Configure IT Infrastructure for Auditing and Monitoring

Netwrix Auditor relies on native logs for collecting audit data. Therefore, successful change and access auditing requires a certain configuration of native audit settings in the audited environment and on the computer where Netwrix Auditor Server resides. Configuring your IT infrastructure may also include enabling certain built-in Windows services, etc. Proper audit configuration is required to ensure audit data integrity, otherwise your change reports may contain warnings, errors or incomplete audit data.

You can configure your IT Infrastructure for monitoring in one of the following ways:

  • Automatically when creating a monitoring plan. This is a recommended method.

  • Manually. The table below lists the native audit settings that must be adjusted manually to ensure collecting comprehensive and reliable audit data. You can enable Netwrix Auditor to continually enforce the relevant audit policies or configure them manually.
Data source Required configuration

Active Directory (including Group Policy)

In the audited environment

See Configure Active Directory Domain for Monitoring for related settings and procedures.

TIP: Audit Configuration Assistant

  • If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Netwrix Auditor to clear the old backups automatically. For that, use the CleanAutoBackupLogs registry key, as described in the Registry Keys for Monitoring Active Directory section.

    NOTE: It is recommended that you adjust retention period for the backup files accordingly (default is 50 hours). See Adjust Security Event Log Size and Retention Settings

  • To provide for event data collection, the Secondary Logon service must be up and running . Open Administrative Tools Services, right-click the Secondary Logon service and on the General tab make sure that Startup type for this service is other than Disabled.

AD FS

In the audited environment

To configure AD FS farm, you will need to enable AD FS audit settings and set up Windows audit policy:

  1. AD FS audit settings must be configured on the primary AD FS server, i.e. on the first server you have set up in the farm:
    • To configure audit of AD FS 3.0 on Windows Server 2012 R2, use the following PowerShell cmdlet:

      Set-AdfsProperties -LogLevel Errors,FailureAudits,Verbose,SuccessAudits,Warnings

    • To configure audit of AD FS 4.0 on Windows Server 2016 or AD FS 5.0 on Windows Server 2019, use the following PowerShell cmdlets:

      Set-AdfsProperties -LogLevel Errors,FailureAudits,Verbose,SuccessAudits,Warnings

      Set-AdfsProperties –AuditLevel Verbose

  2. Windows Audit policy must be configured on each server in the farm. For all Windows server versions:
    • Run the auditpol utility with the following parameters:

      • auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

  3. Adjust log size and retention settings for Security log and for AD FS Admin log (under Applications and Service logs). See Adjusting Event Log Size and Retention Settings for details.

    4. NOTE: If AD FS Admin logging is disabled, you should enable it.

Azure AD

No special settings are required. Remember to do the following:

  1. Prepare a Data Collecting Account as described in For Azure AD Auditing section.
  2. Configure required protocols and ports, as described in this table.

Exchange

  • Install the ADSI Edit utility to the server from which configuration is performed if it is not a Domain Controller. See Install ADSI Edit for more information.

  • The following policies must be set to "Success" for the effective domain controllers policy:

    • Audit account management
    • Audit directory service access
  • The Audit logon events policy must be set to "Success" (or "Success" and "Failure") for the effective domain controllers policy.
  • The Advanced audit policy settings can be configured instead of basic.

  • The Maximum Security event log size must be set to 4GB. The retention method of the Security event log must be set to “Overwrite events as needed”.

  • Auto archiving must be enabled to prevent audit data loss if log overwrites occur.
  • The Object-level audit settings must be configured for the Domain, Configuration and Schema partitions.
  • The AD tombstoneLifetime attribute must be set to "730".

  • If you have an on-premises Exchange server 2019, 2016, 2013 or 2010 in your Active Directory domain, consider that some changes can be made via that Exchange server. To be able to audit and report who made those changes, you should configure the Exchange Administrator Audit Logging (AAL) settings, as described in Configure Exchange Administrator Audit Logging Settings.

  • The Administrator Audit Logging settings must be configured (only required for Exchange 2019, 2016, 2013 or 2010).

  • In order to audit mailbox access, native audit logging must be enabled for user, shared, equipment, linked, and room mailboxes.

    • Access types: administrator , delegate user

    • Actions: Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create

  • If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Netwrix Auditor to clear the old backups automatically. For that, use the CleanAutoBackupLogs registry key, as described in the Registry Keys for Monitoring Active Directory section.

    NOTE: It is recommended that you adjust retention period for the backup files accordingly (default is 50 hours). See Adjust Security Event Log Size and Retention Settings

  • To provide for event data collection, the Secondary Logon service must be up and running . Open Administrative Tools Services, right-click the Secondary Logon service and on the General tab make sure that Startup type for this service is other than Disabled.

