
Configure IT Infrastructure for Auditing and Monitoring

Netwrix Auditor relies on native logs for collecting audit data. Successful change and access auditing therefore requires specific native audit settings in the audited environment and on the computer where Netwrix Auditor Server resides. Configuring your IT infrastructure may also include enabling certain built-in Windows services. Proper audit configuration is required to ensure audit data integrity; otherwise, your change reports may contain warnings, errors or incomplete audit data.

You can configure your IT Infrastructure for monitoring in one of the following ways:

  • Automatically when creating a monitoring plan. This method is recommended for evaluation purposes in test environments.

  • Manually. The table below lists the native audit settings that must be adjusted manually to ensure that comprehensive and reliable audit data is collected. You can enable Netwrix Auditor to continually enforce the relevant audit policies or configure them manually.

Data source Required configuration

Active Directory (including Group Policy)

AD FS

In the audited environment

To configure an AD FS farm, you will need to enable AD FS audit settings and set up Windows audit policy:

  1. AD FS audit settings must be configured on the primary AD FS server, i.e. on the first server you have set up in the farm:
    • To configure audit of AD FS 3.0 on Windows Server 2012 R2, use the following PowerShell cmdlet:

    Set-AdfsProperties -LogLevel Errors,FailureAudits,Verbose,SuccessAudits,Warnings

    • To configure audit of AD FS 4.0 on Windows Server 2016 or AD FS 5.0 on Windows Server 2019, use the following PowerShell cmdlets:

    Set-AdfsProperties -LogLevel Errors,FailureAudits,Verbose,SuccessAudits,Warnings

    Set-AdfsProperties -AuditLevel Verbose

  2. Windows Audit policy must be configured on each server in the farm. For all Windows server versions:
    • Run the auditpol utility with the following parameters:

    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

  3. Adjust log size and retention settings for Security log and for AD FS Admin log (under Applications and Service logs). See Adjusting Event Log Size and Retention Settings for details.
  NOTE: If AD FS Admin logging is disabled, you should enable it.
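
To confirm that the AD FS settings above took effect on a given server, a read-only check such as the following can be run in an elevated PowerShell session. This is an added example, not part of the Netwrix documentation or product; it assumes the AD FS PowerShell module is available and that auditpol output is in English.

```powershell
# Added example: read-only verification of the AD FS audit settings listed above.
$required = 'Errors','FailureAudits','Verbose','SuccessAudits','Warnings'
$results  = @()

# Step 1: AD FS properties (check on the primary AD FS server).
$adfs    = Get-AdfsProperties
$missing = @($required | Where-Object { $adfs.LogLevel -notcontains $_ })
$results += [pscustomobject]@{
    Check  = 'AD FS LogLevel'
    Pass   = ($missing.Count -eq 0)
    Detail = if ($missing.Count) { "Missing: $($missing -join ',')" } else { 'All required levels set' }
}
# AuditLevel exists only on AD FS 4.0 and later, so skip it where the property is absent.
if ($adfs.PSObject.Properties.Name -contains 'AuditLevel') {
    $results += [pscustomobject]@{
        Check  = 'AD FS AuditLevel'
        Pass   = ($adfs.AuditLevel -contains 'Verbose')
        Detail = "Current: $($adfs.AuditLevel -join ',')"
    }
}

# Step 2: Windows audit policy (check on every server in the farm).
# /r emits CSV; the 'Inclusion Setting' text is assumed to be English.
$policy  = auditpol.exe /get /subcategory:"Application Generated" /r |
           Where-Object { $_ } | ConvertFrom-Csv
$setting = $policy.'Inclusion Setting'
$results += [pscustomobject]@{
    Check  = 'Audit policy: Application Generated'
    Pass   = ($setting -eq 'Success and Failure')
    Detail = "Current: $setting"
}

# Step 3 and the note: both logs must exist and be enabled. Size and retention mode
# are reported for review against your own retention settings, not pass/fail tested.
foreach ($name in 'Security','AD FS/Admin') {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "Event log '$name'"
        Pass   = [bool]($log -and $log.IsEnabled)
        Detail = if ($log) {
            "Enabled=$($log.IsEnabled); MaxSizeMB=$([math]::Round($log.MaximumSizeInBytes / 1MB)); Mode=$($log.LogMode)"
        } else { 'Log not found' }
    }
}

$results | Format-Table -AutoSize -Wrap
```

Any row with Pass = False points to the step above that still needs to be applied on that server.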

Azure AD

For Azure AD auditing, no special settings are required. However, remember to do the following:

  1. Configure data collecting account, as described in Configure Data Collecting Account.
  2. Configure required protocols and ports, as described in this table.

Exchange

Exchange Online

Remember to do the following:

  1. Check that the Data Collection Account meets the requirements specified in Configure Data Collecting Account for Exchange Online. You may need to take the steps described in Assigning Office 365 Management Roles.
  2. Configure required protocols and ports, as described in Protocols and Ports Required for Monitoring Office 365.

Windows File Servers

EMC Isilon

EMC VNX/VNXe

NetApp

Nutanix File Server

  • To allow inbound connections to Netwrix Auditor server from Nutanix File Server, a TCP port must be open:
  • Target Nutanix File Server must be located in the same subnet as Netwrix Auditor Server and must be configured as described in the Configure Nutanix File Server for Monitoring section.

Network Devices

Oracle Database

SharePoint

SharePoint Online (including OneDrive for Business)

In the cloud:

No special configuration required.

Remember to do the following:

  1. Check that the Data Collection Account meets the requirements specified in Configure Data Collecting Account for SharePoint Online. You may need to take the steps described in Assigning Azure AD Administrative Roles.
  2. Configure required protocols and ports, as described in Protocols and Ports Required for Monitoring Office 365.

SQL Server

No special configuration required.

NOTE: If you plan to audit a SQL Server for data changes and browse the results using 'Before' and 'After' filter values, make sure that the audited SQL database tables have a primary key (or a unique column). Otherwise, 'Before' and 'After' values will not be reported.

VMware

No configuration required.

Windows Server (including DNS, DHCP and removable media)

Event Log (including Cisco)

IIS

Logon Activity

User Activity

Refer to the following topics for detailed instructions depending on the system you are going to audit:
