Configure IT Infrastructure for Auditing and Monitoring

• If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Netwrix Auditor to clear the old backups automatically. For that, use the CleanAutoBackupLogs registry key, as described in the Registry Keys for Monitoring Active Directory section.

  NOTE: It is recommended that you adjust retention period for the backup files accordingly (default is 50 hours). See Adjust Security Event Log Size and Retention Settings

• To provide for event data collection, the Secondary Logon service must be up and running . Open Administrative Tools → Services, right-click the Secondary Logon service and on the General tab make sure that Startup type for this service is other than Disabled.

• Install the ADSI Edit utility to the server from which configuration is performed if it is not a Domain Controller. See Install ADSI Edit for more information.

• The following policies must be set to "Success" for the effective domain controllers policy:

  • Audit account management
  • Audit directory service access
• The Audit logon events policy must be set to "Success" (or "Success" and "Failure") for the effective domain controllers policy.
• The Advanced audit policy settings can be configured instead of basic.

• The Maximum Security event log size must be set to 4GB. The retention method of the Security event log must be set to “Overwrite events as needed”.

• Auto archiving must be enabled to prevent audit data loss if log overwrites occur.
• The Object-level audit settings must be configured for the Domain, Configuration and Schema partitions.
• The AD tombstoneLifetime attribute must be set to "730".

• If you have an on-premises Exchange server 2019, 2016, 2013 or 2010 in your Active Directory domain, consider that some changes can be made via that Exchange server. To be able to audit and report who made those changes, you should configure the Exchange Administrator Audit Logging (AAL) settings, as described in Configure Exchange Administrator Audit Logging Settings.

• The Administrator Audit Logging settings must be configured (only required for Exchange 2019, 2016, 2013 or 2010).

• In order to audit mailbox access, native audit logging must be enabled for user, shared, equipment, linked, and room mailboxes.

  • Access types: administrator , delegate user

  • Actions: Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create

• If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Netwrix Auditor to clear the old backups automatically. For that, use the CleanAutoBackupLogs registry key, as described in the Registry Keys for Monitoring Active Directory section.

  NOTE: It is recommended that you adjust retention period for the backup files accordingly (default is 50 hours). See Adjust Security Event Log Size and Retention Settings

• To provide for event data collection, the Secondary Logon service must be up and running . Open Administrative Tools → Services, right-click the Secondary Logon service and on the General tab make sure that Startup type for this service is other than Disabled.

• If you plan to audit non-owner mailbox access within your Exchange Online organization, native audit logging must be enabled for user, shared, equipment, linked, and room mailboxes.

  • Access types: administrator , delegate user

  • Actions: Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create

Depending on authentication type (basic or modern) and deployment scenario, you will need to perform related configuration procedures. See For Exchange Online Auditing

• For a security principal (e.g., Everyone), the following options must be configured in the Advanced Security → Auditing settings for the audited shared folders:

  List Folder / Read Data (Files only)	"Success" and "Fail"
  List Folder / Read Data (This folder, subfolders and files)	"Fail"
  Create Files / Write Data*	"Success" and "Fail"
  Create Folders / Append Data*	"Success" and "Fail"
  Write Extended Attributes*	"Success" and "Fail"
  Delete Subfolders and Files*	"Success" and "Fail"
  Delete*	"Success" and "Fail"
  Change Permissions*	"Success" and "Fail"
  Take Ownership*	"Success" and "Fail"

  NOTE: Select "Fail" only if you want to track failure events, it is not required for success events monitoring.

  If you want to get only state-in-time snapshots of your system configuration, limit your settings to the permissions marked with * and set it to "Success" (Apply onto: This folder, subfolders and files).

• The following Advanced audit policy settings must be configured:

  • The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.

  • Depending on your OS version, configure the categories as follows:

    Windows Server 2008
    Object Access
    Audit File Share	"Success"
    Audit File System	"Success" and "Failure"
    Audit Handle Manipulation	"Success" and "Failure"
    Logon/Logoff
    Logon	"Success"
    Logoff	"Success"
    Policy Change
    Audit Audit Policy Change	"Success"
    System
    Security State Change	"Success"
    Windows Server 2008 R2 / Windows 7 and above
    Object Access
    Audit File Share	"Success"
    Audit File System	"Success" and "Failure"
    Audit Handle Manipulation	"Success" and "Failure"
    Audit Detailed file share	"Failure"
    Logon/Logoff
    Logon	"Success"
    Logoff	"Success"
    Policy Change
    Audit Audit Policy Change	"Success"
    System
    Security State Change	"Success"

    If you want to get only state-in-time snapshots of your system configuration, limit your audit settings to the following policies:

    Object Access
    Audit File System	"Success"
    Audit Handle Manipulation	"Success"
    Audit File Share	"Success"
    Policy Change
    Audit Audit Policy Change	"Success"

• The following legacy policies can be configured instead of advanced:

  • Audit object access policy must set to "Success" and "Failure".

