, the
whole entry is treated as an object
type.

For example:
msExchSystemMailbox.*
*.msExchEdgeSyncCredential
*.msExchMailboxMoveTargetMDBLink
*.adminDescription

omitreporterrors_ecr.txt Contains a list of errors to Error message text


be excluded from Activity
For example, to omit the error “The HTTP
Summaries.
service used by Public Folders is not
available, possible causes are that Public
stores are not mounted and the
Information Store service is not running. ID
no: c1030af3”, add *c1030af3* to the file.

omitexchangeserverlist.txt Defines Exchange 2010 and FQDN_server_name


above servers to be
For example:

167/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

excluded from data mailserver01.ent.local


collection.

Specify Exchange servers Syntax: host name or FQDN of Exchange


that you want to exclude server
from data collection and
Each entry must be a separate line.
reporting
Wildcards (*) can be used to replace any
number of characters. Use them to exclude
multiple servers. # # For example: #
exchangesrv01 # *.domain

omitstorelist_ecr.txt Contains a list of classes object_type.property_name


and attributes names to be
excluded from Exchange NOTE: If there is no separator (.) between
snapshots. an object type and a property, the
whole entry is treated as an object
type.

For example:
Exchange_
Server.AdministrativeGroup
Exchange_
Server.AdministrativeNote
Exchange_Server.CreationTime

propnames_ecr2007.txt Contains a list of human- classname.attrname=


readable names for object intelligiblename
classes and attributes of For example:
Exchange 2007 to be
msExchMDBAvailabilityGroup=
displayed in change reports.
Database Availability Group

To exclude users or mailboxes from the Mailbox Access monitoring scope

Netwrix Auditor allows specifying users and mailboxes that you do not want to monitor for non-owner
mailbox access events. To do this, edit the mailboxestoexclude.txt , userstoexclude.txt , and
agentomitusers.txt files.

1. Navigate to the %Netwrix Auditor installation folder%\Non-owner Mailbox Access Reporter for
Exchange folder.

2. Edit mailboxestoexclude.txt , userstoexclude.txt , or agentomitusers.txt files, based on the


following guidelines:

168/211
Netwrix Auditor Administration Guide

10. Additional Configuration

l Each entry must be a separate line.

l Wildcards (* and ?) are supported.

l Lines that start with the # sign are treated as comments and are ignored.

NOTE: You can also limit your reports by specific mailboxes. Edit the mailboxestoinclude.txt file to
specify mailboxes.

File Description Syntax

mailboxestoexclude.txt This file contains a list of Each entry must be a separate line. Wildcards
mailboxes and folders (*) can be used to replace any number of
that must be excluded characters.
from data collection.
l To exclude the certain user's mailbox,
enter username@domainname ,
[email protected]

l To exclude the certian folder, enter


username@domainname/foldername ,
e.g. [email protected]/Drafts

l Use *to exclude multiple mailboxes or


folders, e.g. */foldername will exclude
the specified folder when processing all
mailboxes.

Examples:
*admin*@corp.com

*/Drafts - exclude Drafts folder (for all


mailboxes)

*/Testfolder/* - exclude subfolders of


Testfolder (for all mailboxes)

mailboxestoinclude.txt This file contains a list of Specify email address to be included in the list
mailboxes that must be as username@domainname.
included when collecting
Example: [email protected]
data.

NOTE: For the mailboxes


added to this list,
the reports will
contain only non-
owner access
events.

169/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

userstoexclude.txt This file contains a list of DOMAIN\username


users who must be
excluded from reports if
they perform non-owner
access attempt for
mailboxes (audit data on
these users will still be
stored in the state-in-time
snapshots).

NOTE: If a user is
removed from this
list, the
information on
this user’s actions
can be viewed with
the Report Viewer.

agentomitusers.txt This file contains a list of DOMAIN\username


users who must be
excluded from reports
and snapshots.

NOTE: If a user is
removed from this
list, audit data on
this user will only
be available after
the next data
collection. Writing
new users to this
file affects reports
and snapshots
only if Network
traffic
compression is
enabled.

170/211
Netwrix Auditor Administration Guide

10. Additional Configuration

10.1.4. Exclude Data from Exchange Online Monitoring


Scope
You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Exchange Online
monitoring scope.

To exclude data from Exchange Online monitoring scope

1. Navigate to the %Netwrix Auditor installation folder%\Exchange Online Auditing folder.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l A wildcard (*) is supported. You can use * for cmdlets and their parameters.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

omitlist.txt The file contains a list of cmdlet


changes performed by
For example:
cmdlets. To exclude a
change from reports, Enable-OrganizationCustomization
search results and Activity New-AdminAuditLogSearch
Summaries, specify name
New-MailboxAuditLogSearch
of a cmdlet and the
attribute that is changed cmdlet.param
by the selected cmdlet. For example:
*.Identity
*.DomainController
*.Organization
*.IgnoreDefaultScope
*.Force
*.Confirm
*.Password
*-ManagementRoleEntry.Parameters
Remove-PublicFolder.Recurse

omitpathlist.txt Contains a list of paths to path


be excluded from reports,
For example:
search results and Activity
Summaries. SystemMailbox{*}
DiscoverySearchMailbox{*}

171/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

FederatedEmail.*

NOTE: You can use a wildcard (*) to replace


any number of characters in the path.

omituserlist.txt Contains a list of user domain\user


names to be excluded
For example:
from reports, search
results and Activity Enterprise\analyst
Summaries. email address

For example:
[email protected]

propnames.txt Contains a list of human- cmdletobject=friendlyname


readable names for object cmdlet.param=friendlyname
classes and their and their
properties to be displayed For example:
in search results, reports RoleGroupMember = Role Group
and Activity Summaries.
UMHuntGroup = Unified Messaging
Hunt Group

10.1.5. Exclude Data from File Servers Monitoring Scope


You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Windows File
Server, NetApp Filer and EMC Storage monitoring scope.

To exclude data from Windows File Server, NetApp Filer and EMC Storage monitoring scope

1. Navigate to the %Netwrix Auditor installation folder%\File Server Auditing folder.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l Wildcards (*, ?) are supported. For example, you can use * for a class name to specify an
attribute for all classes.

l Lines that start with the # sign are treated as comments and are ignored.

l A backslash (\) must be put in front of (*), (?) and (,) if they are a part of an entry value.

