Go Up
You are here: AdministrationMonitored actions, object types and attributesFile Servers

Actions, Object Types and Attributes Monitored on File Servers

Netwrix Auditor can monitor for operations with files and folders on the storage systems, collect state-in-time snapshots and track changes to the object attributes. This section provides detailed information on these activities.

Monitored Operations

The table below lists the operations with files and folders that can be monitored and reported by Netwrix Auditor on the storage systems. For details on Nutanix Files monitoring, see Monitoring Nutanix Files

NOTE: Actions marked with an asterisk (*) are reported for EMC Isilon only. (Consider that monitoring and reporting of other EMC storage systems may not provide the results you expect due to native EMC audit peculiarities.)

Actions marked with a double asterisks (**) are reported for NetApp Clustered Data ONTAP 8 and ONTAP 9 only.

Action Windows-based NetApp EMC Nutanix Files
  file folder share file folder share file folder share file folder share
Added + + + + + + + + + + + +
Add (failed attempt) + + +* +* + +
Modified + + + + + + + + + + + +
Modify (failed attempt) + + + + + + + + +
Moved + + +** +** +* +* + +
Move (failed attempt) +** +** +* +*
Read + + - + + +
Read (failed attempt) + + + + + + + + +
Renamed + + +** +** +* +* + +
Renamed (failed attempt) +** +** +* +*
Removed + + + + + + + + + + + +
Remove (failed attempt) + + + + + + + +
Copied +

Considerations and Limitations

Currently, the following considerations refer to file servers data collection and reporting:

  1. For the Windows-based file servers running Windows Server 2008, NetApp appliances and EMC storages, changes to file shares are reported without who. The following is displayed instead:
    • for Windows Server - "System"
    • for NetApp appliances - "System" or "Not applicable"
    • for EMC storages - "Not applicable"
  2. For storage systems mentioned above, Netwrix Auditor displays not the actual time when the event occurred but data collection time.
  3. If a file server is running Windows Server 2008 SP2, Netwrix Auditor may be unable to retrieve workstation name for failed read attempts.
  4. For Windows File Servers, the product may report on several unexpected changes with "who" reported as "system" due to native Windows File Servers audit peculiarities. If you do not want to see these changes, exclude them the audit, using omit lists. See Exclude Data from File Servers Monitoring Scope for more information.
  5. Due to Windows limitations, the copy/rename/move actions on remote file shares may be reported as two sequential actions: copying – as adding a new file and reading the initial file; renaming\moving – as removing the initial file and adding a new file with the same name.
  6. To report on copy actions on remote file shares, make sure that audit of successful read operations is enabled. See Configure Object-Level Access Auditing for details.
  7. If planning to monitor folders, consider that the Reparse point attribute content will be available for reviewing only if you have Collect data for state-in-time reports option selected for the data source in the monitoring plan (see File Servers for details). Also, mind that reparse point content changes cannot be audited.

State-in-time Data

State-in-time data collection is supported for files, folders and shares on Windows-based file servers, EMC and NetApp storage systems and Nutanix File Servers. Remember to select the corresponding option in the data source settings within the monitoring plan. (See this section for details.)

Monitored Object Attributes

The table below lists the object types and attributes that can be monitored by Netwrix Auditor.

NOTE: For more information on the attributes marked with (*) , refer to this Microsoft article.

Object type Attributes


  • Attributes*
  • Location
  • Name
  • Ownership
  • Permissions:

    • Group Permissions
    • User Permissions
  • Primary Group
  • Security descriptor control flags

  • Size


  • Attributes*

    NOTE: The Reparse point attribute content is available for reviewing only when State-In-Time snapshot collection is enabled. Mind that reparse point content changes cannot be audited.

  • Location
  • Name
  • Ownership
  • Permissions:

    • Group Permissions
    • User Permissions
  • Primary Group
  • Security descriptor control flags


  • Access-based Enumeration

  • Caching

  • Continuous Availability

  • Description

  • Enable BranchCache

  • Encrypt Data Access

  • Local Path
  • User Limit

In addition to general object attributes, Netwrix Auditor generates the following attributes associated with the object and reserved for internal use:

  • Session ID—GUID generated by the product and can be helpful if you have to review large amount of changes and need to distinguish those made within one session.
  • Statement ID—This attribute appears when an object was moved/renamed due to its root object modifications.

Monitoring Nutanix Files

The following considerations refer to Nutanix Files auditing and reporting:

  • Auditing of NFS file shares in not supported due to known limitations.
  • Currently, not every detail about permission and attribute changes may be provided by Nutanix Files, so they cannot be reported by Netwrix Auditor.
  • As for the state-in-time data collection, note that effective permissions (as a combination of NTFS and Shared permissions) are not calculated properly for the local Administrator group members.

Go Up