
Components and Settings Monitored on Windows Server

Review a full list of all components and settings Netwrix Auditor can collect on Windows Server.

You can also configure Netwrix Auditor to audit custom registry keys. See To enable monitoring of custom registry keys for more information.

NOTE: A single asterisk is a wildcard that replaces any number of characters.

The Who value is reported as “Not Applicable” for the components and settings marked with double asterisks (**).

The Who value is reported for the components and settings marked with triple asterisks (***) if the DNS server runs Windows Server 2012 R2 with Microsoft update KB2956577 applied.

The Who value is reported as “Not Applicable” for DHCP server configuration events if the DHCP server runs on Windows Server 2008 or earlier.

For removable storage, the When value shows the actual time when the change was made and/or when the target server was started.

Object type / Attributes
General Computer Settings

Computer

  • System state changed to Started
  • System state changed to Stopped. Reason: <reason type>
  • System state changed to Stopped. Reason: unexpected shutdown or system failure

Computer Name

  • Computer Description
  • Name
  • Domain

Environment Variables

  • Type
  • Value

Event Log

  • Event Log Cleared

General

  • Caption
  • Organization
  • Registered User
  • Serial Number
  • Service Pack**
  • Version**

Remote

  • Enable Remote Desktop on this computer

Startup and Recovery

  • Automatically Restart
  • Dump File
  • Dump Type
  • Overwrite any existing file
  • Send Alert
  • System Startup Delay
  • Write an Event

System Time

  • System time changed from ... to ...
  • Time zone changed

    NOTE: Not supported on Windows Server 2008 SP2 and Windows Server 2008 R2.

Add / Remove Programs

Add or Remove Programs

  • Installed For**
  • Version

Services

System Service

  • Action in case of failed service startup
  • Action in case of service stopping
  • Allow service to interact with desktop
  • Caption
  • Created
  • Deleted
  • Description
  • Name
  • Path to executable
  • Service Account
  • Service Type
  • Start Mode
  • Error Control

Audit Policies

Local Audit Policy

  • Added Audit settings

    NOTE: Only for the Global Object Access Auditing advanced policies.

  • Successful audit enabled/disabled
  • Failure audit enabled/disabled

Per-User Local Audit Policy

  • Success audit include added
  • Success audit include removed
  • Failure audit include added
  • Failure audit include removed
  • Success audit exclude added
  • Success audit exclude removed
  • Failure audit exclude added
  • Failure audit exclude removed

Hardware

Base Board**

  • Hosting Board
  • Status
  • Manufacturer
  • Product
  • Version
  • Serial Number

BIOS**

  • Manufacturer
  • Version

Bus**

  • Bus Type
  • Status
Cache Memory**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Purpose
  • Status
CD-ROM Drive**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Media Type
  • Name
  • SCSI Bus
  • SCSI Logical Unit
  • SCSI Port
  • SCSI Target ID
  • Status
Disk Partition**
  • Primary Partition
  • Size (bytes)
  • Starting offset (bytes)
Display Adapter**
  • Adapter RAM (bytes)
  • Adapter Type
  • Bits/Pixel
  • Configuration Manager Error Code
  • Driver Version
  • Installed Drivers
  • Last Error Description
  • Last Error Code
  • Refresh Rate
  • Resolution
  • Status
DMA**
  • Status
Floppy Drive**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Status
Hard Drive**
  • Bytes/Sector
  • Configuration Manager Error Code
  • Interface Type
  • Last Error Description
  • Last Error Code
  • Media Loaded
  • Media Type
  • Model
  • Partitions
  • SCSI Bus
  • SCSI Logical Unit
  • SCSI Port
  • SCSI Target ID
  • Sectors/Track
  • Size (bytes)
  • Status
  • Total Cylinders
  • Total Heads
  • Total Sectors
  • Total Tracks
  • Tracks/Cylinder
IDE**
  • Configuration Manager Error Code
  • Description
  • Last Error Description
  • Last Error Code
  • Status
Infrared**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Status
Keyboard**
  • Configuration Manager Error Code
  • Description
  • Last Error Description
  • Last Error Code
  • Layout
  • Name
  • Status
Logical Disk**
  • Description
  • File System
  • Size (bytes)
  • Status
Monitor**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Monitor Type
  • Status
Network Adapter
  • Adapter Type
  • Configuration Manager Error Code
  • Default IP Gateway
  • DHCP Enabled
  • DHCP Server
  • DNS Server Search Order
  • IP Address
  • Last Error Description
  • Last Error Code
  • MAC Address
  • Network Connection Name
  • Network Connection Status
  • Service Name
  • Status
Network Protocol
  • Description
  • Status
Parallel Ports**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Status
PCMCIA Controller**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Status
Physical Memory**
  • Capacity (bytes)
  • Status
  • Manufacturer
  • Memory Type
  • Speed
  • Part Number
  • Serial Number
Pointing Device**
  • Configuration Manager Error Code
  • Double Click Threshold
  • Handedness
  • Hardware Type
  • Last Error Description
  • Last Error Code
  • Number of buttons
  • Status
Printing
  • Comment**
  • Hidden**
  • Local**
  • Location**
  • Name**
  • Network**
  • Port Name**
  • Printer error information
  • Published**
  • Shared**
  • Share Name**
  • Status
Processor**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Max Clock Speed (MHz)
  • Name
  • Status
SCSI**
  • Configuration Manager Error Code
  • Description
  • Last Error Description
  • Last Error Code
  • Status
Serial Ports**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Maximum Bits/Second
  • Name
  • Status
Sound Device**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Status
System Slot**
  • Slot Designation
  • Status
USB Controller**
  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Name
  • Status

USB Hub**

  • Configuration Manager Error Code
  • Last Error Description
  • Last Error Code
  • Name
  • Status

DHCP configuration
Server role
  • Added
  • Removed
DHCP scope
  • Type:
    • IPv4
    • Multicast IPv4
    • Superscope for IPv4
    • IPv6

Removable media**

Removable Storage Media

NOTE: Netwrix Auditor does not report on floppy disk, optical disk, or memory card storage media.

  • Device class:
    • CD and DVD
    • Floppy Drives
    • Removable Disk
    • Tape Drives
    • Windows Portable Devices

NOTE: When the Audit Object Access local audit policy and/or the Audit Central Access Policy Staging \ Audit Removable Storage advanced audit policies are enabled on the target server, running gpupdate /force restarts the removable storage devices. These restarts are reported in Netwrix Auditor reports, search, and activity summaries; they are system-initiated actions, not actions performed by a user.

Scheduled Tasks

Scheduled Task

  • Account Name
  • Application
  • Comment
  • Creator
  • Enabled
  • Parameters
  • Triggers

Local Users and Groups

Local Group

  • Description
  • Name
  • Members

Local User

  • Description
  • Disabled/Enabled
  • Full Name
  • Name
  • User cannot change password
  • Password Never Expires
  • User must change password at next logon

DNS Configuration***

DNS Server***

  • Address Answer Limit
  • Allow Update
  • Auto Cache Update
  • Auto Config File Zones
  • Bind Secondaries
  • Boot Method
  • Default Aging State
  • Default No Refresh Interval
  • Default Refresh Interval
  • Disable Auto Reverse Zones
  • Disjoint Nets
  • Ds Available
  • Ds Polling Interval
  • Ds Tombstone Interval
  • EDns Cache Timeout
  • Enable Directory Partitions
  • Enable Dns Sec
  • Enable EDns Probes
  • Enable Netmask Ordering
  • Event Log Level
  • Fail On Load If Bad Zone Data
  • Forward Delegations
  • Forwarders
  • Forwarding Timeout
  • Is Slave
  • Listen Addresses
  • Log File Max Size
  • Log File Path
  • Log Level
  • Loose Wildcarding
  • Max Cache TTL
  • Max Negative Cache TTL
  • Name Check Flag
  • No Recursion
  • Recursion Retry
  • Recursion Timeout
  • Round Robin
  • Rpc Protocol
  • Scavenging Interval
  • Secure Cache Against Pollution
  • Send Port
  • Server Addresses

DNS Zone***

  • Aging State
  • Allow update
  • Auto created
  • Data file name
  • Ds integrated
  • Expires after
  • Forwarder slave
  • Forwarder timeout
  • Master servers
  • Minimum TTL
  • No refresh interval
  • Notify
  • Notify servers
  • Owner name
  • Paused
  • Primary server
  • Refresh interval
  • Responsible person
  • Retry interval
  • Reverse
  • Scavenge servers
  • Secondary servers
  • Secure secondaries
  • Shutdown
  • TTL
  • Use NB stat
  • Use WINS
  • Zone type

DNS Resource Records***

DNS AAAA***

  • Container name
  • IPv6 Address
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS AFSDB***

  • Container name
  • Owner name
  • Server name
  • Server subtype
  • Record class
  • TTL
  • Zone type

DNS ATMA***

  • ATM Address
  • Container name
  • Format
  • Owner name
  • Record class
  • TTL
  • Value
  • Zone type

DNS A***

  • Container name
  • IP Address
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS CNAME***

  • Container name
  • FQDN for target host
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS DHCID***

  • Container name
  • DHCID (base 64)
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS DNAME***

  • Container name
  • FQDN for target domain
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS DNSKEY***

  • Algorithm
  • Container name
  • Key type
  • Key (base 64)
  • Name type
  • Owner name
  • Protocol
  • Record class
  • Signatory field
  • TTL
  • Zone type

DNS DS***

  • Algorithm
  • Container name
  • Data
  • Digest type
  • Key tag
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS HINFO***

  • Container name
  • CPU type
  • Operating system
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS ISDN***

  • Container name
  • ISDN phone number and DDI
  • ISDN subaddress
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS KEY***

  • Algorithm
  • Container name
  • Key type
  • Key (base 64)
  • Name type
  • Owner name
  • Protocol
  • Record class
  • Signatory field
  • TTL
  • Zone type

DNS MB***

  • Container name
  • Mailbox host
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS MD***

  • Container name
  • MD host
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS MF***

  • Container name
  • MF host
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS MG***

  • Container name
  • Member mailbox
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS MINFO***

  • Container name
  • Error mailbox
  • Owner name
  • Responsible mailbox
  • Record class
  • TTL
  • Zone type

DNS MR***

  • Container name
  • Owner name
  • Replacement mailbox
  • Record class
  • TTL
  • Zone type

DNS MX***

  • Container name
  • FQDN of mail server
  • Mail server priority
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS NAPTR***

  • Container name
  • Flag string
  • Order
  • Owner name
  • Preference
  • Record class
  • Regular expression string
  • Replacement domain
  • Service string
  • TTL
  • Zone type

DNS NS***

  • Container name
  • Name servers
  • Owner name
  • TTL

DNS NXT***

  • Container name
  • Next domain name
  • Owner name
  • Record class
  • Record types
  • TTL
  • Zone type

DNS PTR***

  • Container name
  • Owner name
  • PTR domain name
  • Record class
  • TTL
  • Zone type

DNS RP***

  • Container name
  • Mailbox of responsible person
  • Optional associated text (TXT) record
  • Owner name
  • Record class
  • TTL
  • Zone type

DNS RRSIG***

  • Algorithm
  • Container name
  • Key tag
  • Labels
  • Original TTL
  • Owner name
  • Record class
  • Signature expiration (GMT)
  • Signature inception (GMT)
  • Signature (base 64)
  • Signer's name
  • TTL
  • Type covered
  • Zone type

DNS RT***

  • Container name
  • Intermediate host
  • Owner name
  • Preference
  • Record class
  • TTL
  • Zone type

DNS SIG***

  • Algorithm
  • Container name
  • Key tag
  • Labels
  • Original TTL
  • Owner name
  • Record class
  • Signature expiration (GMT)
  • Signature inception (GMT)
  • Signature (base 64)
  • Signer's name
  • TTL
  • Type covered
  • Zone type

DNS SRV***

  • Container name
  • Host offering this service
  • Owner name
  • Port number
  • Priority
  • Record class
  • TTL
  • Weight
  • Zone type

DNS TEXT***

  • Container name
  • Owner name
  • Record class
  • Text
  • TTL
  • Zone type

DNS WINS***

  • Cache time-out
  • Container name
  • Do not replicate this record
  • Lookup time-out
  • Owner name
  • Record class
  • Wins servers
  • Zone type

DNS WKS***

  • Container name
  • IP address
  • Owner name
  • Protocol
  • Record class
  • Services
  • TTL
  • Zone type

DNS X25***

  • Container name
  • Owner name
  • Record
  • Record class
  • TTL
  • X.121 PSDN address
  • Zone type

File Shares

Share

  • Access-based enumeration
  • Caching
  • Description
  • Enable BranchCache
  • Encrypt data access
  • Folder path
  • Share permissions
  • User limit

To enable monitoring of custom registry keys

  1. On the computer where Netwrix Auditor Server resides, navigate to %Netwrix Auditor installation folder%\Windows Server Auditing.
  2. Edit the customregistrykeys.txt file.

    Review the following for additional information:

    File Syntax

    customregistrykeys.txt

    monitoring plan name, server name, registry key name

    • Each entry must be on a separate line.
    • Wildcards (* and ?) are supported in the monitoring plan name and server name fields, but not in the registry key name field. A backslash (\) must precede *, ?, a comma (,), and a backslash (\) when they are part of a field value.
    • Lines that start with the # sign are treated as comments and are ignored.

    For example (the leading # makes this sample line a comment; remove it to activate the entry):

    #*,productionserver1.corp.local,HKEY_LOCAL_MACHINE\\SYSTEM\\RNG
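The file syntax above is compact but easy to get wrong (an unescaped comma splits a plan name in two, a stray * in the key field is not a wildcard). The following is an added example, not Netwrix's own parser, that reads customregistrykeys.txt entries by the rules stated on this page and answers the question a practitioner actually has: which registry keys will be monitored for a given monitoring plan on a given server? Assumptions not stated on the page: plan and server names are matched case-insensitively (as Windows host names are), whitespace around a field is not significant, and a * or ? in the registry key field is rejected as an error rather than taken literally. The sample file contents are constructed for the example.

```python
"""Parse and evaluate customregistrykeys.txt entries (example code, not Netwrix's own parser)."""
import re
from dataclasses import dataclass

# Characters that must be backslash-escaped when they are part of a field value (per the page).
ESCAPABLE = {"*", "?", ",", "\\"}


@dataclass(frozen=True)
class RegistryKeyEntry:
    plan_regex: re.Pattern      # compiled from the monitoring plan name field (wildcards allowed)
    server_regex: re.Pattern    # compiled from the server name field (wildcards allowed)
    registry_key: str           # literal registry key path, escapes resolved, no wildcards
    line_no: int


def _split_unescaped_commas(line: str) -> list[str]:
    """Split a line into fields on commas that are not escaped; escape sequences stay intact."""
    fields, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in ESCAPABLE:
            buf.extend((ch, line[i + 1]))
            i += 2
        elif ch == ",":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    fields.append("".join(buf))
    return fields


def _wildcard_field_to_regex(field: str) -> re.Pattern:
    """Turn a plan/server field into an anchored regex: * -> any run, ? -> one char, \\x -> literal x."""
    out, i = [], 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field) and field[i + 1] in ESCAPABLE:
            out.append(re.escape(field[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    # Assumption: names are compared case-insensitively, as Windows host names are.
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def _literal_field(field: str) -> str:
    """Resolve escapes in the registry key field; wildcards are not supported there, so reject them."""
    out, i = [], 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field) and field[i + 1] in ESCAPABLE:
            out.append(field[i + 1])
            i += 2
            continue
        if ch in "*?":
            raise ValueError(f"wildcard {ch!r} is not allowed in the registry key field: {field!r}")
        out.append(ch)
        i += 1
    return "".join(out)


def parse_custom_registry_keys(text: str) -> list[RegistryKeyEntry]:
    """Parse file contents; blank lines and lines starting with # are ignored."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_unescaped_commas(line)
        if len(fields) != 3:
            raise ValueError(f"line {line_no}: expected 3 comma-separated fields, got {len(fields)}")
        plan, server, key = (f.strip() for f in fields)  # assumption: surrounding spaces are not significant
        entries.append(RegistryKeyEntry(_wildcard_field_to_regex(plan),
                                        _wildcard_field_to_regex(server),
                                        _literal_field(key), line_no))
    return entries


def keys_for(entries: list[RegistryKeyEntry], plan_name: str, server_name: str) -> list[str]:
    """Registry keys that would be monitored for the given monitoring plan on the given server."""
    return [e.registry_key for e in entries
            if e.plan_regex.match(plan_name) and e.server_regex.match(server_name)]


# Constructed sample file contents, modelled on the page's syntax (not a real deployment file).
SAMPLE = r"""
# monitoring plan name, server name, registry key name
*,productionserver1.corp.local,HKEY_LOCAL_MACHINE\\SYSTEM\\RNG
Prod Servers,srv-??.corp.local,HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\App
Lab\, East,*,HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM
"""

if __name__ == "__main__":
    for key in keys_for(parse_custom_registry_keys(SAMPLE), "Prod Servers", "srv-07.corp.local"):
        print(key)
```

Run the module directly to list the keys that the sample file assigns to the Prod Servers plan on srv-07.corp.local; feed `parse_custom_registry_keys` the real file's contents to check an edited file for malformed lines before Netwrix Auditor reads it.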