File Description Syntax

omitcollectlist.txt Contains a monitoring plan name,server name, resource path

172/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

list of NOTE: Wildcards are not supported for the Server Name field.
objects to To disable filtering for this field, specify an empty string.
be
For example:
excluded
from being *,,\\\\*\\System Volume Information*
monitored.

omiterrors.txt Contains a monitoring plan name,server name,error text


list of
For example:
errors and
warnings to *,productionserver1.corp.local, *Access is
denied*
be omitted
from
logging to
the Netwrix
Auditor
System
Health
event log.

omitreportlist.txt Contains a monitoring plan name,action,who,object


list of type,resource path,property name
objects to
be NOTE: Wildcards are not supported for the action and
excluded property name fields. To disable filtering for these
from fields, specify an empty string.
reports and
For example:
Activity
Summary *,,CORP\\jsmith,*,*,
emails. In
this case
audit data
is still being
collected.

omitstorelist.txt Contains a monitoring plan name,action,who ,object


list of type,resource path,property name
objects to
be NOTE: Wildcards are not supported for the Change Type and
excluded Property Name fields. To disable filtering for these
from being fields, specify an empty string.
stored to
For example:
the

173/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

AuditArchiv *,,*,*,\\\\productionserver1.corp.local\\build
e and s\\*, Attributes
showing up
in reports.
In this case
audit data
is still being
collected.

omitstoreprocesslist.t Contains a monitoring plan name,resource path, executable


xt list of path
processes
to be
excluded NOTE: Only local applications can be excluded.
from being
stored to For example:
the *,*,*notepad.exe
AuditArchiv
e and
showing up
in reports.

10.1.6. Exclude Oracle Database Users from Monitoring


Scope
You can fine-tune Netwrix Auditor by specifying users that you want to exclude from the Oracle Database
monitoring scope.

To exclude data from the Oracle Database monitoring scope

1. In Netwrix Auditor, navigate to your Oracle Database monitoring plan and click Edit.

2. In the right pane, select Edit data source.

3. Navigate to Users tab and click Add next to Exclude.

4. In the Add User dialog, type name of the user you want to exclude and select its type (OS user or
Database user).

5. Click Add to exclude selected user from being monitored.

174/211
Netwrix Auditor Administration Guide

10. Additional Configuration

10.1.7. Exclude Data from SharePoint Monitoring Scope


You can fine- tune Netwrix Auditor by specifying data that you want to exclude from the SharePoint
monitoring scope.

To exclude data from SharePoint monitoring scope

1. Navigate to the %ProgramData%\Netwrix Auditor\Netwrix Auditor for SharePoint\Configuration\ folder


and locate your monitoring plan.

NOTE: If you have several monitoring plans for monitoring SharePoint farms, configure omitlists for
each monitoring plan separately.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l A wildcard (*) is supported, except for omiteventloglist.txt.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

omiteventloglist.txt Contains a list of event event ID


IDs to be excluded from
For example:
the Netwrix Auditor
System Health event log. 1001

NOTE: Only add known error or warning


events, otherwise you may lose
important data.

omitscreadaccesslist.txt Contains a list of site http(s)://URL


collections for which the
product will not monitor NOTE: Enter the root web site URLs.
read access attempts.
If you have alternate access mapping
configured in your SharePoint farm,
and one web application has different
URLs for different zones, you can use
any of these URLs to specify a child
site collection.

For example:
http://sharepointsrv:3333/

omitscstorelist.txt Contains a list of site http(s)://URL


collections to be excluded
from audit data collection. NOTE: Enter the root web site URLs.

175/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

If you have alternate access mapping


configured in your SharePoint farm,
and one web application has different
URLs for different zones, you can use
any of these URLs to specify a child
site collection.

For example:
https://siteColl*

omitsitscstorelist.txt Lists site collections to http(s)://URL


exclude from being
monitored and reported NOTE: Enter root web site URLs.
in state-in-time report. If you have alternate access mapping
configured in your SharePoint farm,
and one web application has different
URLs for different zones, you can use
any of these URLs to specify a child
site collection.

You can use a wildcard (*) to replace


any number of characters.

Examples:
http://siteCollection1:3333/
https://siteColl*

omitsitstorelist.txt Contains SharePoint lists URI Reference


and list items that you
want to exclude from NOTE: URI Reference does not include site
being audited. collection URL. For example, to
exclude the list item with URL
http://sitecollection/list/document.docx
, specify only " list/document.docx "
instead of full URL.

Wildcard (*) is supported to replace


any number of characters.

Examples:
*list/document.docx
*/_catalogs/*
*/_vti_inf.html
*/Style Library*

176/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

*/SitePages*

omituserviewstorelist.txt Contains a list of user or Login name


service accounts to be For example:
excluded from read
access monitoring. SHAREPOINT\System

omitviewstorelist.txt Contains lists and list URI Reference


items to be excluded from
being monitored for read NOTE: Only specify URI reference to a list or
access. list item without
https:\\<siteCollection_
name> part.

For example:
*list/document.docx

omitwastorelist.txt Contains a list of web http(s)://URL


applications to be
excluded from audit data NOTE: Enter the root web site URLs. If you
collection. have alternate access mapping
configured in your SharePoint farm,
and one web application has different
URLs for different zones, you can use
any of these URLs.

For example:

http://webApplication1:3333/

10.1.8. Exclude Data from SharePoint Online Monitoring


Scope
You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the SharePoint Online
monitoring scope.

To exclude data from SharePoint Online monitoring scope

1. Navigate to the %ProgramData%\Netwrix Auditor\Netwrix Auditor for SharePoint


Online\Configuration\ folder and locate your monitoring plan.

NOTE: If you have several monitoring plans for monitoring SharePoint Online, configure omitlists for
each monitoring plan separately.

2. Edit the *.txt files, based on the following guidelines:

177/211
Netwrix Auditor Administration Guide

10. Additional Configuration

l Each entry must be a separate line.

l A wildcard (*) is supported, except for omiteventloglist.txt.

l Lines that start with the # sign are treated as comments and are ignored.

File Descriptio Syntax


n

omitstorelist.txt Contains https://URL


a list URLs
For example:
of
SharePoi https://Corp.sharepoint.com/*
nt Online
objects to
be
excluded
from
audit data
collection.

omiteventloglist.txt Contains event ID


a list of
For example:
event IDs
to be 1001
excluded
from the NOTE: Only add known error or warning events, otherwise you
Netwrix may lose important data.
Auditor
System
Health
event log.

omitreadstorelist.txt Contains https://URL


the
For example:
SharePoi
nt Online https://Corp.sharepoint.com/*
lists, *list/document.docx
documen
ts, etc., to
be
excluded
from
being
monitore
d for read
access.

178/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Descriptio Syntax


n

omituserreadstorelist Contains Provide user name in the UPN format.


.txt a list of
For example:
user
accounts account@example.*.com
to be
excluded
from read
access
monitorin
g.

OmitSitScStoreList.tx Contains Enter root web site URLs.


t a list of
For example:
SharePoi
nt Online https://URL
site
collection
s to be
excluded
from
state-in-
time data
collection.

