On a high level, the Netwrix Auditor data collection works as follows:
Once a monitoring plan is created, a data source is specified, and an item is added, Netwrix Auditor Server starts collecting data from that item: an Active Directory domain or organizational unit, a server, a SharePoint farm, an Office 365 tenant, a VMware Virtual Center, etc.
The first data collection gathers information on the data source's current configuration state. Netwrix Auditor uses this information as a benchmark to collect data on changes to the audited environment. After the first data collection has finished, an email notification is sent to the specified recipients stating that the analysis has completed.
For monitoring SharePoint farms and User Activity, Netwrix Auditor employs a different data collection method. It requires a Core Service to be installed on the monitored computers or SharePoint server. The Core Service starts collecting data immediately and does not require the first data collection to be run to gather information on the data source's current configuration state. See Network Traffic Compression for more information.
- For all data sources, the latest data collection status can be reviewed in any Netwrix Auditor client, whether remote or installed alongside Netwrix Auditor Server. To do so, navigate to the monitoring plan that includes the data source whose data collection status you want to check, and review the Status column. The status is updated automatically every time you navigate to the monitoring plan page.
- For most data sources, collected data is uploaded to the Audit Database every 10-30 minutes. After this period, it becomes available for search and reporting.
If a critical action is detected or a threshold is reached, an email notification (an alert) is sent to the specified recipients. Make sure you have enabled one of the predefined alerts or configured your own custom alerts. The alerts that are included in the Behavior Anomalies assessment appear in the Behavior Anomalies dashboard.
Typically, the product generates and sends an Activity Summary once a day (by default, at 3 AM). The notification lists all activity that occurred during this period.
If the state-in-time functionality is enabled, Netwrix Auditor also writes a state-in-time snapshot of the data source's current state to the Audit Database. Typically, the full snapshot is written once a day, along with Activity Summary delivery, and it is updated several times a day.
NOTE: This functionality is currently available for the following data sources:
- Active Directory
- File Servers
- Windows Server
- Group Policy