  • Audit logon events policy must be set to "Success".

  • Audit system events policy must be set to "Success".

  • Audit policy change must be set to "Success".

• The Security event log maximum size must be set to 4GB. The retention method of the Security event log must be set to “Overwrite events as needed”.

• The Remote Registry service must be started.
• The following inbound Firewall rules must be enabled:
  • Remote Event Log Management (NP-In)*
  • Remote Event Log Management (RPC)*
  • Remote Event Log Management (RPC-EPMAP)*
  • Windows Management Instrumentation (ASync-In)
  • Windows Management Instrumentation (DCOM-In)
  • Windows Management Instrumentation (WMI-In)

  • Network Discovery (NB-Name-In)

  • File and Printer Sharing (NB-Name-In)

  • File and Printer Sharing (Echo Request - ICMPv4-In)

  • File and Printer Sharing (Echo Request - ICMPv6-In)

    NOTE: The rules marked with * are required only if you do not want to use network traffic compression for auditing.

    NOTE: If you plan to audit Windows Server 2019 or Windows 10 Update 1803 without network compression service, make sure the following inbound connection rules are enabled:

    • Remote Scheduled Tasks Management (RPC)
    • Remote Scheduled Tasks Management (RPC-EMAP)

• If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations must be enabled on the computer that hosts Netwrix Auditor Server. See Enable Symbolic Link Evaluations for more information.

• CIFS Network Protocol support is required.

• Create a shared directory /ifs/.ifsvar/audit/ on your cluster.

  NOTE: Use SMB (CIFS) protocol for sharing.

• The following filters for auditing protocol operations that succeeded/failed must be enabled for audited access zones on your cluster:

  • Audit Success: read, write, delete, set_security, rename

  • Audit Failure: read, create, write, delete, set_security, rename

• If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations must be enabled on the computer that hosts Netwrix Auditor Server. See Enable Symbolic Link Evaluations for more information.

• CIFS Network Protocol support is required.

• Security Event Log Maximum Size must be set to 4GB.

• The Audit object access policy must be set to "Success" and "Failure" in the Group Policy of the OU where the audited EMC VNX/VNXe/Unity/Celerra appliance belongs to.

• Audit settings must be configured for CIFS File Shares. For a security principal (e.g., Everyone), the following options must be set to "Success" and "Fail" in the Advanced Security → Auditing settings for the audited shared folders:

  • List Folder / Read Data (Files only)

  • Create Files / Write Data

  • Create Folders / Append Data

  • Write Attributes

  • Write Extended Attributes

  • Delete Subfolders and Files

  • Delete

  • Change Permissions

  • Take Ownership

• If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations must be enabled on the computer that hosts Netwrix Auditor Server. See Enable Symbolic Link Evaluations for more information.

• CIFS Network Protocol support is required.

• Qtree Security must be configured. The volume where the audited file shares are located must be set to the "ntfs" or "mixed" security style.

• On Data ONTAP 7 and Data ONTAP 8 in 7-mode:

  • The httpd.admin.enable or the httpd.admin.ssl.enable option must be set to "on". For security reasons, it is recommended to configure SSL access and enable the httpd.admin.ssl.enable option.

  • The cifs.audit.liveview.enable option must be set to "off".

  • The cifs.audit.enable and the cifs.audit.file_access_events.enable options must be set to "on".

  • Unless you are going to audit logon events, the cifs.audit.logon_events.enable and the cifs.audit.account_mgmt_events.enable options must be set to "off".

  • The Security log must be configured:

    • cifs.audit.logsize 300 000 000 (300 MB)

    • cifs.audit.autosave.onsize.enable on

    • cifs.audit.autosave.file.extension timestamp

• On Clustered Data ONTAP 8 and ONTAP 9:

  • External Web Services: true.

    For security reasons, it is recommended to enable only SSL access.

  • Firewall policy for data interfaces must be configured to allow ONTAPI protocol connections.

  • Audit settings must be configured as follows:

    Auditing State:	true
    Log Destination Path:	/audit
    Categories of Events to Audit:	file-ops, cifs-logon-logoff
    Log Format:	evtx
    Log File Size Limit:	300MB

• Audit settings must be configured for CIFS File Shares. For a security principal (e.g., Everyone), the following options must be set to "Success" and "Fail" in the Advanced Security → Auditing settings for the audited shared folders:

  • List Folder / Read Data (Files only)
  • Create Files / Write Data
  • Create Folders / Append Data
  • Write Extended Attributes
  • Delete Subfolders and Files
  • Delete
  • Change Permissions
  • Take Ownership

• If your file shares contain symbolic links and you want to collect state-in-time data for these shares, the local-to-local, local-to-remote, remote-to-local, and remote-to-remote symbolic link evaluations must be enabled on the computer that hosts Netwrix Auditor Server. See Enable Symbolic Link Evaluations for more information.

For Cisco ASA:

• The global configuration mode is selected.