OmitSitStoreList.txt Contains Enter URI (Unique resource identifier, or endpoint) reference. Note
SharePoi that URI Reference does not include site collection URL.
nt Online
For example, to exclude a list item with the
lists and https://sitecollection.sharepoint.com/list/docume
list items
nt.docx, URL, you should specify the corresponding endpoint
to be
(URI), i.e. list/document.docx.
excluded
from
state-in-
time data
collection.

10.1.9. Exclude Data from SQL Server Monitoring Scope


You can fine- tune Netwrix Auditor by specifying data that you want to exclude from the SQL Server
monitoring scope.

179/211
Netwrix Auditor Administration Guide

10. Additional Configuration

To exclude data from the SQL Server monitoring scope

1. Navigate to the %Netwrix Auditor install folder%\SQL Server Auditing folder.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l A wildcard (*) is supported.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

omitarlist.txt Lists activity records Monitoring plan name,


you want to exclude SQL Server instance,object type,
from showing up in account,workstation,application name
reports, search, and
activity summaries. NOTE: Wildcard (*) is supported and can replace any
number of characters.
NOTE: This .txt file has
no effect on For the account, workstation, application name
SQL logons fields, you can specify a mixed expression that
monitoring. To contains both a value and a wildcard (e.g.,
exclude SQL Admin*).
logons from For example:
being
SQLPlan,Ent-SQL,Table,guest,WksSQL,MyInternalApp
monitored, use
the
omitlogonlist.txt
.

omitlogonlist.txt Contains a list of monitoring plan name,SQL Server


logons to be excluded instance,logon
type,account,workstation,application name
from being monitored.

NOTE: For the account, workstation, application


name fields, you can specify a mixed expression
that contains both a value and a wildcard (e.g.,
Admin*).

The following logon types are supported:

l NtLogon —Successful logon attempt made


through Windows authentication.

l SqlLogon — Successful logon attempt made


through SQL Server authentication.

l NtFailedLogon — Failed logon attempt made


through Windows authentication.

180/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

l SqlFailedLogon — Failed logon attempt made


through SQL Server authentication.

For example:
DB_M0,Ent-
SQL,SQLFailedLogon,guest,WksSQL,MyInternal
App

omitobjlist.txt Contains a list of object_type_name


object types to be
For example:
excluded from Activity
Summaries and Database
reports. Column

NOTE: This .txt file has


no effect on
SQL logons
monitoring.
Use the
omitlogonlist.t
xt to exclude
SQL logons
from being
monitored.

omitpathlist.txt Contains a list of Server_instance:resource_path


resource paths to the
where resource_path is shown in the What column in
objects to be excluded
the reports.
from Activity
Summaries and For example, to exclude information about databases
reports. In this case whose names start with "tmp" on the SQL Server
data is still being instance "PROD.SQL2012":
collected and saved to PROD.SQL2012:Databases\tmp*.
the AuditArchive.

omitproplist.txt Contains a list of object_type_name.property_name.attribute_


attributes to be name
excluded from being where:
monitored and stored
to the AuditArchive. l object_type_name —Can be found in the found
in the Object Type column in change reports.

l property_ name — Can be found in the Details


column (property name is bold).

181/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

l attribute_ name — Can be found in the Details


column (attribute name is not bold).

If an object does not have an attribute name, use


the * character.

For example to exclude information about the Size


attribute of the Database File property in all databases:
Database.Database File.Size.

omitstorelist.txt Contains a list of server_instance.resource_path


objects you want to
where resource_path is shown in the What column in
exclude from being
the reports.
stored to the
AuditArchive.

NOTE: This .txt file has


no effect on
SQL logons
auditing. Use
the
omitlogonlist.t
xt to exclude
SQL logons
from being
audited.

omittracelist.txt Contains a list of SQL server\instance name


Server instances you
do not want to enable
SQL tracing on.

In this case the "Who",


"Workstation" and
"When" values will not
be reported correctly
(except for content
changes).

NOTE: If you enabled


monitoring of
SQL logons,
SQL trace for
these logons

182/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

will be created
anyway.

pathtotracelogs.t Contains a list of SQL SQLServer\Instance|UNC path


xt Server instances
For example:
whose traces must be
stored locally. server\instance|C:\Program Files\Microsoft
SQL Server\MSSQL\LOG\

propnames.txt Contains a list of object_type_name.property_


human-readable name=friendlyname
names for object types For example:
and properties to be
*.Date modified=Modification Time
displayed in the
change reports.

10.1.10. Exclude Data from VMware Monitoring Scope


You can fine-tune Netwrix Auditor by specifying various data types that you want to exclude/include
from/in the VMware reports.

To exclude data from VMware monitoring scope

1. Navigate to the %Netwrix Auditor installation folder%\VMware Auditing folder.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l A wildcard (*) is supported. For example, you can use * for a class name to specify an attribute
for all classes.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

omitproplist.txt Contains a list of object object_type.property_name


types and properties to be
excluded from change NOTE: If there is no separator (.) between an
reports. object type and aproperty, the whole
entry is treated as an object type.

For example, to exclude the


config.flags.monitorType property from
reports, add the following line:
*.config.flags.monitorType.

183/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

hidepropvalues.txt Contains a list of object object_type.property_name=property_


types and properties to be value:object_type.hidden_property
excluded from the reports
For example, to exclude the
when the property is set to
config.cpuAllocation.shares.level property
certain value.
when it equals to "Low", add the following line:
*.config.cpuAllocation.shares
.level=low:
*.config.cpuAllocation.shares.shares
.

proplist.txt Contains a list of human- inner_type:object_


readable names for object type.property=intelligiblename
types and properties to be
displayed in the reports. NOTE: Inner_type is optional.

For example, if you want the configStatus


property to be displayed in the reports as
Configuration Status, add the following line:
*.configStatus=Configuration Status.

omitstorelist.txt Contains a list of objects to Monitoring plan name, who, where, object type,
be excluded from being what, property name, property value
saved to data storage and
For example, to exclude internal logons:
showing up in reports.
*,*,*,Logon,*,UserAgent,VMware vim-
NOTE: Audit data will still java*
be collected.
NOTE: The following characters must be
preceded with a backslash (\) if they are
a part of an entry value:
*
,
\
?

NOTE: Characters may be also specified with


hex value using \xnnnn template.

TIP: The spaces are trimmed. If they are


required, use hex notation. For example:
Word\x0020 where \x0020 (with
space at the end) means blank character.

184/211
Netwrix Auditor Administration Guide

10. Additional Configuration

10.1.11. Exclude Data from Windows Server Monitoring


Scope
You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Windows Server
monitoring scope.