Exchange Online

  • If you plan to audit non-owner mailbox access within your Exchange Online organization, native audit logging must be enabled for user, shared, equipment, linked, and room mailboxes.

    • Access types: administrator , delegate user

    • Actions: Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create

Depending on authentication type (basic or modern) and deployment scenario, you will need to perform related configuration procedures. See For Exchange Online Auditing

Remember to do the following:

  1. Prepare a Data Collecting Account as described in For Exchange Online Auditing section.
  2. Configure required protocols and ports, as described in Protocols and Ports Required for Monitoring Office 365

Windows File Servers

  • For a security principal (e.g., Everyone), the following options must be configured in the Advanced Security Auditing settings for the audited shared folders:

    List Folder / Read Data (Files only) "Success" and "Fail"
    List Folder / Read Data (This folder, subfolders and files) "Fail"
    Create Files / Write Data* "Success" and "Fail"
    Create Folders / Append Data* "Success" and "Fail"

    Write Extended Attributes*

    		 "Success" and "Fail"

    Delete Subfolders and Files*

    		 "Success" and "Fail"

    Delete*

    		 "Success" and "Fail"

    Change Permissions*

    		 "Success" and "Fail"

    Take Ownership*

    		 "Success" and "Fail"

    NOTE: Select "Fail" only if you want to track failure events, it is not required for success events monitoring.

    If you want to get only state-in-time snapshots of your system configuration, limit your settings to the permissions marked with * and set it to "Success" (Apply onto: This folder, subfolders and files).

  • The following Advanced audit policy settings must be configured:

    • The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.

    • Depending on your OS version, configure the categories as follows:

      Windows Server 2008
      Object Access
      Audit File Share "Success"
      Audit File System "Success" and "Failure"
      Audit Handle Manipulation "Success" and "Failure"
      Logon/Logoff
      Logon "Success"
      Logoff "Success"
      Policy Change
      Audit Audit Policy Change "Success"
      System
      Security State Change "Success"
      Windows Server 2008 R2 / Windows 7 and above
      Object Access
      Audit File Share "Success"
      Audit File System "Success" and "Failure"
      Audit Handle Manipulation "Success" and "Failure"
      Audit Detailed file share "Failure"
      Logon/Logoff
      Logon "Success"
      Logoff "Success"
      Policy Change
      Audit Audit Policy Change "Success"
      System
      Security State Change "Success"

      If you want to get only state-in-time snapshots of your system configuration, limit your audit settings to the following policies:

      Object Access

      Audit File System

      "Success"

      Audit Handle Manipulation

      		 "Success"

      Audit File Share

      		 "Success"

      Policy Change

      Audit Audit Policy Change

      "Success"

  • The following legacy policies can be configured instead of advanced:

    • Audit object access policy must set to "Success" and "Failure".

    • Audit logon events policy must be set to "Success".

    • Audit system events policy must be set to "Success".

    • Audit policy change must be set to "Success".

  • The Security event log maximum size must be set to 4GB. The retention method of the Security event log must be set to “Overwrite events as needed”.

  • The Remote Registry service must be started.
  • The following inbound Firewall rules must be enabled:
    • Remote Event Log Management (NP-In)*
    • Remote Event Log Management (RPC)*
    • Remote Event Log Management (RPC-EPMAP)*
    • Windows Management Instrumentation (ASync-In)
    • Windows Management Instrumentation (DCOM-In)
    • Windows Management Instrumentation (WMI-In)

    • Network Discovery (NB-Name-In)

    • File and Printer Sharing (NB-Name-In)

    • File and Printer Sharing (Echo Request - ICMPv4-In)

    • File and Printer Sharing (Echo Request - ICMPv6-In)

      NOTE: The rules marked with * are required only if you do not want to use network traffic compression for auditing.

      NOTE: If you plan to audit Windows Server 2019 or Windows 10 Update 1803 without network compression service, make sure the following inbound connection rules are enabled:

      • Remote Scheduled Tasks Management (RPC)
      • Remote Scheduled Tasks Management (RPC-EMAP)
  • If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations must be enabled on the computer that hosts Netwrix Auditor Server. See Enable Symbolic Link Evaluations for more information.

EMC Isilon

  • CIFS Network Protocol support is required.

  • Create a shared directory /ifs/.ifsvar/audit/ on your cluster.

    NOTE: Use SMB (CIFS) protocol for sharing.

  • The following filters for auditing protocol operations that succeeded/failed must be enabled for audited access zones on your cluster:

    • Audit Success: read, write, delete, set_security, rename

    • Audit Failure: read, create, write, delete, set_security, rename

  • If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations must be enabled on the computer that hosts Netwrix Auditor Server. See Enable Symbolic Link Evaluations for more information.

EMC VNX/VNXe/Unity

  • CIFS Network Protocol support is required.

