Go Up
You are here: AdministrationMonitored Object Types, Actions, and AttributesFile Servers

Object Types and Attributes Monitored on File Servers

Currently, there are some peculiarities of file servers data collection and reporting:

  1. For the Windows-based file servers running Windows Server 2008, NetApp appliances, and EMC storages, changes to file shares are reported without who. The following is displayed instead:
    • for Windows Server - "System"
    • for NetApp appliances - "System" or "Not applicable"
    • for EMC storages - "Not applicable"
  2. For storage systems mentioned above, Netwrix Auditor displays not the actual time when the event occurred but data collection time.
  3. If a file server is running Windows Server 2008 SP2, Netwrix Auditor may be unable to retrieve workstation name for failed read attempts.
  4. Due to Windows limitations, the copy/rename/move actions on remote file shares may be reported as two sequential actions: copy as adding a new file and reading the former file; renaming\moving as removing the former file and adding a new file with the same name.
  5. To report on copy actions on remote file shares, make sure that audit of successful read operations is enabled. See Configure Object-Level Access Auditing for details.
  6. If planning to monitor folders, consider that the Reparse point attribute content will be available for reviewing only if you have Collect data for state-in-time reports option selected for the data source in the monitoring plan (see File Servers for details). Also, mind that reparse point content changes cannot be audited.

Review a full list of object types Netwrix Auditor can audit on file servers.

NOTE: For more information on the Attributes marked with * in the table below, refer to this Microsoft article.

Object type Attributes

File

  • Attributes*
  • Location
  • Name
  • Ownership
  • Permissions:

    • Group Permissions
    • User Permissions
  • Primary Group
  • Security descriptor control flags

  • Size

Folder

  • Attributes*

    NOTE: The Reparse point attribute content is available for reviewing only when State-In-Time snapshot collection is enabled. Mind that reparse point content changes cannot be audited.

  • Location
  • Name
  • Ownership
  • Permissions:

    • Group Permissions
    • User Permissions
  • Primary Group
  • Security descriptor control flags

Share

  • Access-based Enumeration

  • Caching

  • Continuous Availability

  • Description

  • Enable BranchCache

  • Encrypt Data Access

  • Local Path
  • User Limit

In addition to general object attributes, Netwrix Auditor generates the following attributes associated with the object and reserved for internal use.

  • Session ID—GUID generated by the product and can be helpful if you have to review large amount of changes and need to distinguish those made within one session.
  • Statement ID—This attribute appears when an object was moved/renamed due to its root object modifications.

Also, state-in-time data collection is supported for Windows-based file servers, NetApp and EMC storage systems.

Go Up