To exclude data from the Windows Server monitoring scope

1. Navigate to the %Netwrix Auditor installation folder%\Windows Server Auditing folder.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l Wildcards (* and ?) are supported. A backslash (\) must be put in front of (*), (?), (,), and (\) if they
are a part of an entry value.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

omitcollectlist.txt Contains a list of objects monitoring plan name,server name,class


and their properties to be name,property name,property value
excluded from being
monitored. NOTE: class name is a mandatory parameter, it
cannot be replaced with a wildcard.
NOTE: If you want to property name and property value
restart monitoring are optional, but cannot be replaced with
these objects, wildcards either.
remove them from For example:
the
#*,server,MicrosoftDNS_Server
omitcollectlist.txt
and run data #*,*,StdServerRegProv
collection at least
twice.

omiterrors.txt Contains a list of monitoring plan name,server name,error


errors/warnings to be text
omitted from logging to For example:
the Netwrix Auditor
*,productionserver1.corp.local,*Access
System Health event log.
is denied*

omitreportlist.txt Contains a list of objects to monitoring plan name,who,where,object


be excluded from reports type,what,property name
and Activity Summary
For example:
emails. In this case audit
data is still being collected. *,CORP\\jsmith,*,*,*,*

185/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

omitsitcollectlist Contains a list of objects to monitoring planname,server name,class


be excluded from State-in- name,property name,property value
time reports.
NOTE: class name is a mandatory parameter, it
cannot be replaced with a wildcard.
property name and property value
are optional, but cannot be replaced with
wildcards either.

For example:
*,server,MicrosoftDNS_Server
*,*,StdServerRegProv

omitstorelist.txt Contains a list of objects to monitoring plan name,who,where,object


be excluded from being type,what,property name
stored to the AuditArchive
For example:
and showing up in reports.
In this case audit data is *,*,*,Scheduled task,Scheduled
still being collected. Tasks\\User_Feed_Synchronization*,*

10.1.12. Exclude Data from Event Log Monitoring Scope


You can fine- tune Netwrix Auditor by specifying data that you want to exclude from the Event Log
monitoring scope.

To exclude data from the Event Log monitoring scope

1. Navigate to the %Netwrix Auditor installation folder%\Event Log Management folder.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l Wildcards (* and ?) are supported.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

OmitErrorsList.txt Contains a list of data Error text


collection errors and warnings
to be excluded from the
Netwrix Auditor System
Health event log.

186/211
Netwrix Auditor Administration Guide

10. Additional Configuration

File Description Syntax

omitServerList.txt Contains a list of server names ip address or server name


or servers IP addresses to be
For example:
excluded from processing.
192.168.3.*

10.1.13. Exclude Data from Group Policy Monitoring Scope


You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Group Policy
monitoring scope. To do it, edit the omitobjlist_gp.txt, omitproplist_gp.txt and omituserlist_gp.txt files.

To exclude data from the Group Policy monitoring scope

1. Navigate to the %Netwrix Auditor installation folder%\Active Directory Auditing folder.

2. Edit omitobjlist_ gp.txt , omitproplist_ gp.txt and omituserlist_ gp.txt files, based on the following
guidelines:

l Each entry must be a separate line.

l A wildcard (*) is supported and can be used to replace any number of characters.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

omitobjlist_gp.txt The file contains a list of the <object name>


Group Policy Object (GPO)
For example, to exclude changes to the
names to be excluded from
Default Domain Policy GPO, add the
change reports.
following line: Default Domain
Policy.

omitproplist_gp.txt The file contains a list of the <settingname>


Group Policy Object settings to
For example, to exclude data on
be excluded from change
changes made to the Maximum
reports.
password length setting, add the
following line: Maximum password
length.

omituserlist_gp The file contains a list of user <domain\user>


names to be excluded from
For example, to exclude changes made
change reports.
by the user “usertest” in the domain
“domaintest”, add the following line:
domaintest\usertest.

187/211
Netwrix Auditor Administration Guide

10. Additional Configuration

10.1.14. Exclude Data from Inactive Users Monitoring Scope


You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Inactive User
monitoring scope.

To exclude data from the Inactive Users monitoring scope

1. Navigate to the %ProgramData%\Netwrix Auditor\Inactive Users Tracker folder.

2. Edit the *.txt files, based on the following guidelines:

l Each entry must be a separate line.

l Wildcards (* and ?) are supported.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

filter.txt Contains a list of accounts to Username


be excluded from processing.

omitdclist.txt Contains a list of domain Full DNS name or NetBIOS name


controllers to be excluded
from processing. NOTE: IP addresses are not supported.

Netwrix Auditor skips all


automated deactivation
actions for inactive accounts
(disable, move, delete) even if
one domain controller is
unavailable during scheduled
task execution. Add the
unavailable domain controllers
to this file to ensure Netwrix
Auditor functions properly.

omitoulist.txt Contains a list of Path


organizational units to be
For example:
excluded from processing.
*OU=C,OU=B,OU=A*

10.1.15. Exclude Data from Logon Activity Monitoring Scope


You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Logon Activity
monitoring scope.

188/211
Netwrix Auditor Administration Guide

10. Additional Configuration

To exclude data from the Logon Activity monitoring scope

1. Navigate to %ProgramData%\Netwrix Auditor\NLA\Settings\ folder and locate your monitoring plan.

NOTE: If you have several monitoring plans for monitoring Logon Activity, configure omitlist for each
monitoring plan separately.

2. Edit the Settings.cfg file based on the following guidelines:

l Each entry must be a separate line.

l Wildcards (* and ?) are supported. A backslash (\) must be put in front of (*) and (?) if they are a
part of an entry value.

l Lines that start with <!-- are treated as comments and are ignored.

Configuration String Description Syntax

<n Contains a list of DC_name


n="DCOmitList"> DCs to be excluded For example:
from being
<v v= "*ROOTDC1*"/>
monitored.

<n n="Hubs"> Determines <n n="localhost">


whether to enable <a n="DCWithCompressionService" t="258">
network traffic <v v="DomainControllerNameInFQDNFormat1"/>
compression for a
</a>
Domain Controller
<a n="DCWithoutCompressionService" t="258">
or not.
<v v="DomainControllerNameInFQDNFormat2"/>
NOTE: If </a>
configured, <a n="DataCollectionIntervalInSeconds"
overrides v="0"/>
the Enable </n>
network
</n>
traffic
compressio
n option in
monitoring
plan
configuratio
n.

<n Contains a list of User name


n="UserOmitList">
users to be For example:
<a n="Names"> excluded from
<v v="*NT AUTHORITY*"/>
being monitored.

189/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Configuration String Description Syntax

Allows specifying a
user by name.

<a n="SIDs"> Contains a list of User SID


users to be For example:
excluded from
<v v="*S-1-5-21-1180699209
being monitored.
Allows specifying a -877415012-318292XXXX-XXX*"/>
user by security
identifier (SID).

