File Servers

Complete the following fields:

Option Description

Monitor this data source and collect activity data

Enable monitoring of the selected data source and configure Netwrix Auditor to collect and store audit data.

Specify actions for monitoring

Specify actions you want to track and auditing mode. Review the following for additional information:

Successful Use this option to track changes to your data. Helps find out who made changes to your files, including their creation and deletion.
Failed Use this option to detect suspicious activity on your file server. Helps identify potential intruders who tried to modify or delete files, etc., but failed to do it.
Read access


Use this option to supervise access to files containing confidential data intended for privileged users. Helps identify who accessed important files besides your trusted users.

NOTE: Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the AuditArchive.


Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification.

NOTE: Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the AuditArchive.

NOTE: Actions reported by Netwrix Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, etc. To track the copy action, enable successful read access and change auditing. See Monitored Object Types, Actions, and Attributes for more information.

Specify data collection method

You can enable network traffic compression. If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance.

NOTE: To collect data from 32-bit operating systems, network traffic compression must be disabled.

To collect data from Windows Failover Cluster, network traffic compression must be enabled.

The monitoring of Scale-Out failover cluster File Server is not supported.

See File Servers for more information.

Configure audit settings

You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary.

NOTE: This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed.

Do not select the checkbox if you want to configure audit settings manually. For a full list of audit settings required to collect comprehensive audit data and instructions on how to configure them, refer to Configure IT Infrastructure for Auditing and Monitoring.

Some settings cannot be configured automatically. Netwrix Auditor has the following limitations depending on your file server type.

File Server SACL Check SACL Adjust Policy Check Policy Adjust Log Check Log Adjust
Windows + + + + + +
EMC Celerra\VNX\Unity + + + +
EMC Isilon n/a n/a + n/a n/a
NetApp Data ONTAP 7 and 8 in 7-mode + + + + + +
NetApp Clustered Data ONTAP 8 and ONTAP 9 + + + + +
Nutanix Files n/a n/a + + n/a n/a

Collect data for state-in-time reports

Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation.See State–in–Time Reports for more information.

When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions.

In the Manage historical snapshots section, you can click Manage and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past.

NOTE: You must be assigned the Global administrator or the Global reviewer role to import snapshots.

Move the selected snapshots to the Snapshots available for reporting list using the arrow button.

NOTE: The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Only the latest snapshot is available for reporting in Netwrix Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database.


Specify monitoring restrictions

Select the users to be excluded from search results, reports and Activity Summaries. To add users to the list, click Add and provide user name in the domain\user format: mydomain\user1.

  • Use NetBIOS domain name format.
  • To exclude events containing “System” instead of initiator's account name in the “Who” column, enter "System" value to the list.

TIP: In addition to the restrictions for a monitoring plan, you can use the *.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the *.txt files. Review the following for more information: Exclude Objects from Monitoring Scope

Review your data source settings and click Add to go back to your plan. The newly created data source will appear in the Data source list. As a next step, click Add item to specify an object for monitoring.

Windows File Server AD Container


IP Range

Windows File Share

Dell EMC storage

EMC Isilon

EMC VNX/VNXe/Celerra/Unity

NetApp storage NetApp
Nutanix File Server Nutanix SMB Shares

By default, Netwrix Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). If you want to monitor user-defined hidden shares, select the related option in the monitored item settings.

Administrative hidden shares like default system root or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will not be monitored. See Add Items for Monitoring for more information.

IMPORTANT! Before adding your monitored items, examine the considerations, limitations and recommendations provided in the following sections: