Netwrix Auditor delivers complete visibility into your IT infrastructure. Its convenient interactive search interface enables you to investigate incidents and browse data collected across the entire IT infrastructure. When running a search, you are not limited to a certain data source, change type, or object name. You can create flexible searches that provide you with precise results on who changed what, and when and where each change was made.
NOTE: To review collected data, you must be assigned the Global administrator or Global reviewer Netwrix Auditor role. Users with the Reviewer role on a certain plan or folder have limited access to data—only within their delegated scope.
This functionality is currently available for the following data sources:
- Active Directory
- Azure AD
- Exchange Online
- File Servers (Windows File Servers, EMC, and NetApp)
- Network Devices
- Oracle Database
- SharePoint Online
- SQL Server
- Windows Server
- Group Policy
- Logon Activity
- User Activity (Video)
- Netwrix API—data imported to the Audit Database from other sources using Netwrix Auditor Integration API
Netwrix Auditor Self-Audit
Netwrix Auditor executes interactive search queries against data stored in the audit databases, that is, on data collected in the last 180 days (default retention period). If you want to investigate incidents that occurred more than 180 days ago, then you should import that data from the Long-Term Archive. See Investigations.
Browsing Your Audit Data
On the main Netwrix Auditor page, navigate to Search. There you can use the UI controls to run the variety of search queries that will fecth you exactly the data you need.
To view all audit data stored in all Audit Databases by all monitoring plans, click Search button in the center.
NOTE: Be aware that this type of search query may take time due to a large amount of data. Thus, it is recommended that instead of retrieveing a massive data set, you pre-configure your search query using filters.
By default, Netwrix Auditor shows only the top 2,000 entries in the search results.
To pre-configure your search query before you click Search, you can add filters. Then the search query will return only data matching your filtering criteria. See Use Filters (Simple Mode)
You can also use advanced filtering capabilities based on regular expressions (they involve filter fields and conditions). See Advanced Mode for details.
- By default, search results are open in the same window, so the subsequent search results will overwrite the previous search results. To view them in different windows, click Open in new window.
- In addition, you can customize your view by selecting columns to display. See Customize View
Use search results for your own needs: save, share, create search-based alerts, subscribe to periodic delivery of search query results, etc. See Save Search Query Results for more information.
You can also use the Search window to examine details for the selected activity record, or watch a video recording (for User Activity data).
Examining Activity Record in Detail
To work with a certain activity record:
- Select the activity record which details you want to review. Its key fields and user (initiator) account details will be displayed in the right pane.
- To display all fields and copy them if necessary, click the Full screen... link on the right.
- You can instruct Netwrix Auditor to include or exclude this activity record from the search query results, as described in the Include and Exclude Data
If you are examining User Activity entries, click the Show video... link below the entry. Review details and play a video by clicking the Show video on the right.
If you do not see the expected information in search results, try the following:
- Verify the Audit Database retention and SQL Server settings.
- Make sure that data collection is configured properly in the monitoring plan settings.
- Check the required audit settings in your monitored infrastructure.
- Verify the data collecting account.