• The logging enable option is selected on the Cisco ASA device.

• The logging host parameter is set to the host address of the audited CiscoASA device. And UDP port (for, example 514) is used for sending messages.

  NOTE: Do not select the EMBLEM format logging for the syslog server option.

• The logging timestamp option enabled.
• The logging trap option is selected from 1 to 6 inclusive.

For Cisco IOS:

• The global configuration mode is selected.
• The logging timestamp option enabled.
• The logging trap option is selected from 1 to 6 inclusive.
• The logging host parameter is set to the host address where the service is going to be installed. And UDP port (for, example 514) is used for sending messages.

For Fortinet Fortigate:

The target Fortinet Fortigate device must be configured via Command Line Interface (CLI) as described in the Configure Fortinet FortiGate Devices section.

For PaloAlto:

Create a Syslog Server profile and syslog forwarding for the target PaloAlto device via Web Interface as described in the Configure PaloAlto Devices section.

For Juniper:

The target Juniper device must be configured via JunOS Command Line Interface (CLI) as described in the Configure Juniper Devices section.

For SonicWall:

Configure log settings, depending on your device type. See Configure Network Devices for Monitoring for more information.

• The Audit Log Trimming setting must be set to "Yes" and Specify the number of days of audit log data to retain must be set to 7 days.
• The Editing users and permissions option must be enabled.
• For auditing read access events only: The Opening or downloading documents, viewing items in lists, or viewing item properties option must be enabled.

• The SPAdminV4 service must be enabled (required for the Netwrix Auditor Core Service for SharePoint installation).

• The Remote Registry and the Windows Management Instrumentation (WMI) service must be started.
• The following advanced audit policy settings must be configured:
  • The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.
  • For Windows Server 2008—The Object Access, Account Management, and Policy Change categories must be disabled while the Security Group Management, User Account Management, Handle Manipulation, Other Object Access Events, Registry, File Share, and Audit Policy Change subcategories must be enabled for "Success".
  • For Windows Server 2008 R2 / Windows 7 and above—Audit Security Group Management, Audit User Account Management, Audit Handle Manipulation, Audit Other Object Access Events, Audit Registry, Audit File Share, and Audit Audit Policy Change advanced audit policies must be set to "Success".

• The following legacy audit policies can be configured instead of advanced: Audit object access, Audit policy change, and Audit account management must be set to "Success".

• The Enable Persistent Time Stamp local group policy must be enabled.
• The Application, Security, and System event log maximum size must be set to 4 GB. The retention method must be set to “Overwrite events as needed”.
• For auditing scheduled tasks, the Microsoft-Windows-TaskScheduler/Operational event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.
• For auditing DHCP, the Microsoft-Windows-Dhcp-Server/Operational event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.
• For auditing DNS, the Microsoft-Windows-DNS-Server/Audit event log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.
• The following inbound Firewall rules must be enabled:
  • Remote Event Log Management (NP-In)
  • Remote Event Log Management (RPC)
  • Remote Event Log Management (RPC-EPMAP)
  • Windows Management Instrumentation (ASync-In)
  • Windows Management Instrumentation (DCOM-In)
  • Windows Management Instrumentation (WMI-In)

  • Network Discovery (NB-Name-In)

  • File and Printer Sharing (NB-Name-In)

  • Remote Service Management (NP-In)

  • Remote Service Management (RPC)

  • Remote Service Management (RPC-EPMAP)

  • Performance Logs and Alerts (DCOM-In)
  • Performance Logs and Alerts (TCP-In)

  NOTE: If the audited servers are behind the Firewall, review the list of protocols and ports required for Netwrix Auditor and make sure that these ports are opened. See Protocols and Ports Required for Netwrix Auditor Server for more information.

• For auditing removable storage media, two Event Trace Session objects must be created.

NOTE: If you want to use Network traffic compression, make sure that the Netwrix Auditor Server is accessible by its FQDN name.

• For Windows-based platforms: the Remote Registry service must be running and its Startup Type must be set to "Automatic".

• For Syslog-based platforms: the Syslog daemon must be configured to redirect events.

• The Remote Registry service must be running and its Startup Type must be set to "Automatic".

• The Microsoft-IIS-Configuration/Operational log must be enabled and its maximum size must be set to 4 GB. The retention method of the log must be set to “Overwrite events as needed”.

• The following policies must be set to "Success" and "Failure" for the effective domain controllers policy:

  • Audit Logon Events
  • Audit Account Logon Events
• The Audit system events policy must be set to "Success" for the effective domain controllers policy.
• The Advanced audit policy settings can be configured instead of basic.

• The Maximum Security event log size must be set to 4GB. The retention method of the Security event log must be set to “Overwrite events as needed” or "Archive the log when full".

• The following Windows Firewall inbound rules must be enabled:

  • Remote Event Log Management (NP-In)
  • Remote Event Log Management (RPC)
  • Remote Event Log Management (RPC-EPMAP)