NOTE: The file must be formatted in accordance with XML standard. The following symbols must be
replaced with corresponding XML entities: & (ampersand), " (double quotes), ' (single quotes),
< (less than), and > (greater than) symbols.

Symbol XML entity

& &amp;

e.g., Ally & Sons e.g., Ally &amp; Sons

" &quot;

e.g., Domain1\Users\"Stars" e.g., Domain1\Users\&quot;Stars&quot;

' &apos;

e.g., Domain1\Users\O'Hara e.g., Domain1\Users\O&apos;Hara

< &lt;

e.g., CompanyDC< 100 e.g., CompanyDC&lt;100

> &gt;

e.g., ID> 500 e.g., ID&gt;500

10.1.16. Exclude Data from Password Expiration Monitoring


Scope
You can fine-tune Netwrix Auditor by specifying data that you want to exclude from monitoring and
alerting on password expiration.

190/211
Netwrix Auditor Administration Guide

10. Additional Configuration

To exclude data from the Password Expiration Alerting monitoring scope

1. Navigate to the %Netwrix Auditor install folder%\Password Expiration Alerting folder.

2. Edit the omitoulist.txt file, based on the following guidelines:

l Each entry must be a separate line.

l A wildcard (*) is supported.

l Lines that start with the # sign are treated as comments and are ignored.

File Description Syntax

omitoulist.txt Contains a list of Path


organizational units to be
For example:
excluded from processing.
*OU=C,OU=B,OU=A*

10.2. Fine-tune Netwrix Auditor with Registry Keys


You can fine-tune Netwrix Auditor using the registry keys as described below. This functionality is currently
available for the following data sources:

l Registry Keys for Monitoring Active Directory

l Registry Keys for Monitoring Exchange

l Registry Keys for Monitoring File Servers

l Registry Keys for Monitoring Windows Server

l Registry Keys for Monitoring Event Log

l Registry Keys for Monitoring Group Policy

l Registry Keys for Monitoring Password Expiration

l Registry Keys for Monitoring Inactive Users

l Registry Keys for Monitoring Logon Activity

10.2.1. Registry Keys for Monitoring Active Directory


Review the basic registry keys that you may need to configure for monitoring Active Directory with Netwrix
Auditor. Navigate to Start → Run and type "regedit".

Registry key (REG_DWORD type) Description / Value

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\AD Change Reporter

191/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Registry key (REG_DWORD type) Description / Value

CleanAutoBackupLogs Defines the retention period for the security log backups:

l 0—Backups are never deleted from Domain controllers

l [X]— Backups are deleted after [X] hours

IgnoreAuditCheckResultError Defines whether audit check errors should be displayed in the


Activity Summary footer:

l 0—Display errors

l 1—Do not display errors

IgnoreRootDCErrors Defines whether to display audit check errors for the root domain
(when data is collected from a child domain) in the Activity
Summary footer:

l 0—Display errors

l 1—Do not display errors

LogonResolveOptions Defines what will be shown in the Workstation field:

l 2—MAC address

l 4—FQDN or IP address (set by default)

l 6—Both

MonitorModifiedAndRevertedBack Defines whether the Activity Summary must display the attributes
whose values were modified and then restored between data
collections:

l 0—These attributes are not displayed

l 1—These attributes are displayed as "modified and reverted


back"

ShortEmailSubjects Defines whether to contract the email subjects:

l 0—No

l 1—Yes

ProcessBackupLogs Defines whether to process security log backups:

l 0—No

l 1—Yes

NOTE: Even if this key is set to "0" , the security log backups will
not be deleted regardless of the value of the

192/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Registry key (REG_DWORD type) Description / Value

CleanAutoBackupLogs key.

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\AD Change


Reporter\<monitoring plan name>

CollectLogsMaxThreads Defines the number of Domain Controllers to simultaneously


start log collection on.

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Management
Console\Database settings

SqlOperationTimeout Defines the timeout for executing SQL queries such as data
selection, insertion or deletion (in seconds).

timeout Defines the Audit Database connection timeout (in seconds).

10.2.2. Registry Keys for Monitoring Exchange


Review the basic registry keys that you may need to configure for monitoring Exchange with Netwrix
Auditor. Navigate to Start → Run and type "regedit".

Registry key (REG_DWORD type) Description / Value

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\AD Change Reporter

CleanAutoBackupLogs Defines the retention period for the security log backups:

l 0—Backups are never deleted from Domain controllers

l [X]— Backups are deleted after [X] hours

IgnoreAuditCheckResultError Defines whether audit check errors should be displayed in the


Activity Summary footer:

l 0—Display errors

l 1—Do not display errors

IgnoreRootDCErrors Defines whether to display audit check errors for the root domain
(when data is collected from a child domain) in the Activity
Summary footer:

l 0—Display errors

l 1—Do not display errors

LogonResolveOptions Defines what will be shown in the Workstation field:

193/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Registry key (REG_DWORD type) Description / Value

l 2—MAC address

l 4—FQDN or IP address (set by default)

l 6—Both

ShortEmailSubjects Defines whether to contract the email subjects (e.g., Netwrix


Auditor: Activity Summary):

l 0—No

l 1—Yes

ProcessBackupLogs Defines whether to process security log backups:

l 0—No

l 1—Yes

NOTE: Even if this key is set to "0" , the security log backups will
not be deleted regardless of the value of the
CleanAutoBackupLogs key.

ShowReportFooter Defines whether to display the footer in the Activity Summary


email:

l 0—No

l 1—Yes

ShowReportGeneratorServer Defines whether to display the report generation server in the


Activity Summary footer:

l 0—No

l 1—Yes

ShowSummaryInFooter Defines whether to display the summary in the Activity Summary


footer:

l 0—No

l 1—Yes

ShowSummaryInHeader Defines whether to display the summary in the Activity Summary


header:

l 0—No

l 1—Yes

194/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Registry key (REG_DWORD type) Description / Value

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\AD Change


Reporter\<monitoring plan name>

CollectLogsMaxThreads Defines the number of Domain Controllers to simultaneously


start log collection on.

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Management
Console\Database settings

overwrite_datasource Defines whether to overwrite the database connection settings


(stored in the reports data source) if they differ from the SQL
server settings specified when configuring the monitoring plan:

l 0—No

l 1—Yes

SqlOperationTimeout Defines the timeout for executing SQL queries such as data
selection, insertion or deletion (in seconds).

timeout Defines the Audit Database connection timeout (in seconds).

10.2.3. Registry Keys for Monitoring File Servers


NOTE: Information in this section refers to EMC VNX and Isilon storage systems and NetApp filers older
than 8.3.2.

Review the basic registry keys that you may need to configure for monitoring file servers with Netwrix
Auditor. Navigate to Start → Run and type "regedit".

