If you have multiple file shares frequently accessed by a significant number of users, it is reasonable to audit object changes only. Tracking all events may write too much data to the audit logs, of which only a part is likely to be of interest. Note that audit flags must be set on every file share you want to audit.
If you are going to monitor an entire file server, consider the following:
- If you specify a single computer name, Netwrix Auditor will monitor all shared folders on this computer. Netwrix Auditor does not track content changes on folders whose name ends with the $ symbol (which are either hidden or administrative/system folders). In order for the report functionality to work properly, you need to configure audit settings for each shared folder on the computer separately. Otherwise, reports will contain limited data and warning messages.
- For your convenience, if your file shares are stored within one folder (or disk drive), you can configure audit settings for this folder only. As a result, you will receive reports on all required access types applied to all file shares within this folder. It is not recommended to configure audit settings for system disks.
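The following PowerShell is an added example, not part of the Netwrix documentation: it lists each non-hidden shared folder on the local server and reports whether its SACL contains audit entries, set directly or inherited from a parent folder. The function name Get-ShareAuditStatus is hypothetical, and the check only confirms that audit entries exist, not that they cover the access types your reports need.

```powershell
# Added example (not vendor code). Run in an elevated session on the file server:
# reading a SACL requires the "Manage auditing and security log" user right.
function Get-ShareAuditStatus {
    foreach ($share in Get-SmbShare) {
        # Shares whose name ends with $ are hidden or administrative; skip them.
        if ($share.Name.EndsWith('$')) { continue }
        # Skip shares that do not map to a folder (for example, printers).
        if (-not $share.Path) { continue }
        if (-not (Test-Path -LiteralPath $share.Path -PathType Container)) { continue }

        $rules = @()
        $readError = $null
        try {
            # -Audit makes Get-Acl return the SACL along with the DACL.
            $acl = Get-Acl -LiteralPath $share.Path -Audit -ErrorAction Stop
            # Explicit and inherited entries, resolved to account names.
            $rules = @($acl.GetAuditRules($true, $true,
                       [System.Security.Principal.NTAccount]))
        } catch {
            $readError = $_.Exception.Message
        }

        $status = if ($readError)              { "Cannot read SACL: $readError" }
                  elseif ($rules.Count -eq 0)  { 'No audit entries' }
                  else                         { 'Has audit entries' }

        [pscustomobject]@{
            Share      = $share.Name
            Path       = $share.Path
            Explicit   = @($rules | Where-Object { -not $_.IsInherited }).Count
            Inherited  = @($rules | Where-Object { $_.IsInherited }).Count
            Principals = ($rules | ForEach-Object { $_.IdentityReference.Value } |
                          Sort-Object -Unique) -join '; '
            AuditFlags = ($rules | ForEach-Object { $_.AuditFlags.ToString() } |
                          Sort-Object -Unique) -join '; '
            Status     = $status
        }
    }
}

# Shares that would produce limited report data are the ones without entries.
Get-ShareAuditStatus | Sort-Object Status, Share | Format-Table -AutoSize -Wrap
```

A share that shows only inherited entries is one covered by audit settings configured on its parent folder or drive.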
You can configure your file shares for monitoring in one of the following ways:
- Automatically when creating a monitoring plan. If you select to automatically configure audit in the target environment, your current audit settings will be periodically checked and adjusted if necessary.
- Manually. To configure your file servers for monitoring manually, perform the following procedures:
NOTE: With auto-audit enabled, initial SACL configuration for DFS replication links may take longer than manual configuration; however, this will help to minimize the impact on the DFS backlog and the replication process in general.
Also, remember to do the following:
- Configure Data Collecting Account, as described in Data Collecting Account.
- Configure required protocols and ports, as described in Protocols and Ports Required for Monitoring File Servers.
File Servers and Antivirus
It is strongly recommended that you add the following executables to the list of exclusions for your antivirus:
Otherwise, significant delays and performance issues may occur while collecting data.
This happens because these executables access a large number of file server objects (files, folders) to fetch audit data, and your antivirus may treat this as suspicious behavior.
NOTE: For some antiviruses (for example, Trend Micro) you may need to specify the folders to exclude, that is, C:\Windows\SysWOW64\NwxExeSvc\. Refer to your antivirus documentation for details.