How to Decide Whether to Feed Collected Data to Audit Database

When you create a monitoring plan, you can choose whether to enable complete visibility with reports and interactive search or to receive information on changes in email notifications. The second option is basic functionality that lets you review changes on a daily basis in an Activity Summary.

The Activity Summary email is generated automatically by Netwrix Auditor and lists all changes and recorded user sessions that occurred since the last Activity Summary delivery. By default, for most data sources an Activity Summary is generated daily at 3:00 AM and delivered to the specified recipients. You can also launch data collection and Activity Summary generation manually.

NOTE: Notifications on user activity and event log collection (Event Log Collection Status) are a bit different and do not show changes.

Intelligence is more advanced functionality that provides access to audit data collected over a longer period of time and brings complete visibility into your IT infrastructure. This functionality requires SQL Server and SSRS to be installed and configured in your network.

Both options (Activity Summaries and Intelligence) can be selected at the same time, or you can configure Netwrix Auditor only to send Activity Summaries by enabling the Disable security intelligence and make data available only in activity summaries option. Upon selecting this option, audit data will not be written to the Audit Database, and you will not be able to generate reports and run data searches in the Netwrix Auditor client, but you will still receive a full list of changes by email.

NOTE: Even if the Disable security intelligence and make data available only in activity summaries option is selected, your audit data will be stored in the Long-Term Archive, and you will be able to import this data into the Audit Database later using the Import Tool.

Review the table below and decide whether to use Activity Summaries only or to take advantage of the enhanced functionality.

| Activity Summaries only | Intelligence |
|---|---|
| You do not have to install and configure SQL Server and SSRS. | You must install and configure SQL Server and SSRS. This is done automatically during monitoring plan creation. |
| You can save disk space. | When planning capacity, make sure to allocate additional space on the server where the SQL Server instance resides. |
| • You are not interested in audit data older than 24 hours.<br>• Email is the most appropriate way to receive this information. | You are interested in multiple reports on all types of changes across your IT infrastructure. Depending on your goals and tasks, you can generate reports with custom filtering, investigate incidents and stay compliant with various standards and regulations (FISMA, HIPAA, PCI, SOX, etc.).<br>• You want to review diagrams on important statistics across all your IT infrastructure or within a selected data source.<br>• You want to view reports in a Web browser.<br>• You want to browse audit data with AuditIntelligence Search and immediately find the modifications that are important to you.<br>• You want to subscribe to important reports by email or publish them regularly to a file share, according to a user-defined schedule, with custom filters, and in a certain output format.<br>• You want to export and share your audit results with colleagues and managers.<br>• You want to receive alerts on threat patterns. |