Registry key (REG_DWORD type) Description / Value

HKEY_ LOCAL_ MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\File Server Change


Reporter

CleanAutoBackupLogs Defines the retention period for the security log backups:

l 0—Backups are never deleted from file servers

l [X]— Backups are deleted after [X] hours

ProcessBackupLogs Defines whether to process security log backups:

l 0—No

l 1—Yes

195/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Registry key (REG_DWORD type) Description / Value

NOTE: Even if this key is set to "0" , the security log backups will
not be deleted regardless of the value of the
CleanAutoBackupLogs key.

10.2.4. Registry Keys for Monitoring Windows Server


Review the basic registry keys that you may need to configure for monitoring Windows Server with Netwrix
Auditor. Navigate to Start → Run and type "regedit".

Registry key (REG_DWORD type) Description / Value

HKEY_ LOCAL_ MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Windows Server Change


Reporter

CleanAutoBackupLogs Defines the retention period for the security log backups:

l 0—Backups are never deleted from Domain controllers

l [X]— Backups are deleted after [X] hours

ProcessBackupLogs Defines whether to process security log backups:

l 0—No

l 1—Yes

NOTE: Even if this key is set to "0" , the security log backups will
not be deleted regardless of the value of the
CleanAutoBackupLogs key.

10.2.5. Registry Keys for Monitoring Event Log


Review the basic registry keys that you may need to configure for monitoring event logs with Netwrix
Auditor. Navigate to Start → Run and type "regedit".

Registry key (REG_DWORD type) Description / Value

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Netwrix Auditor\Event Log


Manager\<monitoring plan name>\Database Settings

ConnectionTimeout Defines SQL database connection timeout (in seconds).

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Netwrix Auditor\Event Log


Manager\<monitoring plan name>\ElmDbOptions

196/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Registry key (REG_DWORD type) Description / Value

BatchTimeOut Defines batch writing timeout (in seconds).

DeadLockErrorCount Defines the number of write attempts to a SQL database.

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Netwrix Auditor\Event Log Manager

CleanAutoBackupLogs Defines the retention period for the security log backups:

l 0—Backups are never deleted from Domain controllers

l [X]— Backups are deleted after [X] hours

ProcessBackupLogs Defines whether to process security log backups:

l 0—No

l 1—Yes

NOTE: Even if this key is set to "0" , the security log backups will
not be deleted regardless of the value of the
CleanAutoBackupLogs key.

WriteAgentsToApplicationLog Defines whether to write the events produced by the Netwrix


Auditor Event Log Compression Service to the Application Log of
a monitored machine:

l 0—Disabled

l 1—Enabled

WriteToApplicationLog Defines whether to write events produced by Netwrix Auditor to


the Application Log of the machine where the product is installed:

l 0—No

l 1—Yes

10.2.6. Registry Keys for Monitoring Group Policy


Review the basic registry keys that you may need to configure for monitoring Group Policy with Netwrix
Auditor. Navigate to Start → Run and type "regedit".

Registry key (REG_DWORD type) Description / Value

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\AD Change Reporter

CleanAutoBackupLogs Defines the retention period for the security log backups:

197/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Registry key (REG_DWORD type) Description / Value

l 0—Backups are never deleted from Domain controllers

l [X]— Backups are deleted after [X] hours

GPOBackup Defines whether to backup GPOs during data collection:

l 0—No

l 1—Yes

GPOBackupDays Defines the backup frequency:

l 0—Backup always

l X—Once in X days

NOTE: GPOBackup must be set to "1".

IgnoreAuditCheckResultError Defines whether audit check errors should be displayed in the


Activity Summary footer:

l 0—Display errors

l 1—Do not display errors

IgnoreRootDCErrors Defines whether to display audit check errors for the root domain
(when data is collected from a child domain) in the Activity
Summary footer:

l 0—Display errors

l 1—Do not display errors

LogonResolveOptions Defines what will be shown in the Workstation field:

l 2—MAC address

l 4—FQDN or IP address (set by default)

l 6—Both

ShortEmailSubjects Defines whether to contract the email subjects (e.g., Netwrix


Group Policy Change Reporter: Summary Report – GPCR Report):

l 0—No

l 1—Yes

ProcessBackupLogs Defines whether to process security log backups:

l 0—No

198/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Registry key (REG_DWORD type) Description / Value

l 1—Yes

NOTE: Even if this key is set to "0" , the security log backups will
not be deleted regardless of the value of the
CleanAutoBackupLogs key.

ShowReportFooter Defines whether to display the footer in the Activity Summary


email:

l 0—No

l 1—Yes

ShowReportGeneratorServer Defines whether to display the report generation server in the


Activity Summary footer:

l 0—No

l 1—Yes

ShowSummaryInFooter Defines whether to display the summary in the Activity Summary


footer:

l 0—No

l 1—Yes

ShowSummaryInHeader Defines whether to display the summary in the Activity Summary


header:

l 0—No

l 1—Yes

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\AD Change


Reporter\<monitoring plan name>

CollectLogsMaxThreads Defines the number of Domain Controllers to simultaneously


start log collection on.

HKEY_ LOCAL_ MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\ AD Change


Reporter\<monitoring plan name>\Database settings

SessionImportDays Defines the frequency of a full snapshot upload:

l X—Once in X days

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Management
Console\Database settings

199/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Registry key (REG_DWORD type) Description / Value

overwrite_datasource Defines whether to overwrite the database connection settings


(stored in the reports data source) if they differ from the SQL
server settings specified when configuring the monitoring plan:

l 0—No

l 1—Yes

SqlOperationTimeout Defines the timeout for executing SQL queries such as data
selection, insertion or deletion (in seconds).

timeout Defines the Audit Database connection timeout (in seconds).

10.2.7. Registry Keys for Monitoring Password Expiration


Review the basic registry keys that you may need to configure for monitoring expiring passwords within
your Active Directory domain with Netwrix Auditor. Navigate to Start → Run and type "regedit".

Registry key (REG_DWORD type) Description / Value

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Password Expiration


Notifier

HideEmailAdditionalInfo Defines whether to show or hide the header and footer in emails
sent to users and their managers (emails sent to administrators
always have default header and footer):

l 0—Show

l Any other number—Hide

10.2.8. Registry Keys for Monitoring Inactive Users


Review the basic registry keys that you may need to configure for monitoring inactive users within your
Active Directory domain with Netwrix Auditor. Navigate to Start → Run and type "regedit".

Registry key (REG_DWORD type) Description / Value

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Inactive Users Tracker

HideEmailAdditionalInfo Defines whether to show or hide the header and footer in emails
sent to managers (emails sent to administrators always have
default header and footer):

200/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Registry key (REG_DWORD type) Description / Value

l 0—Show

l Any other number—Hide

RandomPasswordLength Defines the length of a random password to be set for inactive


user.