  • Security Event Log Maximum Size must be set to 4GB.

  • The Audit object access policy must be set to "Success" and "Failure" in the Group Policy of the OU where the audited EMC VNX/VNXe/Unity/Celerra appliance belongs to.

  • Audit settings must be configured for CIFS File Shares. For a security principal (e.g., Everyone), the following options must be set to "Success" and "Fail" in the Advanced Security Auditing settings for the audited shared folders:

    • List Folder / Read Data (Files only)

    • Create Files / Write Data

    • Create Folders / Append Data

    • Write Attributes

    • Write Extended Attributes

    • Delete Subfolders and Files

    • Delete

    • Change Permissions

    • Take Ownership

  • If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations must be enabled on the computer that hosts Netwrix Auditor Server. See Enable Symbolic Link Evaluations for more information.

NetApp
  • CIFS Network Protocol support is required.

  • Qtree Security must be configured. The volume where the audited file shares are located must be set to the "ntfs" or "mixed" security style.

  • On Data ONTAP 7 and Data ONTAP 8 in 7-mode:

    • The httpd.admin.enable or the httpd.admin.ssl.enable option must be set to "on". For security reasons, it is recommended to configure SSL access and enable the httpd.admin.ssl.enable option.

    • The cifs.audit.liveview.enable option must be set to "off".

    • The cifs.audit.enable and the cifs.audit.file_access_events.enable options must be set to "on".

    • Unless you are going to audit logon events, the cifs.audit.logon_events.enable and the cifs.audit.account_mgmt_events.enable options must be set to "off".

    • The Security log must be configured:

      • cifs.audit.logsize 300 000 000 (300 MB)

      • cifs.audit.autosave.onsize.enable on

      • cifs.audit.autosave.file.extension timestamp

  • On Clustered Data ONTAP 8 and ONTAP 9:

    • External Web Services: true.

      For security reasons, it is recommended to enable only SSL access.

    • Firewall policy for data interfaces must be configured to allow ONTAPI protocol connections.

    • Audit settings must be configured as follows:

      Auditing State: true
      Log Destination Path: /audit
      Categories of Events to Audit: file-ops, cifs-logon-logoff
      Log Format: evtx
      Log File Size Limit:300MB

  • Audit settings must be configured for CIFS File Shares. For a security principal (e.g., Everyone), the following options must be set to "Success" and "Fail" in the Advanced Security Auditing settings for the audited shared folders:

    • List Folder / Read Data (Files only)
    • Create Files / Write Data
    • Create Folders / Append Data
    • Write Extended Attributes
    • Delete Subfolders and Files
    • Delete
    • Change Permissions
    • Take Ownership
  • If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations must be enabled on the computer that hosts Netwrix Auditor Server. See Enable Symbolic Link Evaluations for more information.

Nutanix File Server
  • To allow inbound connections to Netwrix Auditor server from Nutanix File Server, a TCP port must be open:
  • Target Nutanix File Server must be located in the same subnet as Netwrix Auditor Server and must be configured as described in the Configure Nutanix File Server for Monitoring section.

Network Devices

For Cisco ASA:

  • The global configuration mode is selected.

  • The logging enable option is selected on the Cisco ASA device.

  • The logging host parameter is set to the host address of the audited CiscoASA device. And UDP port (for, example 514) is used for sending messages.

    NOTE: Do not select the EMBLEM format logging for the syslog server option.

  • The logging timestamp option enabled.
  • The logging trap option is selected from 1 to 6 inclusive.

For Cisco IOS:

  • The global configuration mode is selected.
  • The logging timestamp option enabled.
  • The logging trap option is selected from 1 to 6 inclusive.
  • The logging host parameter is set to the host address where the service is going to be installed. And UDP port (for, example 514) is used for sending messages.

For Fortinet Fortigate:

The target Fortinet Fortigate device must be configured via Command Line Interface (CLI) as described in the Configure Fortinet FortiGate Devices section.

For PaloAlto:

Create a Syslog Server profile and syslog forwarding for the target PaloAlto device via Web Interface as described in the Configure PaloAlto Devices section.

For Juniper:

The target Juniper device must be configured via JunOS Command Line Interface (CLI) as described in the Configure Juniper Devices section.

For SonicWall:

Configure log settings, depending on your device type. See Configure Network Devices for Monitoring for more information.

Oracle Database

In the audited environment

Required settings are described in the Configure Oracle Database for Monitoring section.

On the computer where Netwrix Auditor Server is installed:

Verify that Oracle Data Provider for .NET and Oracle Instant Client are installed and properly configured.

See Oracle Database section of system requirements.

