SQL Server and Databases

Netwrix Auditor uses SQL Server databases as operational storage that keeps audit data for analysis, search and reporting purposes. Supported versions are SQL Server 2008 and later (Reporting Services versions should be 2008 R2 or later).

  • You will be prompted to configure the default SQL Server instance when you create the first monitoring plan; you can also specify it in Netwrix Auditor settings.
  • You can configure Netwrix Auditor to use an existing instance of SQL Server, or deploy a new instance, as described in the Default SQL Server Instance section.

For evaluation and PoC projects you can deploy Microsoft SQL Server 2016 SP2 Express Edition with Advanced Services (sufficient for report generation).

For production deployment in bigger environments, it is recommended to use Microsoft SQL Server Standard Edition or higher because of the limited database size and other limitations of Express Edition.

Make your choice based on the size of the environment you are going to monitor, the number of users and other factors. This applies, for example, to Netwrix Auditor for Network Devices: if you need to audit successful logons to these devices, expect a large number of activity records to be produced, and plan for SQL Server Standard or Enterprise edition (Express edition will not fit).

Netwrix Auditor supports automated size calculation for all its databases in total, displaying the result, in particular, in the Database Statistics widget of the Health Status dashboard. This feature, however, is supported only for SQL Server 2008 SP3 and later.


To store data from the data sources included in the monitoring plan, the Monitoring Plan Wizard creates an Audit Database. The default database name is Netwrix_Auditor_<monitoring_plan_name>.

NOTE: It is strongly recommended to target each monitoring plan at a separate database.

Also, several dedicated databases are created automatically on the default SQL Server instance. These databases are intended for storing various data, as listed below.

Database name Description


Stores alerts.


Stores activity records collected using Integration API.


Stores internal event records.


Intended for integration with Netwrix Data Classification.

This database is always created but is involved in the workflow only if the DDC Provider is enabled. See this article for more information.


Stores views to provide cross-database reporting.


Stores data imported from Long-Term Archive.


Stores data required for overview reports.


Stores data collected by Netwrix Auditor self-audit (optional, created if the corresponding feature is enabled).

These databases usually do not appear in the UI; they are only listed in the Database statistics widget of the Health Status dashboard. If you need their settings to be modified via SQL Server Management Studio, please contact your database administrator. For example, you may need to change logging and recovery model (by default, it is set to simple for all these databases, as well as for the Audit databases).
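The following T-SQL is an added example, not part of the Netwrix documentation: it lists the Netwrix databases on an instance with their recovery model and file sizes, and flags data files approaching the Express Edition size cap mentioned above. It assumes every Netwrix database name starts with `Netwrix_` (the page confirms only the `Netwrix_Auditor_<monitoring_plan_name>` pattern) and uses an 80% warning threshold chosen for illustration.

```sql
-- Added example (not vendor code). Run in SSMS against the default instance.
-- Assumption: all Netwrix databases share the 'Netwrix_' name prefix.
-- Express caps data files at 10 GB per database (SQL Server 2008 R2 and later;
-- 4 GB on SQL Server 2008). Log files do not count toward the cap.
DECLARE @express_limit_mb decimal(18,2) = 10240;
DECLARE @warn_ratio       decimal(4,2)  = 0.80;   -- illustrative threshold
DECLARE @is_express bit =
    CASE WHEN CAST(SERVERPROPERTY('EngineEdition') AS int) = 4 THEN 1 ELSE 0 END;

-- Edition and version of the instance that hosts the audit data.
SELECT SERVERPROPERTY('Edition')        AS edition,
       SERVERPROPERTY('ProductVersion') AS product_version;

WITH sizes AS (
    SELECT d.name,
           d.recovery_model_desc,
           -- sys.master_files.size is expressed in 8 KB pages.
           SUM(CASE WHEN f.type_desc = 'ROWS'
                    THEN CAST(f.size AS bigint) ELSE 0 END) * 8 / 1024.0 AS data_mb,
           SUM(CASE WHEN f.type_desc = 'LOG'
                    THEN CAST(f.size AS bigint) ELSE 0 END) * 8 / 1024.0 AS log_mb
    FROM sys.databases    AS d
    JOIN sys.master_files AS f ON f.database_id = d.database_id
    WHERE d.name LIKE 'Netwrix[_]%'          -- [_] matches a literal underscore
    GROUP BY d.name, d.recovery_model_desc
)
SELECT name                 AS database_name,
       recovery_model_desc  AS recovery_model,   -- SIMPLE by default per the docs
       CAST(data_mb AS decimal(18,2)) AS data_mb,
       CAST(log_mb  AS decimal(18,2)) AS log_mb,
       CASE
           WHEN @is_express = 1 AND data_mb >= @express_limit_mb * @warn_ratio
               THEN 'WARN: near Express size cap'
           WHEN @is_express = 1 THEN 'OK (Express)'
           ELSE 'n/a (no Express cap)'
       END                  AS size_status
FROM sizes
ORDER BY data_mb DESC;

-- To change the recovery model of one database (placeholder name, substitute
-- your own). FULL requires scheduled log backups or the log file keeps growing.
-- ALTER DATABASE [Netwrix_Auditor_<monitoring_plan_name>] SET RECOVERY FULL;
```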