WriteEventLog Defines whether to write events to the Application Log:

l 0—No

l 1—Yes

10.2.9. Registry Keys for Monitoring Logon Activity


Review the basic registry keys that you may need to configure for monitoring Logon Activity with Netwrix
Auditor. Navigate to Start → Run and type "regedit".

Registry key (REG_DWORD type) Description / Value

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Netwrix Auditor\Logon Activity Auditing

ProcessBackupLogs Defines whether to process security log backups:

l 0—No

l 1—Yes

10.3. Automate Sign-in to Netwrix Auditor Client


Typically, when a user launches the Netwrix Auditor client, he or she must provide connection details. By
default, this step is skipped if you start the Netwrix Auditor client on computer that hosts Netwrix Auditor
Server. If you want to connect to an instance of Netwrix Auditor Server installed on another computer, you
must force the start page to show up. To do it, add special parameters to a product shortcut.

Users who frequently connect to different Netwrix Auditor Servers (e.g., MSP users) installed both locally
and remotely, may also leverage shortcuts to automate their sign-in process. The parameters pre-populate
the start page with connection details. For security reasons, the password must be typed by a user.

To create a shortcut that will start Netwrix Auditor client with pre-populated connection details

1. Navigate to the Netwrix Auditor client installation directory and locate the AuditIntelligence.exe (by
default, C:\Program Files (x86)\Netwrix Auditor\Audit Intelligence\AuditIntelligence.exe).

2. Create a shortcut for the executable.

201/211
Netwrix Auditor Administration Guide

10. Additional Configuration

3. Right-click a newly created shortcut and select Properties.

4. In the Target field you will see a path to your executable. Add the following parameters after the
path.
/s:server_name /u:user_name /specify_creds

where:

l server_name—Replace with Netwrix Auditor Server name (computer that hosts Netwrix
Auditor Server) or its IP address.

l user_name—Replace with a Netwrix Auditor user who wants to log in.

For example, the Target field will show:


"C:\Program Files (x86)\Netwrix Auditor\Audit Intelligence\Audit
Intelligence.exe" /s:host.corp.local /u:corp\analyst /specify_creds

5. Click Apply.

You can create as many shortcuts with different parameters as needed. When you click the shortcut, the
product will start with pre-populated connection details.

10.4. Customize Branding


Netwrix Auditor allows customizing look and feel of your reports, search subscriptions and exported search
results— you can skip Netwrix logo, add your company logo and title. Nonetheless, users are not
empowered to customize layout or color scheme.

Review the following for additional information:

l Customize Branding in AuditIntelligence Outputs

l Customize Branding in Reports

10.4.1. Customize Branding in AuditIntelligence Outputs


You can customize branding for the following AuditIntelligence outputs:

l Search results delivered as pdf file in the search subscription email;

l Search results exported to pdf file;

l Risk Assessment dashboard exported to pdf file;

l Risk Assessment dashboard delivered in the subscription email;

l Overview dashboard exported to pdf file;

l Overview dashboard delivered in the subscription email.

Rebranding limitations and requirements to logo file

202/211
Netwrix Auditor Administration Guide

10. Additional Configuration

1. Make sure you have full Netwrix Auditor installation: Netwrix Auditor Server and Client to enable
rebranding.

2. Since Netwrix applies company's logo as is, keep in mind reasonable limitations of your logo
dimensions. You can find examples of appropriate logo files in the rebranding archive (file Logo.png).
Re-size your logo and verify that subscriptions emails and pdf files look fine after rebranding.

3. Only PNG images can be used as logo files.

4. Endure that image file is located in the default directory or custom folder. Consider the following:

l For subscription emails, just put the logo file to %ALLUSERSPROFILE%\Netwrix Auditor\Branding\
and run the script to update email look and feel.

l For exported pdf files, make sure that the logo file is located in the default directory for each
user that is going to work with exported search results, Risk Assessment and Overview
dashboards. Otherwise, specify custom path to logo file. Default path to logo for exported files is
%LOCALAPPDATA%\Netwrix Auditor\Audit Intelligence\Resources\.

To customize branding

1. On the computer where the Netwrix Auditor Server is installed, navigate to


%ALLUSERSPROFILE%\Netwrix Auditor\ and locate the Rebranding.zip package.

2. Unzip the package to any folder on the computer where Netwrix Auditor Server is installed.

3. Run SearchRebranding.ps1 considering the following:

l Use default paths to logo files—Run the script and type your company name as the report_
title.

l Use custom paths to logo files—run the script as follows:


SearchRebranding.ps1 - subscriptions_ logo_ path <custom_ path> - export_
logo_path <custom_path>

4. Generate any test subscription email or export a dashboard to pdf file to verify that rebranding
applied.

NOTE: To restore original look and feel, run the script and replace"True " with "False " in the "enabled "
section.

10.4.2. Customize Branding in Reports


By default, Netwrix Auditor reports look as follows:

203/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Report branding is customized on Netwrix Auditor Server side that means that all clients connected to this
server will have the same look and feel for reports.

To customize branding

1. On the computer where Netwrix Auditor Server resides, navigate to С:\Program Data\Netwrix
Auditor\Rebranding.

2. Right-click the Rebranding.ps1 script and select Edit. Windows PowerShell ISE will start.

3. Review the script and provide parameters.

Parameter Description

UseIntegratedSecurity Defines whether to use Windows Authentication when connecting


to SQL Server instance. Enabled by default.

UserName Defines a username used to connect to SQL Server instance in case


of SQL Server Authentication. Leave blank if you use Windows
Authentication.

Password Defines a password used to connect to SQL Server instance in case


of SQL Server Authentication. Leave blank if you use Windows
Authentication.

SQLServerInstance Defines a SQL Server instance where your Audit Database resides.
By default, local unnamed instance is selected.

DBName By default, the database responsible for Netwrix Auditor look and

204/211
Netwrix Auditor Administration Guide

10. Additional Configuration

Parameter Description

feel is Netwrix_CommonDB. If you renamed this database, provide


a new name.

HeaderImageFullPath Defines a full path to the png image with the new report header
(product logo). Supported size: 21x21px (WxH).

FooterImageFullPath Defines a full path to the png image with the new report footer
(logo). Supported size: 105x22px (WxH).

HeaderText Defines text in the report header. Max length: 21 characters.

FooterURL Defines URL that opens on clicking the report logo in the footer.

4. Click (Run Script). The user who runs the script is granted the db_owner role on the Netwrix_
CommonDB database.

After running the script, start the Netwrix Auditor client and generate a report. The branding will be
updated.

To restore original look and feel

1. On the computer where Netwrix Auditor Server resides, navigate to the script location.

2. Right-click a script and select Edit. Windows PowerShell ISE will start.

3. Run the script as it is. The user who runs the script must be granted the db_owner role on the
Common_DB database in a local unnamed SQL Server configured as default for Netwrix Auditor.

