Actions, Object Types and Attributes Monitored on File Servers

Netwrix Auditor can monitor for operations with files and folders on the storage systems, collect state-in-time snapshots and track changes to the object attributes. This section provides detailed information on these activities.

Monitored Operations

The table below lists the operations with files and folders that can be monitored and reported by Netwrix Auditor on the storage systems. For details on Nutanix Files monitoring, see Monitoring Nutanix Files

NOTE: Actions marked with an asterisk (*) are reported for EMC Isilon only. (Consider that monitoring and reporting of other EMC storage systems may not provide the results you expect due to native EMC audit peculiarities.)

Actions marked with a double asterisks (**) are reported for NetApp Clustered Data ONTAP 8 and ONTAP 9 only.

Action Windows-based NetApp EMC Nutanix Files
  file folder share file folder share file folder share file folder share
Added + + + + + + + + + + + +
Add (failed attempt) + + +* +* + +
Modified + + + + + + + + + + + +
Modify (failed attempt) + + + + + + + + +
Moved + + +** +** +* +* + +
Move (failed attempt) +** +** +* +*
Read + + - + + +
Read (failed attempt) + + + + + + + + +
Renamed + + +** +** +* +* + +
Renamed (failed attempt) +** +** +* +*
Removed + + + + + + + + + + + +
Remove (failed attempt) + + + + + + + +
Copied +

State-in-time Data

State-in-time data collection is supported for files, folders and shares on Windows-based file servers, EMC and NetApp storage systems and Nutanix File Servers. Remember to select the corresponding option in the data source settings within the monitoring plan. (See this section for details.)

Monitored Object Attributes

The table below lists the object types and attributes that can be monitored by Netwrix Auditor.

NOTE: For more information on the attributes marked with (*) , refer to this Microsoft article.

Object type Attributes


  • Attributes*
  • Location
  • Name
  • Ownership
  • Permissions:

    • Group Permissions
    • User Permissions
  • Primary Group
  • Security descriptor control flags

  • Size


  • Attributes*

    NOTE: The Reparse point attribute content is available for reviewing only when State-In-Time snapshot collection is enabled. Mind that reparse point content changes cannot be audited.

  • Location
  • Name
  • Ownership
  • Permissions:

    • Group Permissions
    • User Permissions
  • Primary Group
  • Security descriptor control flags


  • Access-based Enumeration

  • Caching

  • Continuous Availability

  • Description

  • Enable BranchCache

  • Encrypt Data Access

  • Local Path
  • User Limit

In addition to general object attributes, Netwrix Auditor generates the following attributes associated with the object and reserved for internal use:

  • Session ID — This attribute is based on the user’s logon ID and timestamp of the related logon event. Being unique for a user’s logon session, it usually helps to distinguish the events and changes that occurred within that session.
  • Statement ID — This attribute appears if an object was moved/renamed due to its root object modifications.

Considerations and Limitations

Currently, the following considerations refer to file servers data collection and reporting:

  1. For NetApp appliances and Dell EMC storages, changes to the file shares are reported without who. The following is displayed instead:
    • for NetApp appliances — System or Not applicable
    • for Dell EMC storages — Not applicable
  2. For storage systems mentioned above, Netwrix Auditor displays not the actual time when the event occurred but data collection time.
  3. For Dell EMC Isilon, auditing of System zone is not supported. As stated by Dell, this zone should be reserved for configuration access only. Current data should be stored in other access zones. See this guide for more information.
  4. Limitations for Windows File Server are listed in the Prepare for Windows File Server Monitoring section.
  5. Limitations for Nutanix Files Server are listed in the Monitoring Nutanix Files section.

Monitoring Nutanix Files

The following considerations refer to Nutanix Files auditing and reporting:

  • Auditing of NFS file shares in not supported due to known limitations.
  • Currently, not every detail about permission and attribute changes may be provided by Nutanix Files, so they cannot be reported by Netwrix Auditor.
  • As for the state-in-time data collection, note that effective permissions (as a combination of NTFS and Shared permissions) are not calculated properly for the local Administrator group members.