SharePoint

  • The Audit Log Trimming setting must be set to "Yes" and Specify the number of days of audit log data to retain must be set to 7 days.
  • The Editing users and permissions option must be enabled.
  • For auditing read access events only: The Opening or downloading documents, viewing items in lists, or viewing item properties option must be enabled.

  • The SPAdminV4 service must be enabled (required for the Netwrix Auditor Core Service for SharePoint installation).

SharePoint Online (including OneDrive for Business)

In the cloud:

No special configuration required.

Remember to do the following:

  1. Prepare a Data Collecting Account as described in For SharePoint Online Auditing section.
  2. Configure required protocols and ports, as described in Protocols and Ports Required for Monitoring Office 365

SQL Server

Required settings are described in the Configure SQL Server for Monitoring section.

VMware

No configuration required

Windows Server (including DNS, DHCP and removable media)
  • The Remote Registry and the Windows Management Instrumentation (WMI) service must be started.
  • The following advanced audit policy settings must be configured:
    • The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.
    • For Windows Server 2008—The Object Access, Account Management, and Policy Change categories must be disabled while the Security Group Management, User Account Management, Handle Manipulation, Other Object Access Events, Registry, File Share, and Audit Policy Change subcategories must be enabled for "Success".
    • For Windows Server 2008 R2 / Windows 7 and aboveAudit Security Group Management, Audit User Account Management, Audit Handle Manipulation, Audit Other Object Access Events, Audit Registry, Audit File Share, and Audit Audit Policy Change advanced audit policies must be set to "Success".

  • The following legacy audit policies can be configured instead of advanced: Audit object access, Audit policy change, and Audit account management must be set to "Success".

  • The Enable Persistent Time Stamp local group policy must be enabled.
  • The Application, Security, and System event log maximum size must be set to 4 GB. The retention method must be set to “Overwrite events as needed”.
  • For auditing scheduled tasks, the Microsoft-Windows-TaskScheduler/Operational event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.
  • For auditing DHCP, the Microsoft-Windows-Dhcp-Server/Operational event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.
  • For auditing DNS, the Microsoft-Windows-DNS-Server/Audit event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.
  • The following inbound Firewall rules must be enabled:
    • Remote Event Log Management (NP-In)
    • Remote Event Log Management (RPC)
    • Remote Event Log Management (RPC-EPMAP)
    • Windows Management Instrumentation (ASync-In)
    • Windows Management Instrumentation (DCOM-In)
    • Windows Management Instrumentation (WMI-In)

    • Network Discovery (NB-Name-In)

    • File and Printer Sharing (NB-Name-In)

    • Remote Service Management (NP-In)

    • Remote Service Management (RPC)

    • Remote Service Management (RPC-EPMAP)

    • Performance Logs and Alerts (DCOM-In)
    • Performance Logs and Alerts (TCP-In)

    NOTE: If the audited servers are behind the Firewall, review the list of protocols and ports required for Netwrix Auditor and make sure that these ports are opened. See Protocols and Ports Required for Netwrix Auditor Server for more information.

  • For auditing removable storage media, two Event Trace Session objects must be created.

NOTE: If you want to use Network traffic compression, make sure that the Netwrix Auditor Server is accessible by its FQDN name.

Event Log (including Cisco)

  • For Windows-based platforms: the Remote Registry service must be running and its Startup Type must be set to "Automatic".

  • For Syslog-based platforms: the Syslog daemon must be configured to redirect events.

IIS

  • The Remote Registry service must be running and its Startup Type must be set to "Automatic".

  • The Microsoft-IIS-Configuration/Operational log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.

Logon Activity

  • The following policies must be set to "Success" and "Failure" for the effective domain controllers policy:

    • Audit Logon Events
    • Audit Account Logon Events
  • The Audit system events policy must be set to "Success" for the effective domain controllers policy.
  • The Advanced audit policy settings can be configured instead of basic.

  • The Maximum Security event log size must be set to 4GB. The retention method of the Security event log must be set to “Overwrite events as needed” or "Archive the log when full".

  • The following Windows Firewall inbound rules must be enabled:

    • Remote Event Log Management (NP-In)
    • Remote Event Log Management (RPC)
    • Remote Event Log Management (RPC-EPMAP)

User Activity

  • The Windows Management Instrumentation and the Remote Registry service must be running and their Startup Type must be set to "Automatic".
  • The File and Printer Sharing and the Windows Management Instrumentation features must be allowed to communicate through Windows Firewall.

  • Local TCP Port 9003 must be opened for inbound connections.

  • Remote TCP Port 9004 must be opened for outbound connections.
  • The Windows Management Instrumentation and the Remote Registry services must be running and their Startup Type must be set to "Automatic".
  • The File and Printer Sharing and the Windows Management Instrumentation features must be allowed to communicate through Windows Firewall.
  • Local TCP Port 9004 must be opened for inbound connections.