205/211
Netwrix Auditor Administration Guide

11. Appendix

11. Appendix
This section contains information out of the scope of Netwrix Auditor administration, but is beneficial to
Administrators to leverage full scope of the product capabilities. Review the following for additional
information:

l Network Traffic Compression

11.1. Network Traffic Compression


To reduce network traffic in distributed deployments, multi-site networks and other environments with
remote locations that have limited bandwidth, it is recommended to use network traffic compression. For
that purpose, special Netwrix utilities should be installed in the audited environment. These utilities will run
on the target computers (depending on your monitoring plan), collect, pre-filter data and send it to Netwrix
Auditor Server in a highly compressed format.

With network traffic compression, data from the target machines is collected simultaneously, providing for
network load balance and minimizing data collection time. (Unlike that, without network traffic
compression the target machines will be processed sequentially, i.e. one at a time.) So, network traffic
compression helps to increase scalability and optimize network traffic.

Its key capabilities are as follows:

l Allows Netwrix Auditor to collect detailed metrics for the servers, log files, hardware and individual
processes

l Collects audit data with no recognizable load on the server

l Communicates with Netwrix Auditor Server at predefined intervals, relaying data back to a central
repository for storage

Network traffic compression is available for the following data sources:

l Active Directory

l Exchange

l File Servers

l EMC

l NetApp

l Windows Server

l Event Logs

l Group Policy

l Logon Activity

206/211
Netwrix Auditor Administration Guide

11. Appendix

l SharePoint

l User Activity

To learn how to enable this feature, refer to the Settings for Data Collectionsection.

207/211
Netwrix Auditor Administration Guide

Index

Index Audit Database 115

Default settings 94

Audit, configure 123-124 , 126-127 , 129


A
AuditArchive
Active Directory
Investigations 100
Add data source 34
Automate sign-in 201
Exclude from auditing 161
Azure AD
Registry keys 191
Add data source 37
Roll back changes 156
Exclude from auditing 164
Activity Summary 89
B
Advanced configuration 160
Best practices
Advanced Configuration
Netwrork traffic compression 206
Audit archiving filters 142
Branding 202
Registry keys
Customize exported search results 202
Active Directory 191
Customize reports 203
Event logs 196
Browse audit data 91
Exchnage Server 193
C
File servers 195
Customize Netwrix Auditor client
Group Policy 197
Sign-in 201
Inactive Users 200
D
Logon Activity 201
Data Collection
Password Expiration 200
Launch data collection manually 88
Windows Server 196
Data sources 32
Alerts 148
Active Directory 34
Event Log
Azure AD 37
Create 145
EMC 42 , 75
Mailbox Access 150
Exchange 38
API 104
Exchange Online 40
Add data source 58
Group Policy 41

Logon Activity 46

208/211
Netwrix Auditor Administration Guide

Index

NetApp 42 , 75 Exclude from auditing 171

Netwrix API 58 F

Oracle Database 47 File Servers

SharePoint 48 Exclude from auditing 172

SharePoint Online 49 Registry keys 195

SQL Server 50 G

User Activity 52 Group Policy

VMware 54 Add data source 41

Windows File Servers 42 , 75 Exclude from auditing 187

Windows Server 55 Registry keys 197

Delegation 14 , 19 H

E Health Log 108-110 , 112 , 115

EMC Dashboard 119

Add data source 42 , 75 How it works 11

Exclude from auditing 172 I

Event Log Inactive User Tracker 129

Alerts Inactive Users in Active Directory 129

Create 145 Exclude from auditing 188

Audit archiving filters 142 Registry keys 200

Collect logs 138-139 Intelligence 91

DB_Importer 156 Investigations 100

Exclude data from auditing 186 Items 58

Registry keys 196 AD Container 60

Review Past Event Log Entries 156 Computer 62 , 64

Exchange Domain 64

Add data source 38 EMC Isilon 65

Exclude from auditing 166 EMC VNX/VNXe 67

Registry keys 193 Integration 86

Exchange Online IP Range 70

Add data source 40 NetApp 71

209/211
Netwrix Auditor Administration Guide

Index

Office 365 Tenant 77 Netwrix Auditor health 112

Oracle Database 78 Netwrix Auditor Health Log 108-110 , 112 , 115 ,


119
SharePoint Farm 78
Netwrix Auditor Health Status 115 , 117-118
SQL Server Instance 81
Netwrix Auditor System Health 148
VMware 82
Start Auditing System Health 145
Windows File Share 83
Netwrix Auditor tools
L
Event Log Manager 138
Launch 13
Inactive User Tracker 129
Licensing
Object Restore for Active Direcotry 156
Update licenses 104
Password Expiration Notifier 133
Logon Activity
O
Add data source 46
Omit lists
Omit lists 188
Active Directory 161
Registry keys 201
Azure AD 164
Long-Term Archive 117-118
Event logs 186
M
Exchange 166
Mailbox Access for Exchange
Exchange Online 171
Alerts 150
File Servers 172
Exclude users and mailboxes 168
Group Policy 187
Monitoring plan 112
Inactive Users in Active Directory 188
Add data source 32
Logon Activity 188
Add item 58
Mailbox Access 168
New 25
Oracle Database 174
Overview 24
Password Expiration in Active Directory 190
Settings 86
SharePoint 175
N

NDA 47 SharePoint Online 177

NetApp SQL Server 179

Add data source 42 , 75 VMware 183

Exclude data from auditing 172 Windows Server 185

210/211
Netwrix Auditor Administration Guide

Index

Oracle Database Settings 93

Add data source 47 Audit Database 94

Overview 8 Integrations 104

P Investigations 100

Password Expiration in Active Directory 133 Long-Term Archive 96

Exclude from auditing 190 Notifications 102

Registry keys 200 SharePoint

R Add data source 48

Registry keys Exclude from auditing 175

Active Directory 191 SharePoint Online

Event Log 196 Add data source 49

Exchnage 193 Exclude from auditing 177

File Servers 195 SMTP settings 102

Group Policy 197 SQL Server

Inactive Users in Active Directory 200 Add data source 50

Password Expiration in Active Directory 200 Exclude from reports 179

Windows Server 196 U

Reports Update status 88

Default settings 94 User Sessions

Import data to Audit Database 100 Add data source 52

RESTful API 104 V

Role-based access 14 VMware

Roles 14 Add data source 54

Assign 19 Exclude from auditing 183

Compare 15 W

Roll back changes Windows file servers

Active Directory Object Restore 156 Add data source 42 , 75

S Windows Server

Self-Audit 118 Add data source 55

Exclude data from reports 185

Registry keys 196

211/211

You might also like